Tim Düsterhus [Fri, 17 Feb 2023 12:57:39 +0000 (13:57 +0100)]
Drop obsolete update_com.woltlab.wcf_5.5.9_systemId.php
Tim Düsterhus [Fri, 17 Feb 2023 11:54:31 +0000 (12:54 +0100)]
Merge pull request #5307 from WoltLab/unfurl-language
Add `accept-language` header to Unfurling requests
Tim Düsterhus [Fri, 17 Feb 2023 11:24:38 +0000 (12:24 +0100)]
Add `accept-language` header to Unfurling requests
The default language is preferred, but any language is acceptable with a lower
priority.
see https://www.woltlab.com/community/thread/299002-imdb-english-embed-links-displaying-german-text/
Alexander Ebert [Fri, 17 Feb 2023 11:03:00 +0000 (12:03 +0100)]
Release 5.5.9
Alexander Ebert [Thu, 16 Feb 2023 11:32:03 +0000 (12:32 +0100)]
Release 5.5.9 dev 2
WoltLab [Thu, 16 Feb 2023 09:21:12 +0000 (09:21 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 14 Feb 2023 14:51:53 +0000 (15:51 +0100)]
Release 5.5.9 dev 1
Tim Düsterhus [Fri, 10 Feb 2023 08:58:20 +0000 (09:58 +0100)]
Update npm dependencies
Alexander Ebert [Mon, 6 Feb 2023 16:14:41 +0000 (17:14 +0100)]
Improve the vertical alignment in case no direction has enough space
See https://www.woltlab.com/community/thread/298831-l%C3%B6schen-in-der-mobilen-ansicht-nicht-sichtbar/
Alexander Ebert [Mon, 6 Feb 2023 15:22:55 +0000 (16:22 +0100)]
Prevent the Instagram iframe from overlapping other elements
See https://www.woltlab.com/community/thread/298758-medienanbieter-instagram-%C3%BCberlappt-content/
Alexander Ebert [Mon, 6 Feb 2023 13:31:32 +0000 (14:31 +0100)]
Fix the replacement of the encoded apostrophe
See https://www.woltlab.com/community/thread/298815-desktopbenachrichtigungen-stellen-apostroph-nicht-korrekt-dar/
Alexander Ebert [Mon, 6 Feb 2023 13:25:16 +0000 (14:25 +0100)]
Enforce the minimum height of filtered checkbox lists dynamically
See https://www.woltlab.com/community/thread/298850-mulitselect-felder-werden-gr%C3%B6%C3%9Fer-angezeigt-als-notwendig-nach-update-auf-5-5/
Tim Düsterhus [Tue, 31 Jan 2023 11:02:29 +0000 (12:02 +0100)]
Merge pull request #5262 from WoltLab/avatar-extension-validation
Validate the avatar mime type against the extension list
Tim Düsterhus [Tue, 31 Jan 2023 08:50:36 +0000 (09:50 +0100)]
Add safety abort in UserAvatarEditor::createAvatarVariant() for WebP originals
Tim Düsterhus [Tue, 31 Jan 2023 08:47:16 +0000 (09:47 +0100)]
Validate the avatar mime type against the extension list
see https://www.woltlab.com/community/thread/298731-avatar-upload-pr%C3%BCft-lediglich-dateiendnung-aber-nicht-das-format/
Tim Düsterhus [Tue, 24 Jan 2023 15:10:46 +0000 (16:10 +0100)]
Merge pull request #5240 from WoltLab/style-import-template-modification-time
Update template’s modification time when updated via style import
Tim Düsterhus [Tue, 24 Jan 2023 15:02:58 +0000 (16:02 +0100)]
Update template’s modification time when updated via style import
Fixes #5235
Tim Düsterhus [Mon, 23 Jan 2023 11:10:25 +0000 (12:10 +0100)]
