Commit Graph

25469 Commits

Author SHA1 Message Date
Eeshan Garg c51a3dce62 webhooks/pivotal: Update docs to conform to style guide. 2018-04-14 09:38:22 -07:00
Eeshan Garg 911b9582bd webhooks/opbeat: Update docs to conform to style guide. 2018-04-14 09:38:22 -07:00
Eeshan Garg 3e0eb9530c webhooks: Remove the Facebook integration.
Rishi and I decided that it makes sense to get rid of the Facebook
integration for a few reasons, some of which are:

* The setup process is too complicated on Facebook's end. The users
  will surely have to browse Facebook's huge API reference before even
  having a vague idea of what they want.
* Slack chooses not to have a Facebook integration, but relies on
  Zapier for it. Zaps that integrate with Facebook are much more
  streamlined and the setup process isn't as much of a pain. Zapier's
  Facebook Zaps are much more fine-tuned and there are different Zaps
  for different parts of the FB API, a luxury that would likely span
  2K+ lines of code on our end if we were to implement it from
  scratch. So, I think we should relegate integration with Facebook to
  Zapier as well!
* After thoroughly testing the setup process, we concluded that the
  person who submitted the FB integration didn't really test it
  thoroughly because there were some gaping holes in the docs (missing
  steps, user permissions, etc.).
2018-04-14 09:38:22 -07:00
Tim Abbott 5ddf2614f0 uploads: Add new way of querying for mobile uploads endpoint.
This extends the /user_uploads API endpoint to support passing the
authentication credentials via the URL, not the HTTP_AUTHORIZATION
headers.  This is an important workaround for the fact that React
Native's Webview system doesn't support setting HTTP_AUTHORIZATION;
the app will be responsible for rewriting URLs for uploaded files
directly to add this parameter.
2018-04-13 17:51:45 -07:00
Tim Abbott 012115c9e0 message_events: Fix updating compose fade after topic editing.
If you started composing a message to a topic, and then the topic was
edited, we would update the compose box and message list state, but we
didn't correctly update the fade state after updating your compose box
(and the message list), resulting in the messages being incorrectly
faded.
2018-04-13 16:31:18 -07:00
Tim Abbott 5ae9505fdc message_list: Move set_message_offset into message_list_view.
The refactor in 12509515ae had a subtle
bug, which is that we switched from accessing the message list "this"
(aka the message list being rerendered) to current_msg_list.  This
meant that when the narrowed_msg_list was in view and code needed to
modify home_msg_list, we accessed the wrong `selected_row` to preserve
the scroll position of (namely, the one in current_msg_list, not the
one in home_msg_list).

Fix this, by moving the function to be a property of the
message_list_view object, which makes more sense structurally, anyway.

We may, in the future, want to do a similar migration for more of
message_viewport.js.

Fixes #8854.
2018-04-13 16:31:18 -07:00
Tim Abbott dbbd3627b5 message_list: Show empty narrow notice after emptying narrow.
If muting, topic editing, or deletion causes a narrow loses its last
message, we should show the empty-narrow notice; similarly, if
un-muting adds the first message, we should hide the notice.

We do this in `rerender()` since that's the common code path for
re-rendering the message list after events that might change this.

This has likely been broken since the very first muting
and topic editing implementations.
2018-04-13 16:31:18 -07:00
Tim Abbott a8d237b252 message_list: Extract rerender_with_target_scrolltop.
We may find this useful in upcoming edits to the muting code.
2018-04-13 16:31:18 -07:00
Aastha Gupta 0c219a1905 invites ui: fixed rerendering of invites list
Earlier it was re-initialising invites list on every load.
Now, if the list is already initialised, it will reutilise
those resources.
2018-04-13 12:07:42 -07:00
Tarun Kumar 0b62410f5e pm_pill: Achieve 100% node-test coverage for compose_pm_pill.js. 2018-04-13 11:59:57 -07:00
Tarun Kumar 51601fab44 muting: Achieve 100% node-test coverage for settings_muting.js. 2018-04-13 11:59:57 -07:00
Aditya Bansal 113c1a81ea index.html: Refactor 'javascript:' URI to be written as JavaScript block.
This is important because we intent to start using CSP in our main
app which means dropping of any inline event handlers
(onclick="...", onerror="...") and <a href="javascript:...">
links that can be used to run scripts.
2018-04-13 11:10:06 -07:00
Rohitt Vashishtha 7a4788b364 node-tests: Add basic tests for notifications API.
This commit exposes some inner variables of notifications.js to make
them easily testable. The first test added simply checks whether the
showing and closing of notifications works properly, and doesn't yet
verify the main code logic of the notification generation.
2018-04-13 09:13:50 -07:00
Rohitt Vashishtha 703351288a zjquery: Add replaceWith() and selector.location. 2018-04-13 09:13:50 -07:00
Rohitt Vashishtha 2e7f215f44 zjquery: Add option to silently ignore find() errors. 2018-04-13 09:13:50 -07:00
Tim Abbott db830c4085 bugdown: Replace link to old pre-open-source Zulip trac. 2018-04-13 08:41:44 -07:00
Rohitt Vashishtha 9e7929417d markdown: Increase rendered_content length limit.
This commit increases the rendered_content limit from 2x to 10x of the
original message length.

Earlier, we had placed a limit of MAX_MESSAGE_LENGTH * 2 for the
rendered content (explained in commit
77addc5456).  That limit was based on
the assumption that in most cases, the rendered content wouldn't cause
a large increase in message length. However, quite prominently in
syntax highlighted codeblocks, that wasn't true and this caused the
limit condition to be hit for long messages composed primarily of code
blocks.

