Alexander Ebert [Wed, 29 Mar 2023 16:24:45 +0000 (18:24 +0200)]
Force replace some HTML tags before sending messages to the search index
Stripping the HTML can cause certain words to be accidentally joined when there is no symbol between them that is recognized by the tokenizer. Inserting a whitespace at tag positions that are known to be prone is a stop-gap solution until we find a more stable replacement strategy.
See #4652 and WoltLab/com.woltlab.wcf.elasticSearch#14
Tim Düsterhus [Tue, 28 Mar 2023 12:57:51 +0000 (14:57 +0200)]
Merge pull request #5372 from WoltLab/article-permissions
Fix several article related permissions
Tim Düsterhus [Tue, 28 Mar 2023 12:19:40 +0000 (14:19 +0200)]
Check edit permissions before showing edit link in ACP's article list
Tim Düsterhus [Tue, 28 Mar 2023 12:17:40 +0000 (14:17 +0200)]
Unify visibility of articles in ACP's article list with frontend
Tim Düsterhus [Tue, 28 Mar 2023 12:12:34 +0000 (14:12 +0200)]
Allow users that may contribute articles to see their own articles independent of publication status in lists
Tim Düsterhus [Tue, 28 Mar 2023 12:06:18 +0000 (14:06 +0200)]
Unify default publication status for users that may manage articles and users that may manage their own articles
Tim Düsterhus [Tue, 28 Mar 2023 12:03:05 +0000 (14:03 +0200)]
Allow users that may manage own articles to view them independent of publication status
Tim Düsterhus [Tue, 28 Mar 2023 11:57:50 +0000 (13:57 +0200)]
Allow users that may manage own articles to actually create articles
Tim Düsterhus [Fri, 17 Mar 2023 09:47:31 +0000 (10:47 +0100)]
Update to TypeScript 5.0
Tim Düsterhus [Fri, 17 Mar 2023 09:37:41 +0000 (10:37 +0100)]
Update eslint
Alexander Ebert [Thu, 16 Mar 2023 15:43:22 +0000 (16:43 +0100)]
Release 5.5.10
Alexander Ebert [Thu, 16 Mar 2023 15:32:19 +0000 (16:32 +0100)]
Merge branch '5.4' into 5.5
Alexander Ebert [Thu, 16 Mar 2023 15:25:26 +0000 (16:25 +0100)]
Release 5.4.26
Alexander Ebert [Thu, 16 Mar 2023 15:21:37 +0000 (16:21 +0100)]
Merge branch '5.3' into 5.4
Alexander Ebert [Thu, 16 Mar 2023 15:06:57 +0000 (16:06 +0100)]
Release 5.3.27
WoltLab [Thu, 16 Mar 2023 14:58:18 +0000 (14:58 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Thu, 16 Mar 2023 14:54:32 +0000 (15:54 +0100)]
Merge branch '5.4' into 5.5
Tim Düsterhus [Thu, 16 Mar 2023 14:54:21 +0000 (15:54 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 16 Mar 2023 14:50:46 +0000 (15:50 +0100)]
Merge branch 'edit-permissions' into 5.3
Alexander Ebert [Mon, 13 Mar 2023 11:52:57 +0000 (12:52 +0100)]
Release 5.5.10 dev 1
WoltLab [Mon, 13 Mar 2023 11:51:33 +0000 (11:51 +0000)]
Updating minified JavaScript files
Alexander Ebert [Mon, 13 Mar 2023 11:27:47 +0000 (12:27 +0100)]
Fix the handling of external links in the mobile main menu
See https://www.woltlab.com/community/thread/299236-externe-hauptmen%C3%BC-links-werden-trotz-einstellung-im-acp-mobil-nicht-in-neuem-tab/
Tim Düsterhus [Fri, 10 Mar 2023 12:47:35 +0000 (13:47 +0100)]
Check if the article is readable in Article::canEdit()
Previously an editor could access the contents of an inaccessible article by
directly navigating to the edit form.
Tim Düsterhus [Fri, 10 Mar 2023 12:30:44 +0000 (13:30 +0100)]
Merge pull request #5353 from WoltLab/article-edit
Fix Article::canEdit() permission for article contributors
Tim Düsterhus [Fri, 10 Mar 2023 12:22:12 +0000 (13:22 +0100)]
Fix Article::canEdit() permission for article contributors
The previous return value was non-sense, because `false` is already the
default. Users that may contribute articles may edit their own articles until
they are published, thus this must `return true`.
