GitHub/WoltLab/WCF.git
2 years ago: Merge branch 'cronjobLogList-xss' into 3.1
Tim Düsterhus [Thu, 17 Mar 2022 13:12:25 +0000 (14:12 +0100)]
Merge branch 'cronjobLogList-xss' into 3.1

2 years ago: Fix XSS in the cronjob's error message in cronjobLogList
Tim Düsterhus [Thu, 17 Mar 2022 08:10:12 +0000 (09:10 +0100)]
Fix XSS in the cronjob's error message in cronjobLogList

This can happen if untrusted information, such as the HTTP response body for a
failed Guzzle request, is embedded into the error message.

Thanks to @SoftCreatR for responsibly reporting the issue.

2 years ago: Release 3.1.27 (tag: 3.1.27)
Alexander Ebert [Mon, 31 Jan 2022 16:24:44 +0000 (17:24 +0100)]
Release 3.1.27

2 years ago: Merge branch 'unknown-bbcode-xss' into 3.1
Tim Düsterhus [Mon, 31 Jan 2022 16:17:54 +0000 (17:17 +0100)]
Merge branch 'unknown-bbcode-xss' into 3.1

2 years ago: Fix XSS vulnerability in HtmlBBCodeParser::buildBBCodeTag()
Tim Düsterhus [Mon, 31 Jan 2022 13:18:17 +0000 (14:18 +0100)]
Fix XSS vulnerability in HtmlBBCodeParser::buildBBCodeTag()

Thanks to @methosiea for responsibly reporting this issue.

Resolves #4653

2 years ago: Release 3.1.26 (tag: 3.1.26)
Alexander Ebert [Fri, 21 Jan 2022 12:06:52 +0000 (13:06 +0100)]
Release 3.1.26

2 years ago: Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`
Tim Düsterhus [Thu, 20 Jan 2022 10:50:47 +0000 (11:50 +0100)]
Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`

This does not need to be fixed in any current branch, because the broken-ness
of `|encodeJSON` will result in broken metadata one way or another.

(cherry picked from commit bba7f1706e30761e55954a5a4be569e5bb55a6c4)

2 years ago: Stop using `|encodeJSON`
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`

(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)

2 years ago: Add `|json` template modifier
Tim Düsterhus [Thu, 20 Jan 2022 10:48:16 +0000 (11:48 +0100)]
Add `|json` template modifier

(cherry picked from commit e178fa84dc06861c5aba3d14e03161c5396fe9a7)

2 years ago: Release 3.1.25 (tag: 3.1.25)
Alexander Ebert [Wed, 19 Jan 2022 12:46:00 +0000 (13:46 +0100)]
Release 3.1.25

2 years ago: Merge branch 'encode-js-quot' into 3.1
Tim Düsterhus [Wed, 19 Jan 2022 12:27:40 +0000 (13:27 +0100)]
Merge branch 'encode-js-quot' into 3.1

2 years ago: Encode the double quote (`"`) in StringUtil::encodeJS()
Tim Düsterhus [Tue, 4 Jan 2022 10:50:50 +0000 (11:50 +0100)]
Encode the double quote (`"`) in StringUtil::encodeJS()

`encodeJSON()` is currently broken, because while it HTML-encodes the double
quote, it does not actually add the backslash in front of it. Depending on
whether the HTML entity is interpreted by the browser in that specific location
or not, this either results in an incorrect string (with a literal `&quot;`
instead of `"`) or in a syntax error (because the `"` ends the string
prematurely).

The latter might even allow for the injection of JavaScript, if `encodeJSON` is
used in a `<script>` tag that is not just LD-JSON metadata.

Fix this issue by escaping the double quote in `encodeJS` which is used
internally by `encodeJSON`. This should not cause issues, as an escaped double
quote is valid syntax within a JavaScript string.

