Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.
Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths. We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.
Thanks to w2w for reporting this issue.
This fixes a set of XSS issues with Zulip's frontend markdown
processor, which is used in a limited set of contexts, such as local
echo of messages and the drafts feature.
The implementation of several syntax elements, including the <em>
syntax, user and stream mentions, and some others failed to properly
escape the content inside the syntax.
Fix this, and add tests for each corrected code path.
Thanks to w2w for reporting this issue.
This fixes an XSS issue with Zulip's muting UI, where if a stream or
topic name contained malicious HTML containing JavaScript, and the
user did a muting interaction, the malicious JavaScript could run when
rendering the "you just muted a topic" notification.
We did an audit for similarly problematic use of `.html`, and found
none; for the next release we'll be merging a series of changes to our
linter to prevent future instances of this being added.
Thanks to Suhas Sunil Gaikwad for reporting this issue.
Removed the top margin of input-group css
to prevent the double margins. Also fixed the
default-language positioning, and maintained
margin consistency in organization settings.
Fixes#8890.
There was already a progress bar set up, but it became non-functional
after refactoring. This fixes it.
The default animation was getting cut off when `uploadFinished` is
called, so we add a delay before removing the upload bar to make it
get to the end.
Tweaked by tabbott to have a more natural feeling animation setup
(where we don't animate the width adjustments; just the disappearance
of the bar).
Fixes#8863.
This reverts commit 6e048c5d3f.
See #8963 for the main issue we need to fix before re-enabling this;
basically, some combination of toMarkdown and the way text/html gets
written was introducing a lot of bonus/bogus whitespace, both in the
form of newlines and spaces converted to ` `.
`@everone` and `@all` will have a megaphone icon from FontAwesome in
place of the avatar.
Also, fix the `composebox_typeahead` tests to account for the images.
Fix#6635.
Currently, stream subscriptions aren't getting updated without
hard reload when user is deactivated in realm.
Fix this issue by updating stream subscription widgets on user
deactivation event.
Fixes#5623
This commit adds a new helper func to check if sub settings tab
is active or not and remove function `add_me_to_member_list`
function from `static/js/stream_edit.js`, cause we don't need to
render subscribers for particular case, as we are already doing that.
Currently, even after unsubscribing from private/public stream
email address of stream is still present in html widgets hidden.
Cause we don't clear email address on unsubscription event.
This clears email address from widget when user unsubscribe
from any stream.
We make some specific cases of tags use 2 space indents.
The case description:
* A tag with opening tag spread over multiple lines and closing tag
on the same line as of the closing angle bracket of the opening tag.
* A tag with opening tag spread over multiple lines and closing tag
not on the same line as of the closing angle bracket of the opening
tag.
Example:
Case 1:
Not linted:
<button type="button"
class="btn btn-primary btn-small">{{t "Yes" }}</button>
After linting:
<button type="button"
class="btn btn-primary btn-small">{{t "Yes" }}</button>
Case 2:
Before linting:
<div class = "foo"
id = "bar"
role = "whatever">
{{ bla }}
</div>
After linting:
<div class = "foo"
id = "bar"
role = "whatever">
{{ bla }}
</div>
This reverts loader indicator from the new fontawesome
`icon-button-loading` to previous SVG one, this change is only reflected
to those loaders which use `loader.handlebars` template for
loading indication(because there are some indicators like "Save changes"
in org settings which don't use loader.handlebars).
This main problem with this indicator is that it is bit
inconsistent with other places where we use `loader.handlebars` like
loading Zulip icon which appears while fetching old messages.
Introduced a new checkmark icon in the settings page
from entypo ( www.entypo.com ) to make icons more
consistent between user and organization settings.
This commit changes the way the save and discard buttons on the
organization profile, settings and permissions tabs look and fades
them out after a delay. It also cleans up the code a bit in the
settings_org.js file. It introduces changes to the css in
settings.css as well as the template for save-discard buttons.
It also fixes a bug on the user settings whereby if an option
that requires reload is clicked before clicking an option that does
not require reload, the reload message is erased. This could create
an issue where the user is not aware that a reload is required.
The loader is also changed to using fa-icon as loading spinner on
user settings and the colors are tweaked a little bit.
This commit adds the ability to pass the sticky option to
in the change_display_setting function in order to have the
feedback element remain visible instead of fading out which
is the default behavior. Also passes true for that option in
two instances on the page.
This commit changes the do_settings_change function so that it
defaults to showing the loading spinner for 500ms before fading
out the the feedback element. It also adds a sticky option so you
can override the fading out of the feedback element and have it
remain visible.
This tweak to our compose on-topic-narrow logic may help make it a bit
easier to do quick replies without needing to re-open compose. I'm
not 100% confident this actually makes Zulip better, but it's worth
testing and getting some feedback.