This was introduced in
a40df44c036bd6201e4e8f9cef5fb878dba4dd4f.
Alexander Ebert [Thu, 9 Mar 2023 16:17:26 +0000 (17:17 +0100)]
Merge pull request #5344 from nice42q/patch-1
Resize Upright Videos
Tim Düsterhus [Thu, 9 Mar 2023 15:58:19 +0000 (16:58 +0100)]
Merge pull request #5347 from WoltLab/user-option-disabled
Check if a user option is disabled in UserOption::isVisible() and ::isEditable()
Tim Düsterhus [Thu, 9 Mar 2023 14:10:28 +0000 (15:10 +0100)]
Check if a user option is disabled in UserOption::isVisible() and ::isEditable()
see https://www.woltlab.com/community/thread/299193-gender-birthday-location-still-shows-in-profile-even-if-the-fields-are-disabled/
Tim Düsterhus [Wed, 8 Mar 2023 09:52:04 +0000 (10:52 +0100)]
Merge pull request #5343 from WoltLab/media-clipboard-bad-merge
Fix bad merge in Media/Clipboard.ts
Luke [Wed, 8 Mar 2023 09:31:53 +0000 (10:31 +0100)]
Resize Upright Videos
'vh' 1% of the viewport's height.
Responsive style for all devices
Tim Düsterhus [Wed, 8 Mar 2023 09:22:34 +0000 (10:22 +0100)]
Fix bad merge in Media/Clipboard.ts
The `_didInit = true` assignment added in
3510ed70b5abcd0786cca33469812b2781024cc9 got lost during the TypeScript
transformation in
b5030e676de80fc60f7619c0149999cfed394499.
Fixes #5341
WoltLab [Tue, 7 Mar 2023 15:23:39 +0000 (15:23 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Tue, 7 Mar 2023 15:22:04 +0000 (16:22 +0100)]
Update npm dependencies in extra/
Tim Düsterhus [Tue, 7 Mar 2023 11:27:12 +0000 (12:27 +0100)]
Merge pull request #5340 from WoltLab/x-frame-options-phrase
Drop misleading “deprecated” note in `wcf.acp.option.http_send_x_frame_options`
Tim Düsterhus [Tue, 7 Mar 2023 08:24:04 +0000 (09:24 +0100)]
Drop misleading “deprecated” note in `wcf.acp.option.http_send_x_frame_options`
Not the “disallowing of frame embeds” is deprecated, but the disabling of the
disallowing. This becomes clear when reading the description, but not when just
reading the option name + parenthesis.
Drop the parenthesis entirely, the description is quite clear and the ACP index
page will also show a warning if the option still is enabled.
see https://www.woltlab.com/community/thread/299182-einbindung-in-einem-frame-verhindern-veraltet-nicht-empfohlen/
Marcel Werk [Mon, 6 Mar 2023 15:36:13 +0000 (16:36 +0100)]
Fix missing deletion of articles after deletion of a category
Marcel Werk [Mon, 6 Mar 2023 15:29:01 +0000 (16:29 +0100)]
Fix missing custom confirm messages when deleting categories
Marcel Werk [Mon, 6 Mar 2023 15:01:02 +0000 (16:01 +0100)]
Fix missing deletion of subscriptions of article categories
Deleting article categories did not remove attached subscriptions.
Alexander Ebert [Mon, 6 Mar 2023 13:08:55 +0000 (14:08 +0100)]
Suppress the HTML encoding of values encoded by `|encodeJS`
This causes entities to be encoded, but the implementation expects them to be plain text.