2 years ago: Updating minified JavaScript files (tag: 3.1.24)
WoltLab [Tue, 30 Nov 2021 12:57:10 +0000 (12:57 +0000)]
Updating minified JavaScript files

2 years ago: Release 3.1.24
Alexander Ebert [Tue, 30 Nov 2021 10:01:51 +0000 (11:01 +0100)]
Release 3.1.24

3 years ago: Incorrect reset of the timer to show the loading indicator
Alexander Ebert [Wed, 10 Nov 2021 18:21:40 +0000 (19:21 +0100)]
Incorrect reset of the timer to show the loading indicator

The missing reset caused repeated calls to `show()` to be effectively ignored, because the check `_timeoutShow === null` would always be true if the callback had been cancelled before.

See https://community.woltlab.com/thread/293232-ajaxstatus-wird-nach-einem-fehlerhaften-request-nicht-wieder-angezeigt/

3 years ago: Merge pull request #4574 from WoltLab/supportexpiry-31
Tim Düsterhus [Tue, 2 Nov 2021 12:31:07 +0000 (13:31 +0100)]
Merge pull request #4574 from WoltLab/supportexpiry-31

Notify users of the expiring support

3 years ago: Notify users of the expiring support
Tim Düsterhus [Tue, 2 Nov 2021 11:11:50 +0000 (12:11 +0100)]
Notify users of the expiring support

This effectively is 14a6db14f1ac63da83098dc648288ae07df62e80 combined with
637c1ca28225918a1a07680b7759c02565cd4c50.

3 years ago: Fix EmailNewActivationCodeForm
Tim Düsterhus [Thu, 14 Oct 2021 13:10:10 +0000 (15:10 +0200)]
Fix EmailNewActivationCodeForm

This got broken, because it inherits from RegisterNewActivationForm and the “is
already enabled” validation was moved into a dedicated method within there. This
is a perfect example of why one should never inherit from controllers …

see f394421c0cc7e8879007092e40e540b2fd1118c1

3 years ago: Release 3.1.23 (tag: 3.1.23)
Alexander Ebert [Tue, 31 Aug 2021 10:32:33 +0000 (12:32 +0200)]
Release 3.1.23

3 years ago: Fix return type comment for AbstractDatabaseObjectAction::getSingleObject()
Tim Düsterhus [Thu, 26 Aug 2021 08:29:10 +0000 (10:29 +0200)]
Fix return type comment for AbstractDatabaseObjectAction::getSingleObject()

3 years ago: Updating minified JavaScript files
WoltLab [Tue, 24 Aug 2021 09:49:26 +0000 (09:49 +0000)]
Updating minified JavaScript files

3 years ago: Encode HTML in smileyTitle in Smiley::getHtml()
Tim Düsterhus [Fri, 23 Jul 2021 07:09:56 +0000 (09:09 +0200)]
Encode HTML in smileyTitle in Smiley::getHtml()

3 years ago: Don't leak an account's activation status (#4365)
Sascha Greuel [Sun, 11 Jul 2021 08:24:24 +0000 (10:24 +0200)]
Don't leak an account's activation status (#4365)

* Don't leak an account's activation status

* Update wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php

Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>

3 years ago: Remove duplicate `class` attribute in cacheList.tpl
Tim Düsterhus [Tue, 6 Jul 2021 07:32:45 +0000 (09:32 +0200)]
Remove duplicate `class` attribute in cacheList.tpl

3 years ago: Fix typo in de.xml
Tim Düsterhus [Mon, 5 Jul 2021 07:53:22 +0000 (09:53 +0200)]
Fix typo in de.xml

Closes #4366

Co-authored-by: Sascha Greuel <sascha@softcreatr.de>

3 years ago: Use “Moderation” instead of “Moderatoren” in de.xml
Tim Düsterhus [Wed, 23 Jun 2021 07:37:13 +0000 (09:37 +0200)]
Use “Moderation” instead of “Moderatoren” in de.xml

3 years ago: Set 'accept-encoding: identity' by default in HTTPRequest
Tim Düsterhus [Fri, 18 Jun 2021 13:44:21 +0000 (15:44 +0200)]
Set 'accept-encoding: identity' by default in HTTPRequest

RFC 7231#5.3.4 allows a server to use an arbitrary 'content-encoding' when no
'accept-encoding' request header is sent.

Make it clear that no 'content-encoding' is acceptable by only accepting the
'identity' encoding.

