Commit Graph

661 Commits

Author SHA1 Message Date
Chulki Lee 1d7895c869 Add plantuml support
Signed-off-by: Chulki Lee <chulki.lee@gmail.com>
2019-07-31 10:02:07 -07:00
BoHong Li c628737411
Merge branch 'develop' into refactor-realtime
Signed-off-by: BoHong Li <raccoon@hackmd.io>

# Conflicts:
#	README.md
#	package.json
2019-07-30 18:20:09 +08:00
Max Wu dd267096c9 fix: use lodash escapeHTML
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2019-07-28 20:04:41 +08:00
Max Wu a7082633aa Upgrade mermaid to 8.2.3
to avoid XSS inside the svg tag

Signed-off-by: Max Wu <jackymaxj@gmail.com>
2019-07-28 20:04:41 +08:00
Yukai Huang f3a3c14aca
Merge branch 'develop' into feature/slides-spotlight 2019-06-27 17:37:16 +08:00
Yukai Huang e315127d31
Merge branch 'master' into feature/slides-timer 2019-06-26 11:39:22 +08:00
Yukai Huang d5a5ebc4d0
Merge branch 'master' into feature/slides-spotlight 2019-06-26 11:39:19 +08:00
BoHong Li a6036cb70b
refactor: back to use js-standard
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-05-27 17:53:08 +08:00
Max Wu fbb18b6e0a Fix stored XSS in the graphviz error message rendering [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2019-04-14 12:12:02 -04:00
BoHong Li b0dee3ee14
refactor: fix lint warning on public/js/lib/common/login.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:45 +08:00
BoHong Li bf727b5878
refactor: fix lint warning on public/js/lib/editor/utils.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:25 +08:00
BoHong Li 45ba0c646d
refactor: fix lint warning on public/js/syncscroll.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:25 +08:00
BoHong Li e564c40b4d
refactor: fix lint warning on public/js/cover.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:25 +08:00
BoHong Li d387cac690
refactor: fix lint warning on public/js/extra.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:25 +08:00
BoHong Li 0498dc70e8
refactor: fix lint warning on public/js/history.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:24 +08:00
BoHong Li 573501389a
refactor: fix lint warning on public/js/index.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:24 +08:00
BoHong Li a40a8bfc02
refactor: fix lint warning on public/js/pretty.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:24 +08:00
BoHong Li 33fcfd416d
refactor: fix lint warning on public/js/render.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:23 +08:00
BoHong Li 73bc7ae8e6
refactor: fix lint warning on public/js/slide.js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:23 +08:00
BoHong Li 4ae1c0ab3e
refactor: replace lz-string with @hackmd/lz-string
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:22 +08:00
BoHong Li 67707d097f
fix: remove string.js for sucurity issue
1. Upgrade Imgur to fix npm install
2. Upgrade less version for security
3. Change package name in package.json to fit npm package.json rule

Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:22 +08:00
BoHong Li 56d86ee25e
fix: lint error
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:21 +08:00
BoHong Li f915957a4f
refactor: replace js-url with wurl (original version of js-url)
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-11 19:35:12 +08:00
BoHong Li 628e679916
refactor: replace Idle.js to @hackmd/idle-js
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-11 18:30:20 +08:00
PastLeo 9696e60248
add reveal.js-elapsed-time-bar
Signed-off-by: PastLeo <chgu82837@gmail.com>
2019-04-05 15:53:23 +08:00
PastLeo 5621d45bf9
add spotlight dep for slides mode
Signed-off-by: PastLeo <chgu82837@gmail.com>
2019-04-05 15:17:48 +08:00
Sheogorath 982775f6dc
Fix broken HTML export with emojis
HTML export was broken due to missing alt-attribute for emojis.

This patch adds the old alt-element style and restores the exportability
this way.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-09 15:04:07 +01:00
Sheogorath 1f0fb12755
Fix CI errors for unused variables
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:36:39 +01:00
Sheogorath c5ca7b634a
Remove broken speakerdeck embedding
The current speakerdeck implementation is broken. An alternative
implementation using oembed doesn't work due to CORS, which could be
solved by proxying the speakerdeck API, but we decided to not do this.

This patch provides the link to the speakerdeck presentation instead,
and this way doesn't break existing notes. This is right now the best
solution we could come up with.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:26:37 +01:00
Max Wu 067cfe2d1e Fix to escape html comment tag [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:42:55 +08:00
Sheogorath 33774c11b9
Update from to-markdown to turndown
We got a security alert for a regular expression DoS attack on our used
library `to-markdown`.

After checking `to-markdown` to be maintained or not, it turned out they
renamed the library to `turndown`. So upgrading to `turndown` should fix
this vulnerbility.