See https://www.woltlab.com/community/thread/298737-sonderzeichen-in-umfragen/
Tim Düsterhus [Mon, 6 Mar 2023 10:34:22 +0000 (11:34 +0100)]
Handle `NULL` groupDescription in UserGroup::getDescription()
see
a48f51b3c73abff7e4fe9a5016b976682cb5ab3c
see #4694
Marcel Werk [Fri, 3 Mar 2023 14:52:46 +0000 (15:52 +0100)]
Fix exception when editing a user rank with a broken image
Closes #4860
Tim Düsterhus [Fri, 3 Mar 2023 11:27:08 +0000 (12:27 +0100)]
Update GitHub workflows to node.js 18
Tim Düsterhus [Fri, 24 Feb 2023 14:21:08 +0000 (15:21 +0100)]
Create the initial article category with explicit description
see #5323
Tim Düsterhus [Fri, 24 Feb 2023 14:20:12 +0000 (15:20 +0100)]
Fix PHP 8.1 compatibility in AbstractCategoryEditForm for NULL description
see #5323
Tim Düsterhus [Mon, 20 Feb 2023 14:53:15 +0000 (15:53 +0100)]
Fix stack trace rendering for strings with single quotes
Tim Düsterhus [Mon, 20 Feb 2023 09:55:22 +0000 (10:55 +0100)]
Merge pull request #5311 from WoltLab/about-me-validation
Fix aboutMe validation
Tim Düsterhus [Mon, 20 Feb 2023 09:12:03 +0000 (10:12 +0100)]
Reduce the maximum length for the aboutMe and signature to 65000
This is a nice round number and gives some additional wiggle room for HTML
processing changes in UserRebuildDataWorker before the hard limit is actually
reached and contents will need to be dropped.
Tim Düsterhus [Mon, 20 Feb 2023 09:10:06 +0000 (10:10 +0100)]
Fix length comparison for aboutMe text in UserRebuildDataWorker
Contrary to the comment's claim, a `TEXT` column supports 65535 characters
(depending on the charset), not 65535 bytes.
Tim Düsterhus [Mon, 20 Feb 2023 09:04:19 +0000 (10:04 +0100)]
Fix validation in AboutMeOptionType
The validation method previously checked the original input, not the processed
input. This possibly allowed the user to hide words from the Censorship,
because the HTMLPurifier removes elements, resulting in a semantic change. For
example: `Bad<script></script>word` will be `Badword` after purification.
For the length validation this might result in outputs exceeding the hard 65535
character limit (which is also the maximum configurable length in the user
group option).
This is fixed by checking:
1. The text content against the user group option as done everywhere.
2. The text content against the censorship as done everywhere.
3. The HTML content against the hard limit.
Tim Düsterhus [Fri, 17 Feb 2023 12:57:39 +0000 (13:57 +0100)]
Drop obsolete update_com.woltlab.wcf_5.5.9_systemId.php
Tim Düsterhus [Fri, 17 Feb 2023 11:54:31 +0000 (12:54 +0100)]
Merge pull request #5307 from WoltLab/unfurl-language
Add `accept-language` header to Unfurling requests
Tim Düsterhus [Fri, 17 Feb 2023 11:24:38 +0000 (12:24 +0100)]
Add `accept-language` header to Unfurling requests
The default language is preferred, but any language is acceptable with a lower
priority.
see https://www.woltlab.com/community/thread/299002-imdb-english-embed-links-displaying-german-text/
Alexander Ebert [Fri, 17 Feb 2023 11:03:00 +0000 (12:03 +0100)]
Release 5.5.9
Alexander Ebert [Thu, 16 Feb 2023 11:32:03 +0000 (12:32 +0100)]
Release 5.5.9 dev 2
WoltLab [Thu, 16 Feb 2023 09:21:12 +0000 (09:21 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 14 Feb 2023 14:51:53 +0000 (15:51 +0100)]
Release 5.5.9 dev 1
Tim Düsterhus [Fri, 10 Feb 2023 08:58:20 +0000 (09:58 +0100)]
Update npm dependencies
Alexander Ebert [Mon, 6 Feb 2023 16:14:41 +0000 (17:14 +0100)]
Improve the vertical alignment in case no direction has enough space
See https://www.woltlab.com/community/thread/298831-l%C3%B6schen-in-der-mobilen-ansicht-nicht-sichtbar/
Alexander Ebert [Mon, 6 Feb 2023 15:22:55 +0000 (16:22 +0100)]
Prevent the Instagram iframe from overlapping other elements
See https://www.woltlab.com/community/thread/298758-medienanbieter-instagram-%C3%BCberlappt-content/
Alexander Ebert [Mon, 6 Feb 2023 13:31:32 +0000 (14:31 +0100)]
Fix the replacement of the encoded apostrophe