3 years ago: Fix 'to its full extent' in en.xml
Tim Düsterhus [Thu, 17 Jun 2021 12:41:10 +0000 (14:41 +0200)]
Fix 'to its full extent' in en.xml

3 years ago: Merge pull request #4209 from WoltLab/comment_moderation_queue
Matthias Schmidt [Wed, 12 May 2021 07:33:29 +0000 (09:33 +0200)]
Merge pull request #4209 from WoltLab/comment_moderation_queue

Delete moderation queue entries after deleting comments/comment responses

3 years ago: Delete moderation queue entries after deleting comments/comment responses
Matthias Schmidt [Tue, 11 May 2021 17:13:21 +0000 (19:13 +0200)]
Delete moderation queue entries after deleting comments/comment responses

Close #4208

3 years ago: Add missing `$definitionName` value for comment response moderation queue handlers
Matthias Schmidt [Tue, 11 May 2021 17:11:03 +0000 (19:11 +0200)]
Add missing `$definitionName` value for comment response moderation queue handlers

3 years ago: Fix ignoring the disable state of an article category
joshuaruesweg [Tue, 11 May 2021 10:52:07 +0000 (12:52 +0200)]
Fix ignoring the disable state of an article category

Deactivated categories are currently only hidden in the overview of categories in the frontend. However, articles in these categories (and the category itself, via the direct link) were still accessible. This patch solves the problem by hiding the category for all users and making articles and the category itself no longer accessible for any user.

3 years ago: Reset language form field in language import form after saving
Matthias Schmidt [Thu, 6 May 2021 11:59:21 +0000 (13:59 +0200)]
Reset language form field in language import form after saving

3 years ago: Fix detection of nested tables in messages
Matthias Schmidt [Mon, 3 May 2021 10:29:48 +0000 (12:29 +0200)]
Fix detection of nested tables in messages

Close #4175

3 years ago: Fix table borders when cells with `rowspan` are visually in the last row (#4176)
Matthias Schmidt [Mon, 3 May 2021 10:27:17 +0000 (12:27 +0200)]
Fix table borders when cells with `rowspan` are visually in the last row (#4176)

See https://community.woltlab.com/thread/289598

3 years ago: Merge pull request #4143 from WoltLab/3.1-fix-sitemap
Tim Düsterhus [Fri, 23 Apr 2021 13:27:25 +0000 (15:27 +0200)]
Merge pull request #4143 from WoltLab/3.1-fix-sitemap

Fix generating sitemaps with factor 250 objects sitemaps

3 years ago: Fix generating sitemaps with factor 250 objects
joshuaruesweg [Fri, 23 Apr 2021 09:32:26 +0000 (11:32 +0200)]
Fix generating sitemaps with factor 250 objects

3 years ago: Update the number of responses that will be loaded
Alexander Ebert [Sat, 17 Apr 2021 10:00:01 +0000 (12:00 +0200)]
Update the number of responses that will be loaded

3 years ago: Release 3.1.22 (tag: 3.1.22)
Alexander Ebert [Wed, 14 Apr 2021 11:20:59 +0000 (13:20 +0200)]
Release 3.1.22

3 years ago: Add missing permissions check when removing moderated content
Matthias Schmidt [Tue, 13 Apr 2021 11:13:38 +0000 (13:13 +0200)]
Add missing permissions check when removing moderated content

3 years ago: Updated Google's address in the privacy policy
Marcel Werk [Mon, 12 Apr 2021 14:59:49 +0000 (16:59 +0200)]
Updated Google's address in the privacy policy

3 years ago: Reset the assignment cache on group deletion
Alexander Ebert [Mon, 12 Apr 2021 09:36:26 +0000 (11:36 +0200)]
Reset the assignment cache on group deletion

Fixes #4045

3 years ago: Update the user rank after users change their profile
Marcel Werk [Mon, 29 Mar 2021 16:23:50 +0000 (18:23 +0200)]
Update the user rank after users change their profile

3 years ago: Strip rtl override char
Marcel Werk [Sun, 28 Mar 2021 09:37:09 +0000 (11:37 +0200)]
Strip rtl override char

