Tim Düsterhus [Thu, 17 Mar 2022 08:10:12 +0000 (09:10 +0100)]
Fix XSS in the cronjob's error message in cronjobLogList
This can happen if untrusted information, such as the HTTP response body for a
failed Guzzle request, is embedded into the error message.
Thanks to @SoftCreatR for responsibly reporting the issue.
Alexander Ebert [Mon, 31 Jan 2022 16:24:44 +0000 (17:24 +0100)]
Release 3.1.27
Tim Düsterhus [Mon, 31 Jan 2022 16:17:54 +0000 (17:17 +0100)]
Merge branch 'unknown-bbcode-xss' into 3.1
Tim Düsterhus [Mon, 31 Jan 2022 13:18:17 +0000 (14:18 +0100)]
Fix XSS vulnerability in HtmlBBCodeParser::buildBBCodeTag()
Thanks to @methosiea for responsibly reporting this issue.
Resolves #4653
Alexander Ebert [Fri, 21 Jan 2022 12:06:52 +0000 (13:06 +0100)]
Release 3.1.26
Tim Düsterhus [Thu, 20 Jan 2022 10:50:47 +0000 (11:50 +0100)]
Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`
This does not need to be fixed in any current branch, because the broken-ness
of `|encodeJSON` will result in broken metadata one way or another.
(cherry picked from commit bba7f1706e30761e55954a5a4be569e5bb55a6c4)
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Tim Düsterhus [Thu, 20 Jan 2022 10:48:16 +0000 (11:48 +0100)]
Add `|json` template modifier
(cherry picked from commit e178fa84dc06861c5aba3d14e03161c5396fe9a7)
Alexander Ebert [Wed, 19 Jan 2022 12:46:00 +0000 (13:46 +0100)]
Release 3.1.25
Tim Düsterhus [Wed, 19 Jan 2022 12:27:40 +0000 (13:27 +0100)]
Merge branch 'encode-js-quot' into 3.1
Tim Düsterhus [Tue, 4 Jan 2022 10:50:50 +0000 (11:50 +0100)]
Encode the double quote (`"`) in StringUtil::encodeJS()
`encodeJSON()` is currently broken, because while it HTML-encodes the double
quote, it does not actually add the backslash in front of it. Depending on
whether the HTML entity is interpreted by the browser in that specific location
or not, this either results in an incorrect string (with a literal `&quot;`
instead of `"`) or in a syntax error (because the `"` ends the string
prematurely).
The latter might even allow for the injection of JavaScript, if `encodeJSON` is
used in a `<script>` tag that is not just LD-JSON metadata.
Fix this issue by escaping the double quote in `encodeJS` which is used
internally by `encodeJSON`. This should not cause issues, as an escaped double
quote is valid syntax within a JavaScript string.
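The two contexts this commit message describes, as an added example in JavaScript that is not WoltLab's code: the shape of the broken and fixed encoders, the entity decoder, the sample string and all helper names are assumptions made for illustration.

```javascript
// Added example, not WoltLab's code: models the two contexts the commit
// message describes for a double quote that is HTML-encoded but never
// backslash-escaped, and contrasts it with the fixed encoding.

// Assumed shape of the broken encoder: every special gets a backslash except
// the double quote, which becomes an HTML entity instead.
function encodeJSBroken(str) {
  return str
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, "&quot;")
    .replace(/\n/g, "\\n");
}

// Fixed encoder: the double quote gets a backslash like the other specials.
function encodeJSFixed(str) {
  return str
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n");
}

// Attribute context helper: inside an HTML attribute the entity IS decoded
// to a real double quote before the JS parser ever sees the text.
function decodeEntities(html) {
  return html.replace(/&quot;/g, '"');
}

// Feed the encoded text to the JS parser as a double-quoted string literal
// and report whether it parses and what value it yields.
function parseAsStringLiteral(encoded) {
  try {
    return { ok: true, value: new Function('return "' + encoded + '";')() };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Context 1 (<script> block): the encoded text reaches the parser verbatim.
// Context 2 (HTML attribute): entities are decoded first.
function demo(encoder, input) {
  return {
    inScript: parseAsStringLiteral(encoder(input)),
    inAttribute: parseAsStringLiteral(decodeEntities(encoder(input))),
  };
}

// Constructed sample input containing a double quote.
const SAMPLE = 'He said "hi"';
```

With the broken encoder the `<script>` case yields the wrong string `He said &quot;hi&quot;` and the attribute case fails with a SyntaxError because the decoded quote ends the literal early; the fixed encoder yields `He said "hi"` in both.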
WoltLab [Tue, 30 Nov 2021 12:57:10 +0000 (12:57 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 30 Nov 2021 10:01:51 +0000 (11:01 +0100)]
Release 3.1.24
Alexander Ebert [Wed, 10 Nov 2021 18:21:40 +0000 (19:21 +0100)]
Incorrect reset of the timer to show the loading indicator
The missing reset caused repeated calls to `show()` being effectively ignored, because the check `_timeoutShow === null` would be always true if the callback was cancelled before.
See https://community.woltlab.com/thread/293232-ajaxstatus-wird-nach-einem-fehlerhaften-request-nicht-wieder-angezeigt/
Tim Düsterhus [Tue, 2 Nov 2021 12:31:07 +0000 (13:31 +0100)]
Merge pull request #4574 from WoltLab/supportexpiry-31
Notify users of the expiring support
Tim Düsterhus [Tue, 2 Nov 2021 11:11:50 +0000 (12:11 +0100)]
Tim Düsterhus [Thu, 14 Oct 2021 13:10:10 +0000 (15:10 +0200)]
Fix EmailNewActivationCodeForm
This got broken, because it inherits from RegisterNewActivationForm and the “is
already enabled” validation was moved into a dedicated method within there. This
is a perfect example of why one should never inherit from controllers …
see f394421c0cc7e8879007092e40e540b2fd1118c1
Alexander Ebert [Tue, 31 Aug 2021 10:32:33 +0000 (12:32 +0200)]
Release 3.1.23
Tim Düsterhus [Thu, 26 Aug 2021 08:29:10 +0000 (10:29 +0200)]
Fix return type comment for AbstractDatabaseObjectAction::getSingleObject()
WoltLab [Tue, 24 Aug 2021 09:49:26 +0000 (09:49 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Fri, 23 Jul 2021 07:09:56 +0000 (09:09 +0200)]
Encode HTML in smileyTitle in Smiley::getHtml()
Sascha Greuel [Sun, 11 Jul 2021 08:24:24 +0000 (10:24 +0200)]
Don't leak an account's activation status (#4365)
* Don't leak an account's activation status
* Update wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php
Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
Tim Düsterhus [Tue, 6 Jul 2021 07:32:45 +0000 (09:32 +0200)]
Remove duplicate `class` attribute in cacheList.tpl
Tim Düsterhus [Mon, 5 Jul 2021 07:53:22 +0000 (09:53 +0200)]
Fix typo in de.xml
Closes #4366
Co-authored-by: Sascha Greuel <sascha@softcreatr.de>
Tim Düsterhus [Wed, 23 Jun 2021 07:37:13 +0000 (09:37 +0200)]
Use “Moderation” instead of “Moderatoren” in de.xml
Tim Düsterhus [Fri, 18 Jun 2021 13:44:21 +0000 (15:44 +0200)]
Set 'accept-encoding: identity' by default in HTTPRequest
RFC 7231#5.3.4 allows a server to use an arbitrary 'content-encoding' when no
'accept-encoding' request header is sent.
Make it clear that no 'content-encoding' is acceptable by only accepting the
'identity' encoding.
Tim Düsterhus [Thu, 17 Jun 2021 12:41:10 +0000 (14:41 +0200)]
Fix 'to its full extent' in en.xml
Matthias Schmidt [Wed, 12 May 2021 07:33:29 +0000 (09:33 +0200)]
Merge pull request #4209 from WoltLab/comment_moderation_queue
Delete moderation queue entries after deleting comments/comment responses
Matthias Schmidt [Tue, 11 May 2021 17:13:21 +0000 (19:13 +0200)]
Delete moderation queue entries after deleting comments/comment responses
Close #4208
Matthias Schmidt [Tue, 11 May 2021 17:11:03 +0000 (19:11 +0200)]
Add missing `$definitionName` value for comment response moderation queue handlers
joshuaruesweg [Tue, 11 May 2021 10:52:07 +0000 (12:52 +0200)]
Fix ignoring the disable state of an article category
Deactivated categories are currently only hidden in the overview of categories in the frontend. However, articles in these categories (and the category itself, via the direct link) were still accessible. This patch solves the problem by hiding the category for all users and making articles and the category itself no longer accessible for any user.
Matthias Schmidt [Thu, 6 May 2021 11:59:21 +0000 (13:59 +0200)]
Reset language form field in language import form after saving
Matthias Schmidt [Mon, 3 May 2021 10:29:48 +0000 (12:29 +0200)]
Fix detection of nested tables in messages
Close #4175
Matthias Schmidt [Mon, 3 May 2021 10:27:17 +0000 (12:27 +0200)]
Fix table borders when cells with `rowspan` are visually in the last row (#4176)
See https://community.woltlab.com/thread/289598
Tim Düsterhus [Fri, 23 Apr 2021 13:27:25 +0000 (15:27 +0200)]
Merge pull request #4143 from WoltLab/3.1-fix-sitemap
Fix generating sitemaps with factor 250 objects sitemaps
joshuaruesweg [Fri, 23 Apr 2021 09:32:26 +0000 (11:32 +0200)]
Fix generating sitemaps with factor 250 objects
Alexander Ebert [Sat, 17 Apr 2021 10:00:01 +0000 (12:00 +0200)]
Update the number of responses that will be loaded
Alexander Ebert [Wed, 14 Apr 2021 11:20:59 +0000 (13:20 +0200)]
Release 3.1.22
Matthias Schmidt [Tue, 13 Apr 2021 11:13:38 +0000 (13:13 +0200)]
Add missing permissions check when removing moderated content
Marcel Werk [Mon, 12 Apr 2021 14:59:49 +0000 (16:59 +0200)]
Updated Google's address in the privacy policy
Alexander Ebert [Mon, 12 Apr 2021 09:36:26 +0000 (11:36 +0200)]
Reset the assignment cache on group deletion
Fixes #4045
Marcel Werk [Mon, 29 Mar 2021 16:23:50 +0000 (18:23 +0200)]
Update the user rank after users change their profile
Marcel Werk [Sun, 28 Mar 2021 09:37:09 +0000 (11:37 +0200)]
Strip rtl override char
Alexander Ebert [Wed, 3 Mar 2021 09:18:54 +0000 (10:18 +0100)]
Release 3.1.21
Alexander Ebert [Wed, 3 Mar 2021 09:14:28 +0000 (10:14 +0100)]
Merge branch '3.0' into 3.1
Tim Düsterhus [Tue, 2 Mar 2021 08:38:51 +0000 (09:38 +0100)]
Add missing permission check to ModerationQueueAction::validateAssignUser()
This only affected registered users. Guests never could trigger this action,
because it is not listed in `$allowGuestAccess`.
Tim Düsterhus [Mon, 1 Mar 2021 16:07:24 +0000 (17:07 +0100)]
Merge branch '3.0' into 3.1
Tim Düsterhus [Mon, 1 Mar 2021 16:01:25 +0000 (17:01 +0100)]
Release 3.0.27
Tim Düsterhus [Mon, 1 Mar 2021 15:59:43 +0000 (16:59 +0100)]
Tim Düsterhus [Mon, 1 Mar 2021 15:55:23 +0000 (16:55 +0100)]
Add upgrade instructions for 2.1.24 pl 3
Tim Düsterhus [Tue, 23 Feb 2021 08:46:31 +0000 (09:46 +0100)]
Match all prefixes for store.woltlab.com in PackageAction::validateSearchForPurchasedItems()
see #3910
Tim Düsterhus [Tue, 16 Feb 2021 11:38:24 +0000 (12:38 +0100)]
Merge branch '3.0' into 3.1
Tim Düsterhus [Tue, 16 Feb 2021 11:37:59 +0000 (12:37 +0100)]
Merge pull request #3997 from WoltLab/major-upgrade-no-upload
Reject major com.woltlab.wcf upgrades via package upload
Tim Düsterhus [Tue, 16 Feb 2021 11:11:21 +0000 (12:11 +0100)]
Reject major com.woltlab.wcf upgrades via package upload
Tim Düsterhus [Wed, 3 Feb 2021 09:06:19 +0000 (10:06 +0100)]
Merge branch '3.0' into 3.1
Tim Düsterhus [Wed, 3 Feb 2021 08:18:31 +0000 (09:18 +0100)]
Fix typo in phrases
Alexander Ebert [Mon, 1 Feb 2021 11:56:07 +0000 (12:56 +0100)]
Release 3.1.20
Alexander Ebert [Mon, 1 Feb 2021 11:55:02 +0000 (12:55 +0100)]
Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:50:17 +0000 (12:50 +0100)]
Release 3.0.26
Alexander Ebert [Mon, 1 Feb 2021 11:47:24 +0000 (12:47 +0100)]
Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:47:09 +0000 (12:47 +0100)]
Missing check for accessible user groups
Alexander Ebert [Mon, 1 Feb 2021 11:38:59 +0000 (12:38 +0100)]
Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:38:49 +0000 (12:38 +0100)]
Notify users of the expiring support
Alexander Ebert [Mon, 1 Feb 2021 11:38:11 +0000 (12:38 +0100)]
Merge branch '3.0' into 3.1
Tim Düsterhus [Fri, 16 Oct 2020 11:57:29 +0000 (13:57 +0200)]
Ignore top-level node_modules/
Alexander Ebert [Fri, 29 Jan 2021 13:44:59 +0000 (14:44 +0100)]
Release 3.1.19
WoltLab [Fri, 29 Jan 2021 13:38:27 +0000 (13:38 +0000)]
Updating minified JavaScript files
joshuaruesweg [Fri, 29 Jan 2021 12:30:56 +0000 (13:30 +0100)]
Fix converting float value to integer
Marcel Werk [Mon, 18 Jan 2021 15:19:25 +0000 (16:19 +0100)]
Permissions for media were not saved correctly
joshuaruesweg [Fri, 15 Jan 2021 12:45:59 +0000 (13:45 +0100)]
Set explicit value for invalid select options
Joshua Rüsweg [Wed, 6 Jan 2021 15:38:31 +0000 (16:38 +0100)]
Merge pull request #3844 from WoltLab/fix-failing-cronjobs
Fix failing cronjobs
joshuaruesweg [Sun, 3 Jan 2021 16:10:32 +0000 (17:10 +0100)]
fixup! Disable disabling of failed system cronjobs Fixes #3841
joshuaruesweg [Sat, 2 Jan 2021 15:10:37 +0000 (16:10 +0100)]
Disable disabling of failed system cronjobs
Fixes #3841
joshuaruesweg [Sat, 2 Jan 2021 15:06:56 +0000 (16:06 +0100)]
Prevent failing cronjobs from blocking other cronjobs by executing them last
Alexander Ebert [Mon, 7 Dec 2020 19:58:02 +0000 (20:58 +0100)]
Force the use of the attachment thumbnail if the original is inaccessible
Alexander Ebert [Tue, 1 Dec 2020 12:32:47 +0000 (13:32 +0100)]
Incorrect version comparison for accessible packages
Alexander Ebert [Mon, 23 Nov 2020 13:29:11 +0000 (14:29 +0100)]
Release 3.1.18
Alexander Ebert [Sun, 22 Nov 2020 16:58:44 +0000 (17:58 +0100)]
Merge pull request #3744 from Krymonota/patch-18
Add missing JSDoc to `EmailSmtpTest`
Niklas [Sat, 21 Nov 2020 18:39:56 +0000 (19:39 +0100)]
Add missing JSDoc to `EmailSmtpTest`
WoltLab [Fri, 20 Nov 2020 18:06:23 +0000 (18:06 +0000)]
Updating minified JavaScript files
Alexander Ebert [Fri, 20 Nov 2020 17:39:33 +0000 (18:39 +0100)]
Workaround for a Chromium bug on Windows
Alexander Ebert [Wed, 18 Nov 2020 19:00:04 +0000 (20:00 +0100)]
Mutable variable access inside a callback
Matthias Schmidt [Wed, 18 Nov 2020 16:32:21 +0000 (17:32 +0100)]
Fix ACL buttons when editing media files successively
Replaces 3a7740a3704339c79d08fd2f5094fa1a1973318b by backporting and using parts of 6ee58cd2865980cd7fa16a1f3ebc660131fc7fd6.
Matthias Schmidt [Wed, 18 Nov 2020 16:26:26 +0000 (17:26 +0100)]
Revert "Fix ACL buttons when editing media files successively"
This reverts commit 3a7740a3704339c79d08fd2f5094fa1a1973318b.
Matthias Schmidt [Wed, 18 Nov 2020 16:24:30 +0000 (17:24 +0100)]
Fix ACL buttons when editing media files successively
Niklas [Thu, 12 Nov 2020 08:16:32 +0000 (09:16 +0100)]
Fix BBCodeHandler::setDisallowedBBCodes(...) PHPDoc (#3722)
Alexander Ebert [Sun, 8 Nov 2020 18:19:17 +0000 (19:19 +0100)]
Obsolete exclusion of the old ACP captcha
This route does not exist anymore since WoltLab Suite 3.0.
Marcel Werk [Tue, 3 Nov 2020 18:41:31 +0000 (19:41 +0100)]
Block search keyword list if permissions for the search function are denied
Closes #3681
Tim Düsterhus [Tue, 3 Nov 2020 13:30:18 +0000 (14:30 +0100)]
Tim Düsterhus [Tue, 3 Nov 2020 13:26:13 +0000 (14:26 +0100)]
Fix typo in de.xml
Matthias Schmidt [Mon, 2 Nov 2020 17:55:46 +0000 (18:55 +0100)]
Fix GDPR export if invalid user id is given
… and stop using deprecated method `UserProfile::getUserProfile()`.
Niklas [Wed, 28 Oct 2020 08:46:10 +0000 (09:46 +0100)]
Fix class name in UserRegistrationUtil::__construct() PHPDoc (#3652)
Tim Düsterhus [Fri, 16 Oct 2020 11:57:29 +0000 (13:57 +0200)]
Ignore top-level node_modules/
Alexander Ebert [Sun, 11 Oct 2020 11:41:20 +0000 (13:41 +0200)]
Use a literal string to avoid escaping
See #3595
Marcel Werk [Sun, 4 Oct 2020 09:07:18 +0000 (11:07 +0200)]
Removed obsolete code
There is no article counter for users (wcf1_user.articles) in version 3.1.
Alexander Ebert [Thu, 1 Oct 2020 15:45:29 +0000 (17:45 +0200)]
Merge pull request #3585 from WoltLab/overdue-cronjob
Improved the wording of the cronjob error message
Alexander Ebert [Thu, 1 Oct 2020 15:45:10 +0000 (17:45 +0200)]
Improved readability
Co-authored-by: Matthias Schmidt <gravatronics@live.com>
Marcel Werk [Thu, 1 Oct 2020 14:52:40 +0000 (16:52 +0200)]
Default value blocked saving of empty date fields
Alexander Ebert [Thu, 1 Oct 2020 14:41:22 +0000 (16:41 +0200)]
Incorrect parameter order
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
Alexander Ebert [Wed, 30 Sep 2020 18:39:39 +0000 (20:39 +0200)]
Improved the wording of the cronjob error message