See https://www.woltlab.com/community/thread/298815-desktopbenachrichtigungen-stellen-apostroph-nicht-korrekt-dar/
Alexander Ebert [Mon, 6 Feb 2023 13:25:16 +0000 (14:25 +0100)]
Enforce the minimum height of filtered checkbox lists dynamically
See https://www.woltlab.com/community/thread/298850-mulitselect-felder-werden-gr%C3%B6%C3%9Fer-angezeigt-als-notwendig-nach-update-auf-5-5/
Tim Düsterhus [Tue, 31 Jan 2023 11:02:29 +0000 (12:02 +0100)]
Merge pull request #5262 from WoltLab/avatar-extension-validation
Validate the avatar mime type against the extension list
Tim Düsterhus [Tue, 31 Jan 2023 08:50:36 +0000 (09:50 +0100)]
Add safety abort in UserAvatarEditor::createAvatarVariant() for WebP originals
Tim Düsterhus [Tue, 31 Jan 2023 08:47:16 +0000 (09:47 +0100)]
Validate the avatar mime type against the extension list
see https://www.woltlab.com/community/thread/298731-avatar-upload-pr%C3%BCft-lediglich-dateiendnung-aber-nicht-das-format/
Tim Düsterhus [Tue, 24 Jan 2023 15:10:46 +0000 (16:10 +0100)]
Merge pull request #5240 from WoltLab/style-import-template-modification-time
Update template’s modification time when updated via style import
Tim Düsterhus [Tue, 24 Jan 2023 15:02:58 +0000 (16:02 +0100)]
Update template’s modification time when updated via style import
Fixes #5235
Tim Düsterhus [Mon, 23 Jan 2023 11:10:25 +0000 (12:10 +0100)]
Merge pull request #5231 from WoltLab/system-check-opcache
Check OPcache in SystemCheckPage
Tim Düsterhus [Fri, 20 Jan 2023 13:26:22 +0000 (14:26 +0100)]
Add update_com.woltlab.wcf_5.5.9_systemId.php
Tim Düsterhus [Fri, 20 Jan 2023 13:22:28 +0000 (14:22 +0100)]
Check OPcache in SystemCheckPage
Resolves #5230
Tim Düsterhus [Thu, 19 Jan 2023 13:26:57 +0000 (14:26 +0100)]
Merge branch '5.4' into 5.5
Alexander Ebert [Thu, 19 Jan 2023 13:24:53 +0000 (14:24 +0100)]
Release 5.5.8
Alexander Ebert [Thu, 19 Jan 2023 13:22:17 +0000 (14:22 +0100)]
Release 5.4.25
Alexander Ebert [Thu, 19 Jan 2023 13:21:54 +0000 (14:21 +0100)]
Merge branch '5.3' into 5.4
Alexander Ebert [Thu, 19 Jan 2023 13:19:31 +0000 (14:19 +0100)]
Release 5.3.26
Tim Düsterhus [Thu, 19 Jan 2023 13:17:02 +0000 (14:17 +0100)]
Merge branch '5.4' into 5.5
Tim Düsterhus [Thu, 19 Jan 2023 13:16:28 +0000 (14:16 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 19 Jan 2023 13:16:10 +0000 (14:16 +0100)]
Merge branch 'xss-activation' into 5.3
Tim Düsterhus [Tue, 17 Jan 2023 13:07:33 +0000 (14:07 +0100)]
Automatically detect HTTP codeblocks
Alexander Ebert [Mon, 16 Jan 2023 16:59:50 +0000 (17:59 +0100)]
Release 5.5.8 dev 1
WoltLab [Mon, 16 Jan 2023 16:20:19 +0000 (16:20 +0000)]
Updating minified JavaScript files
Alexander Ebert [Mon, 16 Jan 2023 16:05:50 +0000 (17:05 +0100)]
Use `ResizeObserverEntry.contentRect` in legacy browsers
Fixes #5187
Alexander Ebert [Mon, 16 Jan 2023 15:54:38 +0000 (16:54 +0100)]
Add `messageTableOfContents` and `quoteMetaCode` to the shared templates
See https://www.woltlab.com/community/thread/298400-artikelvorschau-bringt-eine-reihe-von-fehlermeldungen/
See https://www.woltlab.com/community/thread/298137-alle-anzeigen-aktualisieren-unable-to-find-template-quotemetacode/
Alexander Ebert [Mon, 16 Jan 2023 15:36:33 +0000 (16:36 +0100)]
Suppress empty style descriptions
See https://www.woltlab.com/community/thread/298369-stil-beschreibung-fehlt-sprachvariable-wird-angezeigt/
Alexander Ebert [Mon, 16 Jan 2023 15:14:55 +0000 (16:14 +0100)]
Suppress user activity events when articles have been disabled
See https://www.woltlab.com/community/thread/298375-letzte-aktivit%C3%A4ten-nach-modul-deaktivierung/
Tim Düsterhus [Mon, 16 Jan 2023 13:52:27 +0000 (14:52 +0100)]
Merge branch '5.4' into 5.5
Tim Düsterhus [Mon, 16 Jan 2023 13:51:47 +0000 (14:51 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Mon, 16 Jan 2023 13:48:54 +0000 (14:48 +0100)]
Remove questionable `@` in __singleMediaSelectionFormField.tpl
This looks like it is exploitable, because the value is not guaranteed to be an integer.