References:
https://www.npmjs.com/package/to-markdown
https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-21 11:12:09 +01:00
Christoph (Sheogorath) Kern 271dff3808
Merge pull request #1043 from SISheogorath/fix/tocEmptyHead
Fix ToC breaking documents with empty h* elements
2018-11-19 21:33:34 +01:00
Sheogorath d6dd33620c
Fix wrong anchors
While experimenting with the ToC changes, it became obvious that anchors
for those unnamed headers don't work.

This patch fixes those links by running the autolinkify twice and make
sure linkify only adds links to non-empty ids.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-19 20:20:56 +01:00
Claudius Coenen 858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
Sheogorath c59b94a37b
Remove the xss library from webpack
We can load the xss functions directly from the library instead of
loading them through the expose loader of webpack, this should simplify
the setup and maybe even improve speed a bit.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-10 20:27:07 +01:00
Sheogorath d188b3526a
Again: Replace emoji-plugin regex
The Regex introduced in the last commit[1], was already working quite
good. But still resulted in false positives for all URL that contained a
second `:`.

To fix this once and for all, we craft a simple, but long regex based on
all emoji names and use this to match them.

We could probably optimize it, but that should also be something the
regex engine itself can and should do.

[1]: 7e45533c75 (in this source tree)

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-31 15:33:45 +01:00
Sheogorath 7e45533c75
Fix emoji regex
The old regex, adapted from the other plugins, was a bit too open for
matching. This leads to matching something like: `This is a sentence:
[And something with a: in it.]()` which doesn't become a link anymore.
Because the match is: ` [And something with a`.

This patch provides a fix for the regex to only match non-space string
within the `:`'s.

References:
- Introducing commit:
2063eb8bdf
- Inspirational source of the original RegEx:
2063eb8bdf/public/js/extra.js (L1095)

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-29 20:37:47 +01:00
Christoph (Sheogorath) Kern e115423d12
Merge pull request #1006 from SISheogorath/fix/missingEmojis
Fix not rendered autocomplete emojis
2018-10-22 23:02:33 +02:00
Christoph (Sheogorath) Kern 1abf7c54ae
Merge pull request #1004 from SISheogorath/feature/integrateHljs
Add autocomplete for highlight.js languages into codemirror
2018-10-11 17:30:03 +02:00
Sheogorath 1d452a6ed4
Remove dead package octicon
Octicon no longer provides its CSS classes and this way is useless in
CodiMD. Replacing all used classes in the UI and remove it from build
system.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 23:42:41 +02:00
Sheogorath 2063eb8bdf
Fix not rendered autocomplete emojis
Currently we have some emojis that are autocompleted but won't show up
in the resulting document.

This patch adds all emojis that are pushed to Codemirror and applies
them to the markdown rendering process, so they become usable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 21:24:33 +02:00
Sheogorath 1a9df22680
Add autocomplete for highlight.js languages into codemirror
Right now we support code highlighting for rust, but it doesn't appear
in autocomplete of codemirror, because codemirror is not aware of it.

This patch lets highlightjs simply tell codemirror, what it supports and
adds this to the autocomplete list.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 11:13:52 +02:00
Cédric Couralet 702f52f07c Fix #986 : Visibility is now transmitted with gitlab V4 api
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-10-09 06:46:25 +00:00
Sheogorath 75a23fe2c9
Add rel="noopener" to target="_blank" links
The noopener construct protects from some nasty clickjacking attacks. We
can apply them savely to all our links since we don't rely on the
previously used page.

Some more details: https://mathiasbynens.github.io/rel-noopener/

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-04 01:49:36 +02:00
Cédric Couralet 66d374b128 Add possibility to choose between version v3 or v4 for the gitlab api.
Apart from the uri versioning, one big change is the snippet visibility post data (visibility_level -> visibility)