Fixes#6473.
For a non-empty compose box, we previously considered closing the
compose box when switching topic narrows with content in the compose
box; now we leave it open unconditionally.
Part of #6473.
The margin between the first sentence/heading for the
instructions and the numbered list that follows was too small,
which made headings look very awkward.
The indentation was off because there was no CSS anywhere that
properly indented <ul> elements that were nested inside <ol>
lists with custom numbering.
Since every <li> element is prefixed by a custom list number, in
<li> elements with multiple <p> elements inside, the <p> elements
after the first one did NOT take into account the space occupied
by the custom list number, which resulted in inconsistent
indentation. Now, it does!
Fixes#8965.
Mark_message(s)_as_read is used in marking a message as having been
read by the browser, rename it to notify_server_message(s)_read to
avoid any confusion.
We've had a longstanding bug where the streams settings code
was getting an i18n'ed value in the middle of a callback from
the toggle component, so it would have been broken for
non-English sites. And then a recent cleanup of the toggle
code introduced a bug where the callback-in-the-callback was
getting stale state, so English sites broke too.
This fix just simplifies everything by using the key that
comes into our callback to determine whether we filter or not.
Fixes#8945
This is a recent regression where we I refactored the toggle
component. For some reason the old code was waiting until
after the callback to set some of its state, and I did the
same thing when I simplified how the state was stored.
Under the old code, this didn't manifest as a bug, although
the old code was problematic for other reasons.
This "fix" doesn't actually change anything user facing, as the
follow up commit fixes the proximal problem more directly. And
the toggle component is still prone to people writing code that
tries to inspect the state of the widget as it's being built.
For info overlays (keyboard/markdown/search help) we now let
the modal portions of the widget have focus, so that you can
page around. And then tab switching still works with the arrow
keys.
This is a pretty thin abstraction to prevent having to put
magic numbers in code, doing the which/keyCode hack, and remembering
to all preventDefault.
Hopefully we'll expand it to handle things like shift/alt keys
for components that want their own keyboard handlers (vs. going
through hotkey.js).
Currently, long textual fields are rendered as short textual fields
in UI, this bug was introduced because of our recent changes in
custom fields type.
It removes code related to custom profile field's placeholder styling
and related to numeric custom fields, as recently we removed support
for numeric custom fields.
This commit adds support for '+' and 'Z' for "zoom in" and '-' and 'z'
for "zoom out" shortcut keys in the lightbox image viewer for Pan and
Zoom.
Fixes: #8689.
Apparently, since 1948cb6a89, we've been
sending requests by an administrator to change a user's name to the
/json/bots endpoint, which would end up changing the "bot owner" of
these objects to some random user.
We fix this by re-splitting the views code.
Fixes#8853.
In certain cases, the browser is not able to look up the message.
Include the recipient data for the message in the delete_message event,
so look up of those attributes by the browser isn't required.
Replace mark_message_as_read with process_read_messages_event as the
latter function is only correct for marking a message as having been
read by this browser.
(It is a preliminary change for deduplication of org settings template.)
This adds org settings labels as a context to admin templates so that
they can be used as a context variables in admin templates.
The reason we did this in JS code because of translation issue when
passed (as a context in `partial` handlebars helper) directly within
template.
(It is a preliminary change for deduplication of org settings template.)
This is done because of some settings like organization-settings
has ids which match the pattern of having a prefix `id_`
before the property name.
For those settings which don't have any prefix, there will be no
effect.
Here obsolete `t` in the label is removed since we do
label translations in JS files.
This splits "Language and notifications" section into "Default user
settings" and "Notifications".
With this, we can easily add other default user settings in the
same place.
In our new system for updating realm settings, we don't need to create
separate functions to update the input elements for each feature.
Most of the work is done automatically by
`settings_org.sync_realm_settings`.
We are having a same code in `render_notifications_stream_ui`
and `render_signup_notifications_stream_ui` functions aside from
the HTML element. So this commit will remove the duplicate code in
`render_signup_notifications_stream_ui` and make use of
`render_notifications_stream_ui`.
Fixes#8886.
On IE11, ClipboardData isn't defined; one can instead access it with
`window.clipboardData`, but that doesn't support text/html, so this
code path couldn't do anything special anyway.
So we instead just let the default paste handler run on IE11.
Fixes#8850.
Tim Abbott
Rohitt Vashishtha
YJDave
guaca
Marco Burstein
Shubham Dhama
Balaji2198
Aditya Bansal
Cynthia Lin
Aastha Gupta
Eeshan Garg
Armaan Ahluwalia
Armaan Ahluwalia
Tarun Kumar
Priyank
Rishi Gupta
Shubham Padia
Steve Howell
Abhigyan Khaund
Greg Price
Anurag Sharma