3 years ago: Release 3.1.21 (tag: 3.1.21)
Alexander Ebert [Wed, 3 Mar 2021 09:18:54 +0000 (10:18 +0100)]
Release 3.1.21

3 years ago: Merge branch '3.0' into 3.1
Alexander Ebert [Wed, 3 Mar 2021 09:14:28 +0000 (10:14 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Add missing permission check to ModerationQueueAction::validateAssignUser() (tags: 3.0.27, 3.0.final)
Tim Düsterhus [Tue, 2 Mar 2021 08:38:51 +0000 (09:38 +0100)]
Add missing permission check to ModerationQueueAction::validateAssignUser()

This only affected registered users. Guests never could trigger this action,
because it is not listed in `$allowGuestAccess`.

3 years ago: Merge branch '3.0' into 3.1
Tim Düsterhus [Mon, 1 Mar 2021 16:07:24 +0000 (17:07 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Release 3.0.27
Tim Düsterhus [Mon, 1 Mar 2021 16:01:25 +0000 (17:01 +0100)]
Release 3.0.27

3 years ago: Adjust upgrade notice
Tim Düsterhus [Mon, 1 Mar 2021 15:59:43 +0000 (16:59 +0100)]
Adjust upgrade notice

see f4a8700ae34fa3120576c5ab4e2096f514cffdc5
see 14a6db14f1ac63da83098dc648288ae07df62e80

3 years ago: Add upgrade instructions for 2.1.24 pl 3
Tim Düsterhus [Mon, 1 Mar 2021 15:55:23 +0000 (16:55 +0100)]
Add upgrade instructions for 2.1.24 pl 3

3 years ago: Match all prefixes for store.woltlab.com in PackageAction::validateSearchForPurchased...
Tim Düsterhus [Tue, 23 Feb 2021 08:46:31 +0000 (09:46 +0100)]
Match all prefixes for store.woltlab.com in PackageAction::validateSearchForPurchasedItems()

see #3910

3 years ago: Merge branch '3.0' into 3.1
Tim Düsterhus [Tue, 16 Feb 2021 11:38:24 +0000 (12:38 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Merge pull request #3997 from WoltLab/major-upgrade-no-upload
Tim Düsterhus [Tue, 16 Feb 2021 11:37:59 +0000 (12:37 +0100)]
Merge pull request #3997 from WoltLab/major-upgrade-no-upload

Reject major com.woltlab.wcf upgrades via package upload

3 years ago: Reject major com.woltlab.wcf upgrades via package upload
Tim Düsterhus [Tue, 16 Feb 2021 11:11:21 +0000 (12:11 +0100)]
Reject major com.woltlab.wcf upgrades via package upload

3 years ago: Merge branch '3.0' into 3.1
Tim Düsterhus [Wed, 3 Feb 2021 09:06:19 +0000 (10:06 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Fix typo in phrases
Tim Düsterhus [Wed, 3 Feb 2021 08:18:31 +0000 (09:18 +0100)]
Fix typo in phrases

3 years ago: Release 3.1.20 (tag: 3.1.20)
Alexander Ebert [Mon, 1 Feb 2021 11:56:07 +0000 (12:56 +0100)]
Release 3.1.20

3 years ago: Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:55:02 +0000 (12:55 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Release 3.0.26 (tag: 3.0.26)
Alexander Ebert [Mon, 1 Feb 2021 11:50:17 +0000 (12:50 +0100)]
Release 3.0.26

3 years ago: Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:47:24 +0000 (12:47 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Missing check for accessible user groups
Alexander Ebert [Mon, 1 Feb 2021 11:47:09 +0000 (12:47 +0100)]
Missing check for accessible user groups

3 years ago: Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:38:59 +0000 (12:38 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Notify users of the expiring support
Alexander Ebert [Mon, 1 Feb 2021 11:38:49 +0000 (12:38 +0100)]
Notify users of the expiring support

3 years ago: Merge branch '3.0' into 3.1
Alexander Ebert [Mon, 1 Feb 2021 11:38:11 +0000 (12:38 +0100)]
Merge branch '3.0' into 3.1

