Commit graph

664 commits

Author SHA1 Message Date
Tilman Vatteroth
29b3562672 feat: use codemirror precompiled package
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-02-28 09:25:43 +01:00
Erik Michelson
057777f31f fix(night-mode): migrate cookie solution to store only
Signed-off-by: Erik Michelson <michelson@uni-bremen.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-02-19 21:40:01 +01:00
David Mehren
e2b0117c3e Fix missing syntax highlighting in the markdown editor
In e17cc644 the Webpack build process for CodeMirror was changed.
For unknown reasons, not all plugins and modes were added.
This adds all plugins currently enabled in
https://github
.com/hedgedoc/CodeMirror/blob/951b3d94bb5ad9ac7b44642adbe595e843390506/release.sh

Signed-off-by: David Mehren <git@herrmehren.de>
2022-10-16 21:05:34 +02:00
Tilman Vatteroth
164fe21d18 Replace embedding shortcode regexes with more specific ones to safeguard against xss attacks
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-08-26 18:59:06 +02:00
David Mehren
d26dcd04a1
Adapt code for eslint-config-standard 17
Signed-off-by: David Mehren <git@herrmehren.de>
2022-05-01 21:19:44 +02:00
Erik Michelson
c99d30931d Remove duplicated jQuery selectors
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
Erik Michelson
0093aa4783 Fix GitLab snippet export
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
David Mehren
e0021036ae
Fix missing inline authorship colors
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
 that.

 This copies the function into its own file (to make importing it easy)
 and adds an import in index.js.

 Fixes https://github.com/hedgedoc/hedgedoc/issues/2248

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-08 12:13:37 +02:00
Tilman Vatteroth
61e092e8af Force change of aria-hidden when modal shows or hides
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-04-03 22:52:53 +02:00
David Mehren
381d360d58
Fix mermaid import
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-02 19:11:39 +01:00
David Mehren
489f785992
Set global timeout for Ajax operations
`ajaxSetup()` sets the default values for future Ajax operations.

See also
https://api.jquery.com/jQuery.ajaxSetup/
https://api.jquery.com/jquery.ajax/

Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-04 20:49:53 +01:00
David Mehren
957d7d553e
Merge pull request #1394 from hedgedoc/remove-cdn 2021-08-15 20:11:26 +02:00
David Mehren
a865ed0822
Merge pull request #1538 from hedgedoc/fix/secure_cookies 2021-08-15 00:42:52 +02:00
David Mehren
8973e85ba6
Hardcode YouTube and Vimeo URLs to HTTPS
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
d56ff5bdf3
Fix slideshare CSP error by always using HTTPS
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
4526542944
Replace Cloudflare links in exported HTML
Emoji images are now converted to data URLs

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:09:53 +02:00
David Mehren
3b00601872
Inline CSS & JS into HTML export template
Previously, the HTML export template `html.hbs` included CDN links
for the HTML and CSS resources.

This commit enables Webpack to create a new `htmlexport.html` at
build-time, which includes all resources inline.
That template is then used as before by the frontend to be populated
with the rendered note content.

The tradeoff is that each exported .html file is about 5.6 MB in size,
as we need to inline all fonts (icons & emojis).

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:09:53 +02:00
David Mehren
7b00a59661
Set secure flag for non-session cookies
This adds the secure flag to all cookies that are set
in the frontend for storing various settings.
If `SameSite=none` is set (like when embedding the instance is allowed),
 the `secure` flag is necessary to set any cookie.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:08:31 +02:00
Tilman Vatteroth
c767bad386
Make anchor links base uri independent
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-07-26 22:29:33 +02:00
David Mehren
7ff685933e
Lazy-load highlight.js
This commit moves the import of highlight.js into a `require.ensure`
block, that is only executed when a code-block is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.

The call to `hljs.listLanguages()` in `index.js` is also replaced
by a static list. This is important, as `index.js` would otherwise
need to import highlight.js, which would cause the quite big
library to be included into nearly every entrypoint, needlessly
increasing the transferred code size.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-11 09:29:27 +02:00
David Mehren
5b8b76135b
Lazy-load viz.js
This commit moves the import of viz.js into a `require.ensure` block,
that is only executed when a graphviz diagram is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.

To ensure that graphviz code-blocks are not treated as normal
code-blocks while the chunk is loading, a corresponding check is added
to `finishView`.

The library is also removed from the Webpack config file, as it only
is used at one place in extra.js, which is handled by Webpack
without any extra config.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-11 09:29:26 +02:00
David Mehren
1c023e7881
Lazy-load abcjs
This commit moves the import of abcjs into a `require.ensure` block,
that is only executed when a abc diagram is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.