Merge pull request #5231 from WoltLab/system-check-opcache
Check OPcache in SystemCheckPage
Tim Düsterhus [Fri, 20 Jan 2023 13:26:22 +0000 (14:26 +0100)]
Add update_com.woltlab.wcf_5.5.9_systemId.php
Tim Düsterhus [Fri, 20 Jan 2023 13:22:28 +0000 (14:22 +0100)]
Check OPcache in SystemCheckPage
Resolves #5230
Tim Düsterhus [Thu, 19 Jan 2023 13:26:57 +0000 (14:26 +0100)]
Merge branch '5.4' into 5.5
Alexander Ebert [Thu, 19 Jan 2023 13:24:53 +0000 (14:24 +0100)]
Release 5.5.8
Alexander Ebert [Thu, 19 Jan 2023 13:22:17 +0000 (14:22 +0100)]
Release 5.4.25
Alexander Ebert [Thu, 19 Jan 2023 13:21:54 +0000 (14:21 +0100)]
Merge branch '5.3' into 5.4
Alexander Ebert [Thu, 19 Jan 2023 13:19:31 +0000 (14:19 +0100)]
Release 5.3.26
Tim Düsterhus [Thu, 19 Jan 2023 13:17:02 +0000 (14:17 +0100)]
Merge branch '5.4' into 5.5
Tim Düsterhus [Thu, 19 Jan 2023 13:16:28 +0000 (14:16 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 19 Jan 2023 13:16:10 +0000 (14:16 +0100)]
Merge branch 'xss-activation' into 5.3
Tim Düsterhus [Tue, 17 Jan 2023 13:07:33 +0000 (14:07 +0100)]
Automatically detect HTTP codeblocks
Alexander Ebert [Mon, 16 Jan 2023 16:59:50 +0000 (17:59 +0100)]
Release 5.5.8 dev 1
WoltLab [Mon, 16 Jan 2023 16:20:19 +0000 (16:20 +0000)]
Updating minified JavaScript files
Alexander Ebert [Mon, 16 Jan 2023 16:05:50 +0000 (17:05 +0100)]
Use `ResizeObserverEntry.contentRect` in legacy browsers
Fixes #5187
Alexander Ebert [Mon, 16 Jan 2023 15:54:38 +0000 (16:54 +0100)]
Add `messageTableOfContents` and `quoteMetaCode` to the shared templates
See https://www.woltlab.com/community/thread/298400-artikelvorschau-bringt-eine-reihe-von-fehlermeldungen/
See https://www.woltlab.com/community/thread/298137-alle-anzeigen-aktualisieren-unable-to-find-template-quotemetacode/
Alexander Ebert [Mon, 16 Jan 2023 15:36:33 +0000 (16:36 +0100)]
Suppress empty style descriptions
See https://www.woltlab.com/community/thread/298369-stil-beschreibung-fehlt-sprachvariable-wird-angezeigt/
Alexander Ebert [Mon, 16 Jan 2023 15:14:55 +0000 (16:14 +0100)]
Suppress user activity events when articles have been disabled
See https://www.woltlab.com/community/thread/298375-letzte-aktivit%C3%A4ten-nach-modul-deaktivierung/
Tim Düsterhus [Mon, 16 Jan 2023 13:52:27 +0000 (14:52 +0100)]
Merge branch '5.4' into 5.5
Tim Düsterhus [Mon, 16 Jan 2023 13:51:47 +0000 (14:51 +0100)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Mon, 16 Jan 2023 13:48:54 +0000 (14:48 +0100)]
Remove questionable `@` in __singleMediaSelectionFormField.tpl
This looks like it is exploitable, because the value is not guaranteed to be an integer.
Tim Düsterhus [Mon, 16 Jan 2023 13:40:29 +0000 (14:40 +0100)]
Fix XSS vulnerability in registerActivation.tpl
This was introduced in
a477e3522933a7204b02013cd6b6d47d0db1d254 when the
activation logic was refactored to no longer use numeric-only activation codes.
Thanks to Chabik Hatim for responsibly reporting the vulnerability.
