Commit Graph

42365 Commits

Author SHA1 Message Date
jbrw
d11b6751bb
SECURITY: Destroy EmailToken when EmailChangeRequest is destroyed (#13950) 2021-08-06 19:27:09 -04:00
Bianca Nenciu
4c748f7f54 SECURITY: Sanitize d-popover attributes (#13958) 2021-08-05 16:40:48 +03:00
Neil Lalonde
b47c5f69d8
Version bump to v2.7.7 2021-07-23 10:53:32 -04:00
Alan Guo Xiang Tan
cc7b8d5f9f
DEV: Make rubocop happy. 2021-07-23 16:39:39 +08:00
Alan Guo Xiang Tan
dbdf61196d
SECURITY: Don't leak user of previous whisper post when deleting a topic.
A topic's last poster can be incorrectly set to a user of a whisper post
if the whisper post is before the last post and the last post is
deleted.
2021-07-23 16:39:37 +08:00
Alan Guo Xiang Tan
680024f907
SECURITY: Do not reveal post whisperer in personal messages.
Prior to this fix, post whisperer in personal messages are revealed in
the topic's participants list even though non-staff users are unable to
see the whisper.
2021-07-23 16:39:29 +08:00
Neil Lalonde
ae224045a6
Version bump to v2.7.6 2021-07-15 14:37:25 -04:00
David Taylor
ad7c7f819d
SECURITY: Sanitize YouTube Onebox data (stable) (#13749)
CVE-2021-32764
2021-07-15 19:32:47 +01:00
Neil Lalonde
a94a623009
Version bump to v2.7.5 2021-07-08 09:43:45 -04:00
Arpit Jalan
d54f7c1f42 SECURITY: do not follow canonical links 2021-07-07 14:11:32 +05:30
Bianca Nenciu
6a7e628037 FIX: TL4 users cannot delete others posts (#13554) 2021-07-06 12:11:29 +03:00
Joffrey JAFFEUX
023f5ae8e0
SECURITY: prevents onebox to hang too long on connect (#13481) 2021-06-22 17:19:13 +02:00
Penar Musaraj
fe1e1903eb
Version bump to v2.7.4 2021-06-09 14:00:41 -04:00
Robin Ward
db826335e9
DEV: Add support for class properties in babel (#13189)
This allows us to start using JS classes instead of Ember's classes.
2021-06-09 13:53:43 -04:00
Penar Musaraj
cf8610cee1
DEV: Enable optional chaining in all contexts (#13180)
* Revert "FIX: We can't use `?.` yet (#13168)"
2021-06-09 13:52:30 -04:00
Neil Lalonde
859dfac6c6
Version bump to v2.7.3 2021-06-08 11:36:25 -04:00
Régis Hanol
98f92d2e23 SECURITY: XSS in bookmarks list (#13311)
We should use `fancy_title` instead of `title` when displaying a topic title to ensure only the allowed html is not escaped.
2021-06-07 16:59:12 +02:00
Neil Lalonde
81070b323f
Version bump to v2.7.2 2021-06-04 11:23:14 -04:00
Sam
5db39cce93
UX: unconditionally focus modals (#13179)
Previously auto focus would only work on modals that include buttons or
inputs.

To avoid a situation where information modals such as keyboard shortcuts
do not get focus, simply focus on the close button as a fallback.
2021-06-04 10:35:12 -04:00
Robin Ward
45dca791b0
UX: Add auto focus to hamburger and user menu dropdowns (#13165) 2021-06-04 10:35:04 -04:00
Bianca Nenciu
8170563693
FIX: Make poll options tabbable (#13159) 2021-06-04 10:34:49 -04:00
Sam
22e9acc797
UX: Improve navigation on topic lists for screen readers (#13153)
Previously we had no role set for various topic links, nor did we have any
headers.

This teaches screen readers that topic links in topic lists are to be treated
as H2. We opted for this less radical change cause a change of the element
type would probably result in many broken themes.

Confirmed on NVDA you can very quickly breeze through topic lists now. Minor
edge case is pinned topics which can be a bit annoying due to multiple links.
2021-06-04 10:34:40 -04:00
Sam
d444a8a400
UX: provide a region for various topic actions (#13152)
This makes it much easier to reply to topics / bookmark topics and so on

Previously topic buttons had no region
2021-06-04 10:34:31 -04:00
Robin Ward
16e1ea938c
FIX: Better focus support for modals (#13147) 2021-06-04 10:34:20 -04:00
Sam
873eb405cd
UX: add ARIA region role to posts (#13130)
NVDA does not detect HTML5 articles as regions. This explicitly sets a
region with an aria-label denoting post numbers making it much easier to
know where you are in a topic.

