Websites loaded via an iframe could interrupt the user's workflow by initiating certain actions like opening print dialogs, alert boxes, etc. on the user's browser or even initiate file downloads.
By using the sandbox attribute, the iframe is limited in it's actions and can't access browser APIs such as to download files.
With the additional credentialless attribute, the page in the iframe is loaded in a completely separate browsing context on Chromium-based browsers, thus isolating the content even more.
The functionality could previously be abused to initiate certain actions on 3rd-party websites where the user is logged-in, if these 3rd-party websites have no proper CSRF protection. However, this is not a security risk to HedgeDoc itself.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit upgrades dependencies that are more or less trivial
to update, e.g. because they didn't have major version bumps or
simply didn't break anything. There are some dependencies which
have not been upgraded since this would have required larger
refactorings. This includes especially the markdown-it ecosystem
and the webpack ecosystem.
The largest refactorings in this commit come from the bump of
socket.io v2 to v4 which changed the handling of the connected
socket list for instance.
This commit further removes some outdated and/or unnecessary
dependencies. This includes the String.js library which is
unmaintained for 9 years and has some CVEs. We mainly used
this library for their escapeHTML and unescapeHTML methods.
This can be done using native DOM APIs nowadays, which is also
considered more safe since it is the same logic that the
browser itself uses.
Since we target Node 18 and above, we can also rely on the
built-in fetch function instead of the node-fetch package.
The current version of Chance.js includes a method for
generating a random color now too, so we don't need the
package randomcolor anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The slideshare integration was broken for quite a while already,
as slideshare doesn't seem to have a good replacement, we're
dropping it in the same manner as speakerdeck was dropped some
time ago. This means the special syntax now just renders a plain
link. This commit gets rid of the vimdo oembed API too which
allowed JSONP injection. Instead we're using the normal vimeo
video metadata API.
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The used library gist-embed relies on GitHub Gist's JSONP
endpoint which is a risk for XSS injection. By adding untrusted
content from GitHub into the DOM it also follows very bad
practises. Using the iframe embedding has the disadvantage of
not having the proper height for the frame auto-loaded, but
the security benefits are worth it.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Because screen readers don't know that the anchor icon is not meant to be read,
they might read the title (which is the same as the heading itself) in addition
to the heading, thus causing a duplicated output.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
In e17cc644 the Webpack build process for CodeMirror was changed.
For unknown reasons, not all plugins and modes were added.
This adds all plugins currently enabled in
https://github
.com/hedgedoc/CodeMirror/blob/951b3d94bb5ad9ac7b44642adbe595e843390506/release.sh
Signed-off-by: David Mehren <git@herrmehren.de>
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
that.
This copies the function into its own file (to make importing it easy)
and adds an import in index.js.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2248
Signed-off-by: David Mehren <git@herrmehren.de>
Previously, the HTML export template `html.hbs` included CDN links
for the HTML and CSS resources.
This commit enables Webpack to create a new `htmlexport.html` at
build-time, which includes all resources inline.
That template is then used as before by the frontend to be populated
with the rendered note content.
The tradeoff is that each exported .html file is about 5.6 MB in size,
as we need to inline all fonts (icons & emojis).
Signed-off-by: David Mehren <git@herrmehren.de>
This adds the secure flag to all cookies that are set
in the frontend for storing various settings.
If `SameSite=none` is set (like when embedding the instance is allowed),
the `secure` flag is necessary to set any cookie.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit moves the import of highlight.js into a `require.ensure`
block, that is only executed when a code-block is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.
The call to `hljs.listLanguages()` in `index.js` is also replaced
by a static list. This is important, as `index.js` would otherwise
need to import highlight.js, which would cause the quite big
library to be included into nearly every entrypoint, needlessly
increasing the transferred code size.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit moves the import of viz.js into a `require.ensure` block,
that is only executed when a graphviz diagram is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.
To ensure that graphviz code-blocks are not treated as normal
code-blocks while the chunk is loading, a corresponding check is added
to `finishView`.
The library is also removed from the Webpack config file, as it only
is used at one place in extra.js, which is handled by Webpack
without any extra config.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit moves the import of abcjs into a `require.ensure` block,
that is only executed when a abc diagram is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.
To ensure that abc code-blocks are not treated as normal
code-blocks while the chunk is loading, a corresponding check is added
to `finishView`.
Signed-off-by: David Mehren <git@herrmehren.de>
The html.hbs template does not contain any logic,
so we can replace the lib with good old string.replace calls.
This significantly reduces the bundle size, as we don't have to ship
a full template engine to the client.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit moves the import of mermaid into a `require.ensure` block,
that is only executed when a mermaid diagram is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.
To ensure that mermaid code-blocks are not treated as normal
code-blocks while the chunk is loading, a corresponding check is added
to `finishView`.
Signed-off-by: David Mehren <git@herrmehren.de>
The ot library is tricky to load with Webpack, as it writes
it's functions into a global `ot` object and does not export anything.
I got it working using `exports-loader` to put the `ot` object
into a CommonJS export and then forcing Webpack to only
load using CommonJS.
Signed-off-by: David Mehren <git@herrmehren.de>