Tim Düsterhus [Mon, 16 Jan 2023 13:49:57 +0000 (14:49 +0100)]
Merge pull request #5225 from WoltLab/supportexpiry-53
Notify users of the expiring support (5.3)
Tim Düsterhus [Tue, 2 Nov 2021 11:11:50 +0000 (12:11 +0100)]
Notify users of the expiring support (5.3)
see #4574
Tim Düsterhus [Mon, 16 Jan 2023 09:50:32 +0000 (10:50 +0100)]
Properly take languageID into account in LanguageEditor::deleteFromXML()
see https://www.woltlab.com/community/thread/298522-sprachvariable-case-aktualisieren/
Tim Düsterhus [Thu, 12 Jan 2023 13:11:33 +0000 (14:11 +0100)]
Detect reused dialogIds in Form/Builder/Dialog.ts
see https://www.woltlab.com/community/thread/298580-uncaught-error-form-has-not-been-requested-yet/
Tim Düsterhus [Wed, 11 Jan 2023 14:55:01 +0000 (15:55 +0100)]
Fix incorrect use of `this` references in Dom/Util
This breaks if single functions are imported.
Tim Düsterhus [Wed, 11 Jan 2023 13:22:30 +0000 (14:22 +0100)]
Add `rel="nofollow"` to missed login link
This was noticed while resolving the merge conflicts when merging from 5.5 to
master.
see
fa0b20e855dbf01ebf3e4ac54c12a0507dcb993f
Tim Düsterhus [Wed, 11 Jan 2023 13:16:05 +0000 (14:16 +0100)]
Merge pull request #5221 from WoltLab/login-no-follow
Mark login links as `rel="nofollow"`
Tim Düsterhus [Wed, 11 Jan 2023 12:37:35 +0000 (13:37 +0100)]
Remove questionable `@` in login.tpl
Tim Düsterhus [Wed, 11 Jan 2023 12:35:03 +0000 (13:35 +0100)]
Mark login links as `rel="nofollow"`
Resolves #5218
Marcel Werk [Thu, 15 Dec 2022 15:53:33 +0000 (16:53 +0100)]
Fix missing permission check
It was not considered whether the user has the permission to edit his profile.
Tim Düsterhus [Thu, 15 Dec 2022 14:03:05 +0000 (15:03 +0100)]
Merge pull request #5190 from WoltLab/php-ddl-foreign-key-drop
Fix dropping of misnamed foreign keys in PHP DDL
Tim Düsterhus [Thu, 15 Dec 2022 13:22:10 +0000 (14:22 +0100)]
Fix dropping of misnamed foreign keys in PHP DDL
Foreign keys are matched up by their `getDiffData()` which includes the column
list, referenced column list and referenced table, but does not include the name.
This effectively ensures that only a single foreign key exists for each
possible combination of source and target columns.
Dropping foreign keys however relies on the foreign key’s name being sent to
the database and this is currently broken when the foreign key name differs
from the expected name:
The misnamed key will be matched up, but the DROP query will send the expected
name, instead of the actual name.
Fix this by inserting the `$matchingExistingForeignKey` into the list of keys
to drop, which makes sense, because the existing key is what should be dropped
in the first place.
Tim Düsterhus [Tue, 13 Dec 2022 14:11:42 +0000 (15:11 +0100)]
Merge pull request #5186 from WoltLab/fileDelete-validation
Fix validation in AbstractFileDeletePackageInstallationPlugin
Tim Düsterhus [Tue, 13 Dec 2022 14:02:52 +0000 (15:02 +0100)]
Silently skip files belonging to other packages in AbstractFileDeletePackageInstallationPlugin
Instead of throwing, we just silently skip files belonging to other packages,
because this implies that the file no longer exists for the package in
question.
Tim Düsterhus [Tue, 13 Dec 2022 13:31:04 +0000 (14:31 +0100)]
Fix validation in AbstractFileDeletePackageInstallationPlugin
The query for logged files must not include the `packageID` in its condition,
as the entire purpose is retrieving all the `packageID`s for installed files to
compare them against the package that is currently installed or updated. Thus
by selecting only files for the current packageID the purpose is defeated.