Note role: article which is more semantically correct is not respected by
NVDA d/D shortcut, hence the much more generic "region" role.
2021-06-04 10:34:13 -04:00
Kris
8e0a669aa5
A11Y: Fix post control and user-menu focus styles (#13118) 2021-06-04 10:34:05 -04:00
dependabot[bot]
2674078b97
Build(deps): Bump nokogiri from 1.11.4 to 1.11.5 (#13107)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.4 to 1.11.5.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.4...v1.11.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-06-04 10:33:57 -04:00
Kris
bb59e4ca61
UX: Fix theme upload width, remove class clash, prettier (#13071)
* UX: fix width & theme upload modal class clash

* remove unneeded class

* unprettier hbs

* add back unicode emoji

* add newline
2021-06-04 10:33:49 -04:00
dependabot[bot]
d803095451
Build(deps): Bump nokogiri from 1.11.3 to 1.11.4 (#13074)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.3 to 1.11.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.3...v1.11.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-06-04 10:33:40 -04:00
Neil Lalonde
8562c1d098
Version bump to v2.7.1 2021-06-03 14:55:45 -04:00
Penar Musaraj
7d06980cc5
SECURITY: Do not allow unauthorized access to category edit UI (#13252) 2021-06-03 14:35:27 -04:00
Penar Musaraj
5f5301d478
FIX: Close hyperlink modal on ESC key (#13166) 2021-06-03 14:35:00 -04:00
Penar Musaraj
f8bab65425
FIX: Disable lightboxing of animated images (#13099) 2021-06-03 14:34:36 -04:00
Neil Lalonde
ccf207f12e
Version bump to v2.7.0 2021-05-18 14:28:06 -04:00
Neil Lalonde
2c399a84fe
Merge master 2021-05-18 14:09:54 -04:00
Discourse Translator Bot
55611a5b80
Update translations (#13089) 2021-05-18 16:49:18 +02:00
Discourse Translator Bot
8ac184c636
Update translations (#13088) 2021-05-18 15:11:41 +02:00
Gerhard Schlager
09dfa5c068
Fix typo (#13086)
@discourse-translator-bot keep_translations_and_approvals
2021-05-18 14:39:46 +02:00
Joffrey JAFFEUX
c78f32a9a1
FIX: removes legacy Ember.keys usage causing a crash (#13085)
The crash:

```
Uncaught TypeError: Ember.keys is not a function
```

Repro:

- visit home page
- click new topic
- navigate to your messages by clicking your avatar (top right), then enveloppe icon, and finally the bottom chevron
- click New Message
- click cancel in the composer, it should crash
2021-05-18 12:23:41 +02:00
Bianca Nenciu
c1dfd76658
FIX: Make replace watched words work with wildcard (#13084)
Watched words are always regular expressions, despite watched_words_
_regular_expressions being enabled or not. Internally, wildcard
characters are replaced with a regular expression that matches any non
whitespace character.
2021-05-18 12:09:47 +03:00
Robin Ward
a21700a444
FIX: Previewing themes didn't work in Ember CLI (#13078)
This is two fixes:

1. Ember CLI's proxy did not support 3xx redirects so a redirect was
   failing.

2. We were not passing query parameters to the `bootstrap.json` endpoint
   to correctly handle previewing themes (and other occasional options.)
2021-05-17 14:51:36 -04:00
jbrw
a24b6daa87
FIX: An unresolved blank uri should attempt an alternate Oneboxing strategy, if available (#13070) 2021-05-14 15:23:20 -04:00
Roman Rizzi
8801a27cc6
FIX: Automatically load more reviewable items. (#13069)
If you finished reviewing the initially loaded items, and there're more in the queue, load them.

Also, when fast-tracking the pending items updates, use the reviewable_count returned by the perform result. Calling "result.reviewable_count" returns undefines.
2021-05-14 15:06:34 -03:00
Gerhard Schlager
4c26dd09e4
DEV: Update bin/bundle (#13067)
This fixes the following error I've been seeing lately in RubyMine:

> Error:Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
> Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.
2021-05-14 19:54:10 +02:00
David Taylor
b6b27bc383
DEV: Improve auto-restart parent process detection logic (#13068)
The auto restart logic was sending a USR2 to the parent process without checking what the parent process actually was. In some situations, it might not be the `bin/unicorn` supervisor.

This commit switches to use a global variable for the supervisor PID. This will be much less prone to unexpected behavior.
2021-05-14 18:17:31 +01:00
Robin Ward
32d6d8308c
FIX: Allow file-change events soon after reloading (#13065)
This patch remembers the last id for the `file-change` event and uses it
to initialize the client side watcher. This should help fix the issue
where styles are not reloaded client side if the browser refreshed.
2021-05-14 12:36:53 -04:00
Gerhard Schlager
d6b53b688d
DEV: Prevent automatic restart of rails console (and crashing zsh) (#13066)
Only a server should be restarted when non-autoloaded ruby files are edited.
2021-05-14 18:19:22 +02:00
Bianca Nenciu
c0679022e7
FIX: Skip upload if HTML cannot be parsed (#12971) 2021-05-14 16:52:40 +03:00
Bianca Nenciu
3a1b05f219
FIX: Make autotag watched words case insensitive (#13043)
* FIX: Hide tag watched words if tagging is disabled

These 'autotag' words were shown even if tagging was disabled.

* FIX: Make autotag watched words case insensitive

This commit also fixes the bug when no tag was applied if no other tag
was already present.
2021-05-14 16:52:10 +03:00
dependabot[bot]
0e6a8757fe
Build(deps): Bump execjs from 2.8.0 to 2.8.1 (#13063)
Bumps [execjs](https://github.com/rails/execjs) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/rails/execjs/releases)
- [Commits](https://github.com/rails/execjs/compare/v2.8.0...v2.8.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-14 11:36:35 +02:00