Tim Düsterhus [Mon, 16 Jan 2023 13:40:29 +0000 (14:40 +0100)]
Fix XSS vulnerability in registerActivation.tpl
This was introduced in
a477e3522933a7204b02013cd6b6d47d0db1d254 when the
activation logic was refactored to no longer use numeric-only activation codes.
Thanks to Chabik Hatim for responsibly reporting the vulnerability.
Tim Düsterhus [Mon, 16 Jan 2023 13:49:57 +0000 (14:49 +0100)]
Merge pull request #5225 from WoltLab/supportexpiry-53
Notify users of the expiring support (5.3)
Tim Düsterhus [Tue, 2 Nov 2021 11:11:50 +0000 (12:11 +0100)]
Notify users of the expiring support (5.3)
see #4574
Tim Düsterhus [Mon, 16 Jan 2023 09:50:32 +0000 (10:50 +0100)]
Properly take languageID into account in LanguageEditor::deleteFromXML()
see https://www.woltlab.com/community/thread/298522-sprachvariable-case-aktualisieren/
Tim Düsterhus [Thu, 12 Jan 2023 13:11:33 +0000 (14:11 +0100)]
Detect reused dialogIds in Form/Builder/Dialog.ts
see https://www.woltlab.com/community/thread/298580-uncaught-error-form-has-not-been-requested-yet/
Tim Düsterhus [Wed, 11 Jan 2023 14:55:01 +0000 (15:55 +0100)]
Fix incorrect use of `this` references in Dom/Util
This breaks if single functions are imported.
Tim Düsterhus [Wed, 11 Jan 2023 13:22:30 +0000 (14:22 +0100)]
Add `rel="nofollow"` to missed login link
This was noticed while resolving the merge conflicts when merging from 5.5 to
master.
see
fa0b20e855dbf01ebf3e4ac54c12a0507dcb993f
Tim Düsterhus [Wed, 11 Jan 2023 13:16:05 +0000 (14:16 +0100)]
Merge pull request #5221 from WoltLab/login-no-follow
Mark login links as `rel="nofollow"`
Tim Düsterhus [Wed, 11 Jan 2023 12:37:35 +0000 (13:37 +0100)]
Remove questionable `@` in login.tpl
Tim Düsterhus [Wed, 11 Jan 2023 12:35:03 +0000 (13:35 +0100)]
Mark login links as `rel="nofollow"`
Resolves #5218
Marcel Werk [Thu, 15 Dec 2022 15:53:33 +0000 (16:53 +0100)]
Fix missing permission check
It was not considered whether the user has the permission to edit his profile.
Tim Düsterhus [Thu, 15 Dec 2022 14:03:05 +0000 (15:03 +0100)]
Merge pull request #5190 from WoltLab/php-ddl-foreign-key-drop
Fix dropping of misnamed foreign keys in PHP DDL
Tim Düsterhus [Thu, 15 Dec 2022 13:22:10 +0000 (14:22 +0100)]
Fix dropping of misnamed foreign keys in PHP DDL
Foreign keys are matched up by their `getDiffData()` which includes the column
list, referenced column list and referenced table, but does not include the name.
This effectively ensures that only a single foreign key exists for each
possible combination of source and target columns.
Dropping foreign keys however relies on the foreign key’s name being sent to
the database and this is currently broken when the foreign key name differs
from the expected name:
The misnamed key will be matched up, but the DROP query will send the expected
name, instead of the actual name.
Fix this by inserting the `$matchingExistingForeignKey` into the list of keys
to drop, which makes sense, because the existing key is what should be dropped
in the first place.