see
672cd6166b684767a3fc8ee1fd6a4516d2061285
Tim Düsterhus [Mon, 12 Dec 2022 14:19:24 +0000 (15:19 +0100)]
Merge pull request #5184 from WoltLab/external-image-internal-hostname
Merge `INTERNAL_HOSTNAMES` into list of allowed image domains
Tim Düsterhus [Mon, 12 Dec 2022 13:43:03 +0000 (14:43 +0100)]
Merge `INTERNAL_HOSTNAMES` into list of allowed image domains
Fixes #5146
Tim Düsterhus [Mon, 12 Dec 2022 13:36:11 +0000 (14:36 +0100)]
Use BBCodeHandler::getImageExternalSourceWhitelist() in HtmlOutputNodeImg
Related to #5146
Tim Düsterhus [Mon, 12 Dec 2022 09:28:28 +0000 (10:28 +0100)]
Fix baseclass inheritance check in DatabaseObjectList::__construct()
see https://www.woltlab.com/community/thread/298219-fehlerhafte-%C3%BCberpr%C3%BCfung-der-databaseobjectdecorator-baseclass/
Alexander Ebert [Fri, 9 Dec 2022 18:04:02 +0000 (19:04 +0100)]
Fix the insertion of tables into the editor
See https://www.woltlab.com/community/thread/298250-tabellen-einf%C3%BCgen-via-ipad-nicht-mehr-m%C3%B6glich/
Alexander Ebert [Fri, 9 Dec 2022 14:59:26 +0000 (15:59 +0100)]
Fix the logic to display the button for the participant list
See https://www.woltlab.com/community/thread/298009-teilnehmer-bei-umfragen-nicht-%C3%B6ffentlich-sichtbar/
Alexander Ebert [Fri, 9 Dec 2022 12:49:24 +0000 (13:49 +0100)]
The `$value` for `getFormElement()` is nullable
See https://www.woltlab.com/community/thread/298187-explode-passing-null-to-parameter-2-string-of-type-string-is-deprecated-php-8-1/
Tim Düsterhus [Tue, 6 Dec 2022 11:22:59 +0000 (12:22 +0100)]
Stop using undefined properties in SearchHandler::saveSearch()
These are not intended to be stored on the class and not used elsewhere, the
`this->` is likely a copy and paste mistake in the initial implementation.
see
11b63e8aa4e1a71425e1bffd7eb28f9db4a4bf13
Marcel Werk [Wed, 30 Nov 2022 15:12:55 +0000 (16:12 +0100)]
Merge pull request #5151 from SoftCreatR/bugfix/tpl
Make unfurlUrl template available in ACP
Sascha Greuel [Tue, 29 Nov 2022 09:38:01 +0000 (10:38 +0100)]
Made unfurlUrl template available in ACP
See https://www.woltlab.com/community/thread/298168-artikel-erstellen-im-acp-bringt-fehler-bei-vorschau/
Tim Düsterhus [Fri, 25 Nov 2022 11:01:05 +0000 (12:01 +0100)]
Merge pull request #5142 from WoltLab/php-ddl-index-validate
Fix validation of changed indices in PHP DDL
Tim Düsterhus [Thu, 24 Nov 2022 10:17:33 +0000 (11:17 +0100)]
Fix validation of changed indices in PHP DDL
The validation of the to-be-performed DDL operation currently identifies
indices by their data (i.e. column list and type), whereas the actual DDL
operation uses the `->diffIndices()` operation which also takes into account
the name of the index.
This mismatch allows a package to drop a foreign index, consider the following
situation:
Package A:
DatabaseTable::create('wcf1_test')
->columns([
NotNullInt10DatabaseTableColumn::create('a'),
NotNullInt10DatabaseTableColumn::create('b'),
])
->indices([
DatabaseTableIndex::create('testing')
->columns(['a']),
])
The package creates a table with two columns and a named index (“testing”) that
includes one of the columns.
Now Package B:
DatabaseTable::create('wcf1_test')
->indices([
DatabaseTableIndex::create('testing')
->columns(['a', 'b'])
->drop(),
])
This definition drops the named index (“testing”), but with a different column
definition. Thus the validation believes the indices to be different, allowing
the operation to proceed. The actual operation however identifies the index by
its name and thus drops the “testing” index that belongs to a different
package.
