Commit Graph

17 Commits

Author SHA1 Message Date
Vinoth Kannan
ded6ea66a5
FIX: skip iframe URLs with relative paths in pretty text sanitizer. (#21714)
This commit prevents unallowed URLs in iframe src by adding a relative path like `https://bob.com/abc/def/../ghi`. Currently, the iframe linking to the site uses the current_user, not the post's author, so users who have no access to a certain path are not able to view anything they shouldn't.
2023-05-24 16:14:18 +05:30
Jarek Radosz
057d6b406d
DEV: Extensively use includes() (#17541)
Also, the change in insert-hyperlink (from `this.linkUrl.indexOf("http") === -1` to `!this.linkUrl.startsWith("http")`) was intentional fix: we don't want to prevent users from looking up topics with http in their titles.
2022-07-17 20:48:36 +02:00
Jarek Radosz
5f7163b5bb
DEV: Extensively use startsWith() (#17540) 2022-07-17 20:16:39 +02:00
David Taylor
166fe3bb34
FIX: Apply 'allowed_href_schemes' to all src/srcset attributes (#16860)
Previously we were only applying the restriction to `a[href]` and `img[src]`. This commit ensures we apply the same logic to all allowlisted media src attributes.
2022-05-19 11:18:30 +01:00
Jarek Radosz
77fed8dfc3
DEV: Update xss.js package (#16398) 2022-04-06 22:49:13 +02:00
Joffrey JAFFEUX
b3ecf00c98
DEV: adds initial support for custom blocks using code fencing (#15743)
Allows to write custom code blocks:

```
   ```mermaid height=200,foo=bar
   test
   ```
```

Which will then get converted to:

```
<pre data-code-wrap="mermaid" data-code-height="200" data-code-foo="bar">
  <code class="lang-nohighlight">
    test
  </code>
</pre>
```
2022-02-09 11:23:44 +01:00
Bianca Nenciu
38199424bc
SECURITY: Sanitize d-popover attributes (#13958) 2021-08-05 16:39:17 +03:00
Josh Soref
59097b207f
DEV: Correct typos and spelling mistakes (#12812)
Over the years we accrued many spelling mistakes in the code base. 

This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change 

- comments
- test descriptions
- other low risk areas
2021-05-21 11:43:47 +10:00
Osama Sayegh
d56b2e85aa
FIX: Escape Font Awesome icons (#12421)
This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they do have the ability to create themes with JS.
2021-03-17 16:11:40 +03:00
Rafael dos Santos Silva
c4552e9c10
FIX: Autoplay videos must always be muted (#11533)
This automatically adds the muted attribute if it's missing in a video
tag.

Co-authored-by: David Taylor <david@taylorhq.com>
2020-12-21 14:55:00 -03:00
Krzysztof Kotlarek
dbec3792b7
FIX: pretty text allow list (#10977)
Reword whitelist to allowlist in pretty-text.
This library is used by plugins so we need deprecation notice.
2020-10-28 13:22:06 +11:00
Joffrey JAFFEUX
530d9ab071
DEV: enforces eslint’s curly rule to the codebase (#10720)
eslint --fix is capable of fix it automatically for you, ensure prettier is run after eslint as eslint --fix could leave the code in an invalid prettier state.
2020-09-22 16:28:28 +02:00
Robin Ward
8c384ae6b8 Create proper shim for xss library - second attempt 2020-09-15 10:42:51 -04:00
Guo Xiang Tan
e3b4632f04
Revert "Create proper shim for xss library"
This reverts commit 30e9112535.
2020-09-15 11:38:40 +08:00
Robin Ward
30e9112535 Create proper shim for xss library 2020-09-14 15:57:32 -04:00
Joffrey JAFFEUX
52672b9eab
DEV: apply new coding standards (#10592) 2020-09-04 13:42:47 +02:00
Robin Ward
79c64eaeff
DEV: Move pretty-text into an ember-addon format (#9689) 2020-05-07 12:37:47 -04:00