3 years ago: Ignore top-level node_modules/
Tim Düsterhus [Fri, 16 Oct 2020 11:57:29 +0000 (13:57 +0200)]
Ignore top-level node_modules/

3 years ago: Release 3.1.19 (tag: 3.1.19)
Alexander Ebert [Fri, 29 Jan 2021 13:44:59 +0000 (14:44 +0100)]
Release 3.1.19

3 years ago: Updating minified JavaScript files
WoltLab [Fri, 29 Jan 2021 13:38:27 +0000 (13:38 +0000)]
Updating minified JavaScript files

3 years ago: Fix converting float value to integer
joshuaruesweg [Fri, 29 Jan 2021 12:30:56 +0000 (13:30 +0100)]
Fix converting float value to integer

3 years ago: Permissions for media were not saved correctly
Marcel Werk [Mon, 18 Jan 2021 15:19:25 +0000 (16:19 +0100)]
Permissions for media were not saved correctly

3 years ago: Set explicit value for invalid select options
joshuaruesweg [Fri, 15 Jan 2021 12:45:59 +0000 (13:45 +0100)]
Set explicit value for invalid select options

3 years ago: Merge pull request #3844 from WoltLab/fix-failing-cronjobs
Joshua Rüsweg [Wed, 6 Jan 2021 15:38:31 +0000 (16:38 +0100)]
Merge pull request #3844 from WoltLab/fix-failing-cronjobs

Fix failing cronjobs

3 years ago: fixup! Disable disabling of failed system cronjobs Fixes #3841
joshuaruesweg [Sun, 3 Jan 2021 16:10:32 +0000 (17:10 +0100)]
fixup! Disable disabling of failed system cronjobs Fixes #3841

3 years ago: Disable disabling of failed system cronjobs
joshuaruesweg [Sat, 2 Jan 2021 15:10:37 +0000 (16:10 +0100)]
Disable disabling of failed system cronjobs
Fixes #3841

3 years ago: Prevent failing cronjobs from blocking other cronjobs by executing them last
joshuaruesweg [Sat, 2 Jan 2021 15:06:56 +0000 (16:06 +0100)]
Prevent failing cronjobs from blocking other cronjobs by executing them last

3 years ago: Force the use of the attachment thumbnail if the original is inaccessible
Alexander Ebert [Mon, 7 Dec 2020 19:58:02 +0000 (20:58 +0100)]
Force the use of the attachment thumbnail if the original is inaccessible

3 years ago: Incorrect version comparison for accessible packages
Alexander Ebert [Tue, 1 Dec 2020 12:32:47 +0000 (13:32 +0100)]
Incorrect version comparison for accessible packages

3 years ago: Release 3.1.18 (tag: 3.1.18)
Alexander Ebert [Mon, 23 Nov 2020 13:29:11 +0000 (14:29 +0100)]
Release 3.1.18

4 years ago: Merge pull request #3744 from Krymonota/patch-18
Alexander Ebert [Sun, 22 Nov 2020 16:58:44 +0000 (17:58 +0100)]
Merge pull request #3744 from Krymonota/patch-18

Add missing JSDoc to `EmailSmtpTest`

4 years ago: Add missing JSDoc to `EmailSmtpTest`
Niklas [Sat, 21 Nov 2020 18:39:56 +0000 (19:39 +0100)]
Add missing JSDoc to `EmailSmtpTest`

4 years ago: Updating minified JavaScript files
WoltLab [Fri, 20 Nov 2020 18:06:23 +0000 (18:06 +0000)]
Updating minified JavaScript files

4 years ago: Workaround for a Chromium bug on Windows
Alexander Ebert [Fri, 20 Nov 2020 17:39:33 +0000 (18:39 +0100)]
Workaround for a Chromium bug on Windows

4 years ago: Mutable variable access inside a callback
Alexander Ebert [Wed, 18 Nov 2020 19:00:04 +0000 (20:00 +0100)]
Mutable variable access inside a callback

4 years ago: Fix ACL buttons when editing media files successively
Matthias Schmidt [Wed, 18 Nov 2020 16:32:21 +0000 (17:32 +0100)]
Fix ACL buttons when editing media files successively

Replaces 3a7740a3704339c79d08fd2f5094fa1a1973318b by backporting and using parts of 6ee58cd2865980cd7fa16a1f3ebc660131fc7fd6.