Alexander Ebert [Thu, 24 Nov 2022 17:08:53 +0000 (18:08 +0100)]
Release 5.5.7
Alexander Ebert [Thu, 24 Nov 2022 14:39:19 +0000 (15:39 +0100)]
The `$value` for `getSearchFormElement()` is nullable
See https://www.woltlab.com/community/thread/297958-fehler-bei-suche-mit-php-8-1/
Alexander Ebert [Thu, 24 Nov 2022 14:34:08 +0000 (15:34 +0100)]
Revert "`getSearchFormElement()` expects a string for the value parameter"
This reverts commit
d2beab69c1aee0a33cfe8bdb7d967da2300b1691.
Tim Düsterhus [Tue, 22 Nov 2022 12:47:43 +0000 (13:47 +0100)]
Merge pull request #5137 from WoltLab/store-code-refresh
Refresh the package database in Package/QuickInstallation.ts
Tim Düsterhus [Tue, 22 Nov 2022 12:45:58 +0000 (13:45 +0100)]
Merge pull request #5133 from WoltLab/i18n-form-field-one-language
Fix TI18nFormField if only one language is active
Tim Düsterhus [Tue, 22 Nov 2022 11:43:04 +0000 (12:43 +0100)]
Update to TypeScript 4.9
Tim Düsterhus [Tue, 22 Nov 2022 11:18:56 +0000 (12:18 +0100)]
Update eslint npm dependency
Tim Düsterhus [Tue, 22 Nov 2022 09:21:21 +0000 (10:21 +0100)]
Refresh the package database in Package/QuickInstallation.ts
Fixes #5135
Tim Düsterhus [Mon, 21 Nov 2022 11:26:55 +0000 (12:26 +0100)]
Fix TI18nFormField if only one language is active
Fixes #5131
Tim Düsterhus [Mon, 21 Nov 2022 10:27:39 +0000 (11:27 +0100)]
Update eslint npm dependency
Tim Düsterhus [Mon, 21 Nov 2022 09:01:13 +0000 (10:01 +0100)]
Fix erroneous encoding of ampersands in HtmlInputProcessor::convertToHtml()
see
f8deb9077dc485487bf53f9930ff956fbca1127b
see https://www.woltlab.com/community/thread/298042-werden-beim-import-falsch-ersetzt/
Alexander Ebert [Thu, 17 Nov 2022 11:44:23 +0000 (12:44 +0100)]
Release 5.5.7 dev 1
WoltLab [Thu, 17 Nov 2022 11:33:20 +0000 (11:33 +0000)]
Updating minified JavaScript files
Alexander Ebert [Wed, 16 Nov 2022 16:30:05 +0000 (17:30 +0100)]
Construct the profile url using just the user id
The attempt to embed the username into the URL is flawed, because it provides none of the server side transformations performed when naturally generating those URLs.
The currently implementation causes a redirect for most usernames anyway. Besides those redirects take place early in the processing of the controller and thus are acceptable.
Removing the username from the artificially constructed URL will now always cause a redirect, but do not break web servers with less permissive rewrite rules.
See https://www.woltlab.com/community/thread/297758-url-memberlist-suche-%C3%ACst-falsch/
Alexander Ebert [Wed, 16 Nov 2022 12:41:34 +0000 (13:41 +0100)]
Schedule the restore of the scroll position for the next loop
The previous delay of 1ms causes issue by actions that also try to delay their execution to the next run of the event loop. These will get executed while the page offset has not been adjusted, causing the calculations to be incorrect.
This primarily affects the editor which makes use of `setTimeout()` to workaround some browser limitations.
