Alexander Ebert [Mon, 31 Jan 2022 16:32:20 +0000 (17:32 +0100)]
Merge branch '5.3' into 5.4
Alexander Ebert [Mon, 31 Jan 2022 16:30:49 +0000 (17:30 +0100)]
Release 5.3.19
Alexander Ebert [Mon, 31 Jan 2022 16:30:10 +0000 (17:30 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Mon, 31 Jan 2022 16:28:38 +0000 (17:28 +0100)]
Release 5.2.19
Alexander Ebert [Mon, 31 Jan 2022 16:27:54 +0000 (17:27 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Mon, 31 Jan 2022 16:24:44 +0000 (17:24 +0100)]
Release 3.1.27
Tim Düsterhus [Mon, 31 Jan 2022 16:21:49 +0000 (17:21 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Mon, 31 Jan 2022 16:18:38 +0000 (17:18 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Mon, 31 Jan 2022 16:18:14 +0000 (17:18 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Mon, 31 Jan 2022 16:17:54 +0000 (17:17 +0100)]
Merge branch 'unknown-bbcode-xss' into 3.1
Tim Düsterhus [Mon, 31 Jan 2022 13:18:17 +0000 (14:18 +0100)]
Fix XSS vulnerability in HtmlBBCodeParser::buildBBCodeTag()
Thanks to @methosiea for responsibly reporting this issue.
Resolves #4653
Tim Düsterhus [Mon, 31 Jan 2022 13:40:44 +0000 (14:40 +0100)]
Fix PHP 8.1.2 compatibility in DatabaseException
> Cannot access protected property PDOException::$code
Tim Düsterhus [Thu, 27 Jan 2022 13:09:56 +0000 (14:09 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 27 Jan 2022 13:01:33 +0000 (14:01 +0100)]
Fix regular expression for the `atext` production in EmailGrammar
Due to the missing escaping of the hyphen with a backslash the allowed
characters were not just:
- The plus sign (`+`, 0x2B),
- the dash (`-`, 0x2D), and
- the slash (`/`, 0x2F).
But all ASCII characters between 0x2B and 0x2F, namely:
- The plus sign (`+`, 0x2B),
- the comma (`,`, 0x2C),
- the dash (`-`, 0x2D),
- the dot (`.`, 0x2E), and
- the slash (`/`, 0x2F).
i.e. the comma and dot in addition to the actually allowed characters.
This error caused an incorrect encoding of headers in `::encodeHeader()`.
Specifically the real name of a mailbox was affected by this issue. As a result
a real name that included a dot, but otherwise matched the `atom` grammar was
improperly encoded, possibly causing email parsing failures for MUAs.
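The character-class range described in the commit message above, as an added example that is not part of the WoltLab code base. The two class bodies and the `format_display_name()` helper are constructed for illustration (the helper is a hypothetical stand-in, not `::encodeHeader()`), and the example handles ASCII names only.

```python
import re

# atext (RFC 5322, section 3.2.3) as regex character-class bodies, constructed
# for this example. BUGGY leaves the hyphen bare, so "+-/" is read as the
# range 0x2B..0x2F; FIXED escapes it so only "+", "-" and "/" are added.
BUGGY_CLASS = r"A-Za-z0-9!#$%&'*+-/=?^_`{|}~"
FIXED_CLASS = r"A-Za-z0-9!#$%&'*+\-/=?^_`{|}~"


def accepted_ascii(char_class):
    """Return the set of printable ASCII characters the class matches."""
    pattern = re.compile("[" + char_class + "]")
    return {chr(c) for c in range(0x20, 0x7F) if pattern.fullmatch(chr(c))}


def unintended_characters():
    """Characters only the buggy class accepts."""
    return sorted(accepted_ascii(BUGGY_CLASS) - accepted_ascii(FIXED_CLASS))


def format_display_name(name, char_class):
    """Hypothetical encoder for an ASCII real name: emit it bare when it is
    an atom, otherwise as a quoted-string with '"' and '\\' escaped."""
    if re.fullmatch("[" + char_class + "]+", name):
        return name
    return '"' + re.sub(r'(["\\])', r"\\\1", name) + '"'


if __name__ == "__main__":
    print("extra characters:", unintended_characters())
    for name in ("JohnDoe", "John.Doe", "Doe,John"):
        print(name, "->", format_display_name(name, BUGGY_CLASS),
              "|", format_display_name(name, FIXED_CLASS))
```

The same enumeration works as a regression check for any hand-written character class: compare the set it accepts against the set the grammar lists.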
joshuaruesweg [Tue, 25 Jan 2022 09:33:41 +0000 (10:33 +0100)]
Fix poll management within the form builder
Fixes #4648
Joshua Rüsweg [Mon, 24 Jan 2022 15:02:06 +0000 (16:02 +0100)]
Merge pull request #4647 from WoltLab/5.4-devtools-requirewcfvalidator
Validates whether the WCF was created as a requirement when saving a …
joshuaruesweg [Mon, 24 Jan 2022 12:45:42 +0000 (13:45 +0100)]
Validates whether the WCF was created as a requirement when saving a project
Tim Düsterhus [Mon, 24 Jan 2022 14:10:11 +0000 (15:10 +0100)]
Fix typo in de.xml
Tim Düsterhus [Fri, 21 Jan 2022 13:03:14 +0000 (14:03 +0100)]
Merge branch '5.3' into 5.4
Alexander Ebert [Fri, 21 Jan 2022 13:00:08 +0000 (14:00 +0100)]
Release 5.4.12
Alexander Ebert [Fri, 21 Jan 2022 12:58:37 +0000 (13:58 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Fri, 21 Jan 2022 12:53:33 +0000 (13:53 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Fri, 21 Jan 2022 12:50:28 +0000 (13:50 +0100)]
Remove codestyle workflow for non-PSR-12 branches
The recent backport of the `|json` template modifier from 5.5 to 3.1+ in
58bc4b693415079127dd11d8210d2564a443010d fails the code style, because the
branches 5.3 and earlier expect tabs instead of spaces for indentation.
It's not really worth fixing the code style for the file, just to revert it once
again when merging upwards.
Remove the check for these older branches. They are only touched for bug fixes
and the style will need to be adapted when merging into 5.4.
Alexander Ebert [Fri, 21 Jan 2022 12:48:46 +0000 (13:48 +0100)]
Release 5.3.18
Alexander Ebert [Fri, 21 Jan 2022 12:47:22 +0000 (13:47 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Fri, 21 Jan 2022 12:30:34 +0000 (13:30 +0100)]
Release 5.2.18
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Alexander Ebert [Fri, 21 Jan 2022 12:27:41 +0000 (13:27 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Fri, 21 Jan 2022 12:06:52 +0000 (13:06 +0100)]
Release 3.1.26
Tim Düsterhus [Thu, 20 Jan 2022 10:50:47 +0000 (11:50 +0100)]
Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`
This does not need to be fixed in any current branch, because the broken-ness
of `|encodeJSON` will result in broken metadata one way or another.
(cherry picked from commit bba7f1706e30761e55954a5a4be569e5bb55a6c4)
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Tim Düsterhus [Thu, 20 Jan 2022 10:48:16 +0000 (11:48 +0100)]
Add `|json` template modifier
(cherry picked from commit e178fa84dc06861c5aba3d14e03161c5396fe9a7)
Tim Düsterhus [Fri, 21 Jan 2022 08:28:01 +0000 (09:28 +0100)]
Move `@types/*` npm dependencies into the non-dev section
This is required for them to be detected in downstream consumers.
Alexander Ebert [Thu, 20 Jan 2022 18:06:46 +0000 (19:06 +0100)]
Release 5.4.12 dev 1
Tim Düsterhus [Thu, 20 Jan 2022 10:50:47 +0000 (11:50 +0100)]
Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`
This does not need to be fixed in any current branch, because the broken-ness
of `|encodeJSON` will result in broken metadata one way or another.
(cherry picked from commit bba7f1706e30761e55954a5a4be569e5bb55a6c4)
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Tim Düsterhus [Thu, 20 Jan 2022 10:48:16 +0000 (11:48 +0100)]
Add `|json` template modifier
(cherry picked from commit e178fa84dc06861c5aba3d14e03161c5396fe9a7)
Alexander Ebert [Wed, 19 Jan 2022 13:26:02 +0000 (14:26 +0100)]
Release 5.4.11
Alexander Ebert [Wed, 19 Jan 2022 13:18:27 +0000 (14:18 +0100)]
Merge branch '5.3' into 5.4
Alexander Ebert [Wed, 19 Jan 2022 13:10:10 +0000 (14:10 +0100)]
Release 5.3.17
Alexander Ebert [Wed, 19 Jan 2022 13:00:57 +0000 (14:00 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Wed, 19 Jan 2022 12:55:01 +0000 (13:55 +0100)]
Release 5.2.17
Alexander Ebert [Wed, 19 Jan 2022 12:50:25 +0000 (13:50 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Wed, 19 Jan 2022 12:46:00 +0000 (13:46 +0100)]
Release 3.1.25
Tim Düsterhus [Wed, 19 Jan 2022 12:38:26 +0000 (13:38 +0100)]
Consistently escape backslashes in StringUtil
This is not a functional change, this is just for consistency within the PHP
code, so that each backslash is properly escaped as `\\`.
Tim Düsterhus [Wed, 19 Jan 2022 12:31:58 +0000 (13:31 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Wed, 19 Jan 2022 12:29:21 +0000 (13:29 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Wed, 19 Jan 2022 12:29:10 +0000 (13:29 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Wed, 19 Jan 2022 12:27:40 +0000 (13:27 +0100)]
Merge branch 'encode-js-quot' into 3.1
Tim Düsterhus [Wed, 19 Jan 2022 08:50:39 +0000 (09:50 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Wed, 19 Jan 2022 08:48:30 +0000 (09:48 +0100)]
Merge pull request #4642 from WoltLab/php-ddl-app-install
Fix the replacing of WCF_N in PHP DDL during app installation
Tim Düsterhus [Tue, 18 Jan 2022 11:36:04 +0000 (12:36 +0100)]
Fix the replacing of WCF_N in PHP DDL during app installation
During app installation the newly installed app might not yet be stored within
the application cache, thus failing to replace the `1` within the table
structure definition.
Fix this by setting the `skipCache` parameter to `true`. This will increase the
number of database queries, because applications will be checked once for each
defined table and for each defined FOREIGN KEY, but I don't see a simple fix
for this issue that avoids this increase in query count. Specifically we cannot
simply reset the application cache after inserting the application into
wcf1_application.
Marcel Werk [Mon, 17 Jan 2022 17:44:51 +0000 (18:44 +0100)]
When replacing media, the thumbnails were not reset
ref https://www.woltlab.com/community/thread/293960-fehlerhafte-thumbnails-nach-medien-ersetzung/
Tim Düsterhus [Mon, 17 Jan 2022 08:42:47 +0000 (09:42 +0100)]
Merge pull request #4638 from Krymonota/patch-20
Add `var_dump` to allowed enterprise functions
Niklas [Sun, 16 Jan 2022 16:23:16 +0000 (17:23 +0100)]
Add `var_dump` to allowed enterprise functions
Marcel Werk [Sun, 16 Jan 2022 14:03:11 +0000 (15:03 +0100)]
Error class wasn't shown in box conditions
Alexander Ebert [Thu, 13 Jan 2022 13:10:20 +0000 (14:10 +0100)]
Release 5.4.11 dev 1
WoltLab [Thu, 13 Jan 2022 12:33:37 +0000 (12:33 +0000)]
Updating minified JavaScript files
Marcel Werk [Tue, 11 Jan 2022 13:11:37 +0000 (14:11 +0100)]
Revert "Strip MariaDB replication version hack in MySQLDatabase::getVersion()"
This reverts commit bfa8d95d6f016efdedb943c1fe977d89de13406c.
Alexander Ebert [Mon, 10 Jan 2022 13:59:52 +0000 (14:59 +0100)]
Replace legacy HTML tags during paste
See https://www.woltlab.com/community/thread/293870-artikel-beim-ersten-abspeichern-b-statt-strong/
Marcel Werk [Mon, 10 Jan 2022 10:08:36 +0000 (11:08 +0100)]
Merge pull request #4629 from WoltLab/mariadb-version-hack
Strip MariaDB replication version hack in MySQLDatabase::getVersion()
Tim Düsterhus [Mon, 10 Jan 2022 10:04:39 +0000 (11:04 +0100)]
Update npm dependencies
Tim Düsterhus [Mon, 10 Jan 2022 09:47:49 +0000 (10:47 +0100)]
Strip MariaDB replication version hack in MySQLDatabase::getVersion()
Resolves #4626
Alexander Ebert [Sat, 8 Jan 2022 16:41:58 +0000 (17:41 +0100)]
Disallowing access to a CMS page now shows an error 403 instead of 404
Alexander Ebert [Sat, 8 Jan 2022 16:39:30 +0000 (17:39 +0100)]
Treat invalid timestamps as a missing date
Alexander Ebert [Sat, 8 Jan 2022 13:57:41 +0000 (14:57 +0100)]
Merge pull request #4627 from SoftCreatR/patch-3
Add size detection for WebP smileys
Sascha Greuel [Sat, 8 Jan 2022 08:27:38 +0000 (09:27 +0100)]
Added size detection for WebP smileys
Alexander Ebert [Fri, 7 Jan 2022 16:35:25 +0000 (17:35 +0100)]
Missing reset of the WebP flag for cover photos
Uploading a GIF after uploading a cover photo with a WebP variant caused the GIF to not show up.
See https://www.woltlab.com/community/thread/293665-gif-bilder-als-titelbild/
Alexander Ebert [Fri, 7 Jan 2022 16:12:36 +0000 (17:12 +0100)]
Incorrect handling of Shift+Enter inside code blocks
See https://www.woltlab.com/community/thread/293723-eingabetaste-erzeugt-weiteren-quellcode-bbcode/
Tim Düsterhus [Fri, 7 Jan 2022 13:52:02 +0000 (14:52 +0100)]
Merge pull request #4623 from WoltLab/php8.1-i18n-option
Fix PHP 8.1 compatibility when saving I18n options
Tim Düsterhus [Fri, 7 Jan 2022 08:54:19 +0000 (09:54 +0100)]
Default missing values to `''` in OptionHandler::validateOption()
This is required for PHP 8.1 compatibility of i18n options, as these are
handled separately using I18nHandler.
see b46c272b28ba84892534b31c641a6dd412bb0a1e
see 860e98cff580e299cbbd8cdb7eb50d0113b938cc
Tim Düsterhus [Fri, 7 Jan 2022 08:50:28 +0000 (09:50 +0100)]
Revert "Fix PHP 8.1 compatibility when saving I18n options"
During the discussion within the PR it was decided to opt for a different, less
invasive, fix, because the impact of this change is not really clear.
This reverts commit b46c272b28ba84892534b31c641a6dd412bb0a1e.
Alexander Ebert [Thu, 6 Jan 2022 19:20:12 +0000 (20:20 +0100)]
Nested tab menus were not preselected on load
See https://www.woltlab.com/community/thread/293819-subtab-direkt-aufrufen-geht-nicht/
Marcel Werk [Thu, 6 Jan 2022 17:11:09 +0000 (18:11 +0100)]
Merge branch '5.4' of https://github.com/WoltLab/WCF into 5.4
Marcel Werk [Thu, 6 Jan 2022 17:11:01 +0000 (18:11 +0100)]
signature_max_image_height caused incorrect size of avatars in quotes within signatures
Closes #4625
Alexander Ebert [Thu, 6 Jan 2022 17:08:45 +0000 (18:08 +0100)]
Filtering the user list by a user group discarded the optional columns
Fix for 9bc86ecf0bd32ed2615023bcf9ae398aafbb23fa
See https://www.woltlab.com/community/thread/293719-detailinfos-innerhalb-benutzergruppen-fehlen-im-acp-seit-update-woltlab-suite-5/
Tim Düsterhus [Thu, 6 Jan 2022 09:50:13 +0000 (10:50 +0100)]
Fix PHP 8.1 compatibility when saving I18n options
As I18n options are special-cased, they will not be provided in `rawValues`,
thus passing `null` to `->getData()`, which the option types are not prepared
to handle. Before PHP 8.1 this was implicitly treated as an empty string, with
the types introduced to native functions, e.g. `explode()` or `preg_replace()`
this will result in an error.
Tim Düsterhus [Tue, 4 Jan 2022 15:10:03 +0000 (16:10 +0100)]
Run prettier on `acp/style/**/*.scss`
Tim Düsterhus [Tue, 4 Jan 2022 10:50:50 +0000 (11:50 +0100)]
Encode the double quote (`"`) in StringUtil::encodeJS()
`encodeJSON()` is currently broken, because while it HTML-encodes the double
quote, it does not actually add the backslash in front of it. Depending on
whether the HTML entity is interpreted by the browser in that specific location
or not, this either results in an incorrect string (with a literal `&quot;`
instead of `"`) or in a syntax error (because the `"` ends the string
prematurely).
The latter might even allow for the injection of JavaScript, if `encodeJSON` is
used in a `<script>` tag that is not just LD-JSON metadata.
Fix this issue by escaping the double quote in `encodeJS` which is used
internally by `encodeJSON`. This should not cause issues, as an escaped double
quote is valid syntax within a JavaScript string.
Tim Düsterhus [Mon, 3 Jan 2022 14:40:24 +0000 (15:40 +0100)]
Merge pull request #4619 from WoltLab/recommend-smtp
Mark the SMTP email transport as recommended
Tim Düsterhus [Mon, 3 Jan 2022 09:21:52 +0000 (10:21 +0100)]
Mark the SMTP email transport as recommended
Marcel Werk [Tue, 28 Dec 2021 16:18:10 +0000 (17:18 +0100)]
Pasting in ItemList did not work
Tim Düsterhus [Thu, 23 Dec 2021 10:24:45 +0000 (11:24 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 23 Dec 2021 10:19:25 +0000 (11:19 +0100)]
Pass the file's basename to the validation regex in StyleEditor::export()
This fixes 84f62ddac1ba9894a9cbb8791085f7799f3760c8.
Alexander Ebert [Wed, 22 Dec 2021 16:26:57 +0000 (17:26 +0100)]
Release 5.4.10
Alexander Ebert [Wed, 22 Dec 2021 14:49:35 +0000 (15:49 +0100)]
Release 5.4.10 dev 2
Alexander Ebert [Wed, 22 Dec 2021 14:46:57 +0000 (15:46 +0100)]
Release 5.3.16
WoltLab [Wed, 22 Dec 2021 14:23:59 +0000 (14:23 +0000)]
Updating minified JavaScript files
Alexander Ebert [Wed, 22 Dec 2021 14:07:29 +0000 (15:07 +0100)]
Improper restore of navigation menu icons
Alexander Ebert [Mon, 20 Dec 2021 15:43:35 +0000 (16:43 +0100)]
Merge pull request #4610 from WoltLab/54-metacode-parse-attributes
Enforce a consistent return type
Alexander Ebert [Mon, 20 Dec 2021 15:10:27 +0000 (16:10 +0100)]
Enforce a consistent return type
The method was designed to always return an array. If the `\base64_code()` fails, it returned `false` instead, which was both unexpected and could fail in PHP 8.1 (autovivification on false, https://wiki.php.net/rfc/autovivification_false)
Alexander Ebert [Fri, 17 Dec 2021 16:38:41 +0000 (17:38 +0100)]
Release 5.4.10 dev 1
Tim Düsterhus [Fri, 17 Dec 2021 12:34:12 +0000 (13:34 +0100)]
Add `wcf.user.3rdparty.login.error.user_aborted` phrase
Tim Düsterhus [Fri, 17 Dec 2021 09:31:27 +0000 (10:31 +0100)]
Fix the include family of "functions" in stack trace sanitization
`include` et al are not actual functions, but language constructs. For this
reason they cannot be reflected, causing their arguments to show as
`[error_during_sanitization]`. Fix this by special casing them to not run the
sanitization, they do not contain sensitive arguments (apart from the path
which is redacted independently later).
WoltLab [Thu, 16 Dec 2021 18:09:39 +0000 (18:09 +0000)]
Updating minified JavaScript files
Alexander Ebert [Thu, 16 Dec 2021 18:08:23 +0000 (19:08 +0100)]
Selection changes on mobile were recognized as clicks
WoltLab [Thu, 16 Dec 2021 14:47:59 +0000 (14:47 +0000)]
Updating minified JavaScript files
joshuaruesweg [Wed, 15 Dec 2021 08:48:19 +0000 (09:48 +0100)]
Remove dot files from image export
Tim Düsterhus [Tue, 14 Dec 2021 10:24:35 +0000 (11:24 +0100)]
Remove obsolete imports
Tim Düsterhus [Tue, 14 Dec 2021 10:02:18 +0000 (11:02 +0100)]
Properly wrap Guzzle's ConnectException into FontDownloadFailed in FontManager