To ensure that abc code-blocks are not treated as normal
code-blocks while the chunk is loading, a corresponding check is added
to `finishView`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-11 09:29:26 +02:00
David Mehren
938afbddc3
Replace handlebars with string.replace
The html.hbs template does not contain any logic,
so we can replace the lib with good old string.replace calls.
This significantly reduces the bundle size, as we don't have to ship
a full template engine to the client.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-11 09:29:26 +02:00
David Mehren
b45b8b9c0d
Lazy-load mermaid
This commit moves the import of mermaid into a `require.ensure` block,
that is only executed when a mermaid diagram is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.

To ensure that mermaid code-blocks are not treated as normal
code-blocks while the chunk is loading, a corresponding check is added
to `finishView`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-11 09:26:03 +02:00
David Mehren
fa1ed66088
Load abcjs from npm package
This also loads abcjs without script-loader.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
fddd97391b
Load gist-embed without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
1150c72fa7
Load handlebars without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
a98d184f2c
Load mermaid without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
bd62e79f7d
Load ot without script-loader
The ot library is tricky to load with Webpack, as it writes
it's functions into a global `ot` object and does not export anything.
I got it working using `exports-loader` to put the `ot` object
into a CommonJS export and then forcing Webpack to only
load using CommonJS.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
4f4a4cb747
Load jquery-textcomplete without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
2515ad962b
Load inline-attachment without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:35 +02:00
David Mehren
cf867daf99
Load Idle.js without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
0e7a9df97d
Load jquery-ui resizable from npm package
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
e17cc6440f
Load codemirror and codemirror-spell-checker without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:20 +02:00
Tilman Vatteroth
41b9ab956c
Replace vimeo meta data api
Vimeo deprecated the v2 api and recommends to
use https://developer.vimeo.com/api/oembed/videos

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-05-15 21:25:03 +02:00
David Mehren
dc1f621eb8
Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines
Fix insertOnStartOfLines behaviour
2021-05-06 21:16:22 +02:00
Erik Michelson
7f8be22e97
Fix click handler for numbered task lists
The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc).
This commit changes the regex to allow both.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-05-05 23:34:03 +02:00
David Mehren
e4b2b6ff73
Fix insertOnStartOfLines behaviour
A bug in insertOnStartOfLines lead to duplicated text,
if the cursor was not at the start of a line.

This fixes the behaviour of insertOnStartOfLines to always use
the complete first and last line of the selection,
even if they were only partially selected.

Fixes #1231

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-05 22:57:49 +02:00
Erik Michelson
0d943d1284
Extract list of supported languages in separate file
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-04-26 21:45:31 +02:00
David Mehren
837cf59ef9
Add support for freshly imported languages
New languages: bg, fa, gl, he, hu, oc, pt-br

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-26 21:42:06 +02:00
David Mehren
0f7f11e4f3
Fix HTML clipboard import
jQuery's .html() method escapes contained text (e.g. '<' becomes
'&lt;'). This confuses the turndown parser, which then only performs
unescaping, but does not convert to markdown.
By using .text() instead, the unescaped content is returned and turndown
can correctly generate markdown.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-16 22:06:45 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
David Mehren
788e7d460a
Update webpack config and JS import for spin.js v4
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-12 23:47:58 +01:00
Tilman Vatteroth
9f59a73049
Fix wrong acces to slide options
If the slide options in the frontmatter are empty
or not present, then slideOptions object in the
parsed JSON is undefined. This triggers an
exception when the sanitized slide options object
is built.

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-02-02 13:27:37 +01:00
Tilman Vatteroth
3eb64cff55
Delete slide options that are not defined
Reveal.js doesn't set the default value of an option in the provided config object
if the key is set with "undefined" as value. This leads to a broken slide mode,
because some critical settings are missing.

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-15 21:18:23 +01:00
Philip Molares
8e611e42ee added theme to the sanitization of slideOptions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 16:42:53 +01:00
Philip Molares
1546786c63 changed the SCRIPT_END_PLACEHOLDER regex to case insensitive
this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:35:17 +01:00
Philip Molares
35b0d39a12 added sanitation to the slideMode in frontmatter
This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648

Specifically left out are
- dependency (user can't really include anything anyway, because CSP forbids most domains)
- autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
- keyboard (this let's users write arbitrary code and seems therefore to problematic)

See:
https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:18:09 +01:00
David Mehren
c32b1cf42b
Don't store mermaid diagrams in innerHTML
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 10:14:27 +01:00
David Mehren
b0e2577fd5
Remove reference to nonexisting DOM element
This was missed in #596 and breaks the frontend JS.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-27 19:24:43 +01:00