See https://www.woltlab.com/community/thread/297841-einf%C3%BCgen-von-links-in-den-editor/
Tim Düsterhus [Wed, 16 Nov 2022 10:29:25 +0000 (11:29 +0100)]
Update `@types/google.maps` and `@types/facebook-js-sdk`
Tim Düsterhus [Wed, 16 Nov 2022 10:28:24 +0000 (11:28 +0100)]
Update eslint
Tim Düsterhus [Wed, 16 Nov 2022 10:24:42 +0000 (11:24 +0100)]
Update `tslib`
Alexander Ebert [Tue, 15 Nov 2022 17:00:11 +0000 (18:00 +0100)]
Add the CSS class `.formAttachmentListItem` to existing attachments on page load
See https://www.woltlab.com/community/thread/297604-dateianh%C3%A4nge-werden-bei-mehrsprachigkeit-nicht-zwischen-editoren-synchronisiert/
Alexander Ebert [Sun, 13 Nov 2022 16:15:04 +0000 (17:15 +0100)]
`getSearchFormElement()` expects a string for the value parameter
Alexander Ebert [Sun, 13 Nov 2022 16:14:24 +0000 (17:14 +0100)]
Validate that the searched option implements the required interface
Alexander Ebert [Sun, 13 Nov 2022 15:43:36 +0000 (16:43 +0100)]
Remove selection markers after discarding the link dialog
See https://www.woltlab.com/community/thread/297178-links-bearbeiten-und-kopieren/
Alexander Ebert [Sun, 13 Nov 2022 15:09:23 +0000 (16:09 +0100)]
Bind the event listeners for the RSS feed dialog everytime
The dialog is replaced with the provided HTML on every invocation. Since this is a named dialog, the instance is set up once, but rebuild with every invocation.
See https://www.woltlab.com/community/thread/297896-kopieren-schaltfl%C3%A4che-nach-erneutem-%C3%B6ffnen-des-dialogs-nicht-mehr-funktionsf%C3%A4hig/
Alexander Ebert [Sun, 13 Nov 2022 14:53:58 +0000 (15:53 +0100)]
Fix the scroll offset when the first message is being targeted
See https://www.woltlab.com/community/thread/297814-mobil-zus%C3%A4tzlicher-container-sichtbar-bei-direktlink-auf-den-ersten-beitrag-eine/
Alexander Ebert [Fri, 11 Nov 2022 15:49:33 +0000 (16:49 +0100)]
Merge pull request #5119 from WoltLab/acp-not-authorized-ux
Improve user experience when accessing the ACP with an unauthorized user
Marcel Werk [Fri, 11 Nov 2022 15:24:31 +0000 (16:24 +0100)]
Typo
Alexander Ebert [Fri, 11 Nov 2022 14:41:45 +0000 (15:41 +0100)]
Prevent wrapping of text on narrow resolutions
There is plenty of whitespace around each column to allow for some small overlaps.
https://www.woltlab.com/community/thread/297666-blog-unsch%C3%B6ne-darstellung-der-reaktionen/
Tim Düsterhus [Thu, 10 Nov 2022 14:00:18 +0000 (15:00 +0100)]
Improve user experience when accessing the ACP with an unauthorized user
Specifically the logout link is available now.
Marcel Werk [Tue, 8 Nov 2022 14:25:30 +0000 (15:25 +0100)]
Fix missing consideration of the ad position when calculating the show order
Tim Düsterhus [Mon, 7 Nov 2022 10:00:16 +0000 (11:00 +0100)]
Fix typo in de.xml
Tim Düsterhus [Wed, 2 Nov 2022 08:51:43 +0000 (09:51 +0100)]
Merge pull request #5099 from WoltLab/articlelist-comments-column
Remove comments column from ACP's ArticleListPage
Tim Düsterhus [Wed, 2 Nov 2022 08:51:30 +0000 (09:51 +0100)]
Merge pull request #5100 from WoltLab/notification-email-unconfirmed
Discard notification emails if the recipient’s email address is unconfirmed
Tim Düsterhus [Mon, 31 Oct 2022 15:35:50 +0000 (16:35 +0100)]
Discard notification emails if the recipient’s email address is unconfirmed
This change discards notification emails if the recipient’s email address is
unconfirmed after the email was created and before the email was actually seat.
An example might be that the background queue is delayed, due to the mail
server’s spam protection kicking in, allowing the admin to unconfirm email
addresses of email addresses that are no longer valid to prevent more bounces
from being generated.
Tim Düsterhus [Mon, 31 Oct 2022 12:53:14 +0000 (13:53 +0100)]
Remove comments column from ACP's ArticleListPage
This column was effectively broken since the introduction of pluggable
discussion providers and is completely broken (always showing zero) since the
`comments` column was moved the the article to the article content in
75c21dfd1231389b2e3f527fc202dfec8f5c808b.
projects / GitHub / WoltLab / WCF.git / log