Default gitlab api version to v4

Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-07-31 08:36:56 +00:00
Alexander Wellbrock 97c2330264
Fix some false titles
Signed-off-by: Alexander Wellbrock <a.wellbrock@mailbox.org>
2018-07-08 20:41:46 +02:00
Sheogorath dea62cf310
Update store
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-30 16:52:34 +02:00
Sheogorath 1c92524c08
Fix broken unicode urls
It wasn't possible to create unicode based URLs in freeurl mode, because
the noteid used for the websocket connection is double escaped. When we
decode it and let socketio-client reencode it, we get the real
shortid/noteid and can find the note in the database and open the
connection.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-26 22:25:36 +02:00
Christoph (Sheogorath) Kern c7745f6b27
Merge pull request #863 from hackmdio/feature/slidePrint
Add Print icon to slide view
2018-06-26 21:41:18 +02:00
Sheogorath 04d16e4d6e
Add Print icon to slide view
It redirects the user to the print view of the document. I claim that
people should either be smart enough to use ctrl+P or ask someone who
knows how to print a webpage. I don't want to babysit our users.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 23:50:38 +02:00
Sheogorath 2184491f4a
Final replacements
Looks like I missed a few. This should be complete now. And make us
ready for the repo rename and merging.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 14:13:46 +02:00
Sheogorath 4b060c7dba
Rebrand HackMD to CodiMD
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:24:12 +02:00
Sheogorath 8fe26988d1
Fix all newly introduced linting issues
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 21:27:21 +02:00
Sheogorath 49db5bc653
Merge branch 'pr-846' 2018-06-23 21:19:44 +02:00
Sheogorath f65d96c57b
Fix liniting and optimize some functions
First fixed some linting issues. Also optimized some functions to be
undoable with one ctrl+z.

This should also speedup some operations

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 21:18:15 +02:00
Jake Burden b98d10c79a turn concatenated string into a multi-line template string
Signed-off-by: Jake Burden <jake@doge.haus>
2018-06-22 18:08:47 -04:00
Edgar Zanella Alvarenga a8b664fdb5 Add a toolbar to Codemirror editor
Signed-off-by: Edgar Zanella Alvarenga <e@vaz.io>
2018-06-19 16:03:56 +02:00
Sheogorath 9fd09a8dfb
Add delete user UI
This provides the UI for the delete user feature introduced in
4229084c62

Placing of the user delete button is not perfect, but can be moved to an
own user tab later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 17:11:11 +02:00
Sheogorath ad69c5017b
Removing google drive integration
It's sad but it's not working. For multiple releases this should be
already broken which shows how often it's used.

As there is also a security issue related to that, it's better to
remove the feature completely. Whoever wants to rewrite it, feel free to
go.

This commit removes the Google Drive integration from HackMD's Frontend
editor and this way removes the need to provide any API key and Client
ID in the frontend.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 01:34:55 +02:00
Sheogorath 8b69013ebd
Fix night mode button after restore
The night mode toggle doesn't get the right state after restore from
local storage. This results in the need to toggle twice to disable night
mode.

This patch adds the needed class so the toggleNightMode function gets
the right state on execution.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 20:12:02 +02:00
Sheogorath 32c578db08
Persist nightmode so we can re-enable it
Right now the night mode is possible to set by a toggle in the menu bar
but needs to be re-enabled on every document switch, reload, etc.. This
is super annoying so we should keep this state in local storage or
a cookie.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-23 19:46:38 +01:00
Christoph (Sheogorath) Kern f6df2deb84
Merge pull request #743 from hackmdio/fix-to-use-url-safe-base64
Fix to use url-safe base64 in note url
2018-03-18 15:13:06 +01:00
Max Wu 8bfe51940f Fix typo
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-11 03:00:36 +08:00
Max Wu dfd833dbe2 Update to show log on migrate LZString type note url in history
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-11 02:55:54 +08:00
Max Wu d08c9522c0 Update to migrate note url in the history of browser storage and cookie
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-03 16:26:19 +08:00
Max Wu 95e9f96aa0 Update to allow rp tag for ruby
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 20:55:10 +08:00
Max Wu 711a11ce23 Remove manual allow details tag since default already allow it
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 20:54:57 +08:00
Sheogorath 5d347d583d
Extend HTML5 support by whitelisting various tags
HTML5 provides a wide feature set of useful elements. Since Markdown
usually supports HTML it should be able to use these HTML5 tags as well.
As they were requested by some users and they where checked for being
safe, whitelisting them isn't a problem. To make the experience the same
as on GitHub when it comes to the basic look and feel of the rendered
markdown, some CSS was added to make the summary and the details tag
look like on GitHub.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-25 14:54:21 +01:00
Sheogorath 9c77e9d7f0
Allow the usage of the esc-key by codemirror
This change allows all input modes of codemirror to use the information
from an input esc-key and make this way vim and sublime more
functional. To prevent this change from breaking the return from the
fullscreen mode, it catches the esc-key in this case. Hopefully this is
an acceptable solution.