4 years ago: Revert "Fix ACL buttons when editing media files successively"
Matthias Schmidt [Wed, 18 Nov 2020 16:26:26 +0000 (17:26 +0100)]
Revert "Fix ACL buttons when editing media files successively"

This reverts commit 3a7740a3704339c79d08fd2f5094fa1a1973318b.

4 years ago: Fix ACL buttons when editing media files successively
Matthias Schmidt [Wed, 18 Nov 2020 16:24:30 +0000 (17:24 +0100)]
Fix ACL buttons when editing media files successively

4 years ago: Fix BBCodeHandler::setDisallowedBBCodes(...) PHPDoc (#3722)
Niklas [Thu, 12 Nov 2020 08:16:32 +0000 (09:16 +0100)]
Fix BBCodeHandler::setDisallowedBBCodes(...) PHPDoc (#3722)

4 years ago: Obsolete exclusion of the old ACP captcha
Alexander Ebert [Sun, 8 Nov 2020 18:19:17 +0000 (19:19 +0100)]
Obsolete exclusion of the old ACP captcha

This route does not exist anymore since WoltLab Suite 3.0.

4 years ago: Block search keyword list if permissions for the search function are denied
Marcel Werk [Tue, 3 Nov 2020 18:41:31 +0000 (19:41 +0100)]
Block search keyword list if permissions for the search function are denied

Closes #3681

4 years ago: Fix de.xml
Tim Düsterhus [Tue, 3 Nov 2020 13:30:18 +0000 (14:30 +0100)]
Fix de.xml

This fixes up commit 70746ece9789d3b2256495a788ae4875d01e95bc.

4 years ago: Fix typo in de.xml
Tim Düsterhus [Tue, 3 Nov 2020 13:26:13 +0000 (14:26 +0100)]
Fix typo in de.xml

4 years ago: Fix GDPR export if invalid user id is given
Matthias Schmidt [Mon, 2 Nov 2020 17:55:46 +0000 (18:55 +0100)]
Fix GDPR export if invalid user id is given

… and stop using deprecated method `UserProfile::getUserProfile()`.

4 years ago: Fix class name in UserRegistrationUtil::__construct() PHPDoc (#3652)
Niklas [Wed, 28 Oct 2020 08:46:10 +0000 (09:46 +0100)]
Fix class name in UserRegistrationUtil::__construct() PHPDoc (#3652)

4 years ago: Ignore top-level node_modules/
Tim Düsterhus [Fri, 16 Oct 2020 11:57:29 +0000 (13:57 +0200)]
Ignore top-level node_modules/

4 years ago: Use a literal string to avoid escaping
Alexander Ebert [Sun, 11 Oct 2020 11:41:20 +0000 (13:41 +0200)]
Use a literal string to avoid escaping

See #3595

4 years ago: Removed obsolete code
Marcel Werk [Sun, 4 Oct 2020 09:07:18 +0000 (11:07 +0200)]
Removed obsolete code

There is no article counter for users (wcf1_user.articles) in version 3.1.

4 years ago: Merge pull request #3585 from WoltLab/overdue-cronjob
Alexander Ebert [Thu, 1 Oct 2020 15:45:29 +0000 (17:45 +0200)]
Merge pull request #3585 from WoltLab/overdue-cronjob

Improved the wording of the cronjob error message

4 years ago: Improved readability
Alexander Ebert [Thu, 1 Oct 2020 15:45:10 +0000 (17:45 +0200)]
Improved readability

Co-authored-by: Matthias Schmidt <gravatronics@live.com>

4 years ago: Default value blocked saving of empty date fields
Marcel Werk [Thu, 1 Oct 2020 14:52:40 +0000 (16:52 +0200)]
Default value blocked saving of empty date fields

4 years ago: Incorrect parameter order
Alexander Ebert [Thu, 1 Oct 2020 14:41:22 +0000 (16:41 +0200)]
Incorrect parameter order

Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>