As before the vim-mode is handled different in fulltext-mode as it is
esc-key heavy.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-24 21:14:47 +01:00
Stefan Bühler c4f8fb78ee don't require referer to find note id in socket.io connections (fixes #623)
Signed-off-by: Stefan Bühler <buehler@cert.uni-stuttgart.de>
2018-02-05 14:26:42 +01:00
Max Wu a9c88ce248
Fix task todo might not toggle
which caused by not matching syntax with double dashes correctly
2018-01-24 00:10:52 +08:00
Christoph (Sheogorath) Kern 584f1c5249
Merge pull request #691 from SISheogorath/feature/upload
Allow more detailed configuration of upload mime types
2018-01-23 12:10:33 +01:00
Christoph (Sheogorath) Kern 7de6e3211f
Merge pull request #598 from xxyy/feature/csp
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Sheogorath a7935a595a
Allow more detailed configuration of upload mime types
Fixes #637

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-20 15:16:53 +01:00
Wu Cheng-Han 3703b12584 Fix image alt not render properly 2018-01-19 00:53:49 +08:00
Max Wu 919b7467d4
Fix anchor id to keep uppercase characters
id shouldn’t be converted to lowercase since id attribute is case sensitive
2018-01-16 15:59:43 +08:00
Edoardo Odorico 6fc2c39eda Implemented dark theme.
Signed-off-by: Edoardo Odorico <edoubuntu@gmail.com>
2018-01-05 00:15:13 +01:00
Peter Dave Hello 76873d3f7e Fix file permission, remove useless executable 2017-12-14 05:05:18 +08:00
Christoph (Sheogorath) Kern b840c3fa57
Merge pull request #609 from monoxane/master
Correcting grammatical errors related to the document char count tooltip
2017-12-12 10:39:49 +01:00
Sheogorath 93b91163cd
Prevent XSS vul by srcdoc in iframe 2017-11-24 10:10:50 +01:00
Literallie 3a752fde51
Revert "Load js-url lib using legacy-loader"
Didn't work in Firefox for some reason.

`[Script Loader] ReferenceError: module is not defined`

This reverts commit 5b83deb043.
2017-11-02 17:57:44 +01:00
Sheogorath e807f1b783
Fix mermaid error handling 2017-10-30 12:26:28 +01:00
Sheogorath 09d2ba41cf
Use mermaidAPI in mermaid scope
Introduced by a5b7145527 (diff-67ae90c5144c55348a3cbdb078240454L532)

Fixes #600

Parse only throws error: 167368d508 (diff-67ae90c5144c55348a3cbdb078240454)
2017-10-30 07:11:14 +01:00
Oliver Herrmann 7d0ef1276c
Corrected some grammatical issues
Obviously caught up in a bad translation and didn't particularly make sense for native english speakers.
2017-10-30 11:25:44 +11:00
Sheogorath c794412714 Merge pull request #591 from Rwing/master
support Simplified Chinese and rename original zh to Traditional Chinese
2017-10-23 11:53:31 +02:00
Rwing 362a7eaf65 support Simplified Chinese and rename original zh to Traditional Chinese 2017-10-23 17:38:04 +08:00
Literallie 567f26f5b9
Fix MathJax config not being picked up
thanks standard
2017-10-22 02:48:24 +02:00
Literallie 04f5e3a341
Move CSP logic to new file, Fix boolean config examples
Not sure why I was quoting these in the first place
2017-10-22 02:18:45 +02:00
Literallie 5b83deb043
Load js-url lib using legacy-loader
Doesn't use eval, plus no window object access
2017-10-22 00:03:45 +02:00
Literallie 4238b9b3ef
Fix MathJax CSP issues 2017-10-22 00:03:45 +02:00
Yukai Huang 60b86e0250 Fix markdown-it gist plugin code closing tag
fix #596
2017-10-21 11:45:17 +08:00
Wu Cheng-Han d96385eafd Fix to filter @import CSS syntax in style tag to prevent XSS [Security Issue] 2017-10-05 10:17:26 +08:00
Wu Cheng-Han b0b417cefc Fix unescape > symbol inside the style tags to make the CSS works 2017-10-05 09:59:57 +08:00
Wu Cheng-Han 8979f215ab Fix blockquote not parse correctly in slide mode 2017-10-05 09:59:07 +08:00
Wu Cheng-Han 2bdccd3996 Fix home and end keys behavior for windows 2017-09-27 21:27:33 +08:00
Wu Cheng-Han fe384d80bf Fix the < and > symbols are doubly escaped which affected by executing preventXSS twice 2017-09-27 18:22:49 +08:00
Wu Cheng-Han f2743ff8f8 Fix slide mode contains unclosed tags might cause XSS [Security Issue] 2017-09-27 18:21:28 +08:00
Wu Cheng-Han 9b00afb863 Fix unclosed tags might cause XSS [Security Issue] 2017-09-27 18:20:04 +08:00
Max Wu a645f28b33 Fix slide mode might hide scrollbar on some linux 2017-06-14 12:12:28 +08:00
Wu Cheng-Han 48f8378335 Fix speaker note separator regex should only take effect on the line start 2017-06-05 01:20:21 +08:00