Example: The following message would render close to 10x it's original size.

```py
if:
def:
print("x", var)
x = y
```

Because the syntax highlighted logic is extremely compressible, having
rendered_content reach up to 100KB doesn't create a network
performance problem.
2018-04-13 08:39:51 -07:00
Tim Abbott cc927774af docs: Add an initial document explaining our presence protocol. 2018-04-12 17:04:51 -07:00
novokrest 0d164fab1b message_edit_form: Show default cursor instead of pointer.
Fixes part of #3938.

(This only changes the sections within the message-edit form; the top
and left chrome are still cursor: pointer).
2018-04-12 15:08:38 -07:00
Gooca c4e2899f99 settings: Pull nested radio-buttons closer together.
Exact spacing tweaked by tabbott.

Fixes #9066.
2018-04-12 14:46:23 -07:00
Tim Abbott 105eed049e install-node: Fix leaking of $HOME.
This fixes a bug where provision was failing since our most recent
upgrade to yarn/nvm/node.

It turns out my original fix was the correct fix, but to the wrong
third-party tool: nvm, not yarn, was the offender.
2018-04-12 14:32:36 -07:00
Steve Howell f56b4b7ec2 zjquery: Simplify validation for $(...).
We flatten the code a bit by removing a check that type is object,
and we replace it later with a check that type is string.

We also no longer allow document-like objects to be wrapped based
on the location-attribute-is-present hack.  Instead, we want the
tests to just set document to 'document-stub'.
2018-04-12 11:37:01 -07:00
Steve Howell 368b37e198 zjquery: Add a selector attribute to our wrapped elements.
We might as well have this for debugging purposes and to simplify
the code that happens when we double-wrap DOM elements.
2018-04-12 11:37:01 -07:00
Steve Howell f78947f2ba zjquery: Fix minor typo in comments.
This typo came from s/impl/self/ at some point :)
2018-04-12 11:37:01 -07:00
Steve Howell 174d065b2e zjquery: Add to_$ hook so elements can wrap themselves. 2018-04-12 11:37:01 -07:00
Steve Howell f505f3de04 zjquery: Support $.fn.foo mechanism.
We can now extend zjquery using the $.fn mechanism.  This isn't
necessarily recommended for test code (since you can just stub
individual objects directly), but some of our real code does this.
2018-04-12 11:37:00 -07:00
Steve Howell f5e0794d5c zjsquery: Give special treatment to "body" tag.
We don't do things like $('table') much in our code, but $('body')
is in the code.
2018-04-12 11:37:00 -07:00
Steve Howell 3971fae05d node tests: Fix some leaks with $(...). 2018-04-12 11:37:00 -07:00
Tim Abbott 041fd802b7 Revert "yarn: Revert back to v0.27.5."
This reverts commit d4b88e86cc.
2018-04-12 11:37:00 -07:00
Tim Abbott f6ae57fa70 install-node: Correctly fix yarn installation.
Apparently, new versions of yarn use the HOME environment variable to
figure out where to access their configuration, and sudo apparently
doesn't clear that variable, so install-node was being run with HOME
set to something under /home/vagrant (e.g.).

Fix this by just setting that environment variable correctly.

This replaces 250a036ff8, which
misdiagnosed the issue.
2018-04-12 11:37:00 -07:00
Steve Howell 205bcb8ef9 Fix recently broken reactions tests with s/html/text/.
In the real code, as part of a quick security patch, we started
using text() to set values instead of html().  The tests now
reflect this.
2018-04-12 11:29:08 -07:00
Shubham Dhama 50545a3571 settings: Revert checkmark icon to fontawesome and checkbox-green.
In 7b8da9b we have introduced some other checkmark icons
which aren't necessary as old icons still make sense there.

So removing them as they don't add any extra value.

Fixes: #8995.
2018-04-12 11:06:43 -07:00
Tim Abbott 250a036ff8 install-node: Fix yarn installation.
It appears that some change in yarn's versioning system means that
installing yarn itself ends up chowning its config directory
incorrectly to be owned by root, preventing `yarn install` from
working later.
2018-04-12 10:42:27 -07:00
Tim Abbott fea65cbb01 Update changelog and versions following Zulip Server 1.7.2. 2018-04-12 10:20:49 -07:00
Priyank d4b88e86cc yarn: Revert back to v0.27.5.
Revert yarn version back due to some issue with new version that causes
permission issues in ~/.config/yarn directory.

Related discussion: https://chat.zulip.org/#narrow/stream/21-provision-help/topic/EACCES.3A.20permission.20denied.2C.20scandir.20'.2Fhome.2Fvagrant.2F.2Econfig.2Fya
2018-04-12 10:18:59 -07:00
Tim Abbott feef35bf25 linter: Add checks for sloppy use of .html().
Since jQuery's .html() can be a source of security bugs, we add a new
lint rule that tries to catch common problematic uses.
2018-04-12 09:50:14 -07:00
Tim Abbott 5f0f492205 unread: Clean up variable names around bankruptcy modal.
unread_info was a particularly bad name for the HTML.
2018-04-12 09:48:02 -07:00
Tim Abbott a6d80969f5 subs: Clean up variable name for rendered subscription count. 2018-04-12 09:48:02 -07:00
Tim Abbott ab8fb23164 emoji: Clean up variable names for rendered template content. 2018-04-12 09:48:02 -07:00
Tim Abbott c90fbff703 settings: Clarify variable names for tab template rendering. 2018-04-12 09:48:02 -07:00
Tim Abbott dbb62ba5cb compose: Clean up variable names for preview logic.
This makes it more clear that the content has already been rendered.
2018-04-12 09:48:02 -07:00
Tim Abbott f4aea3ec22 invite: Clarify variable names for rendered_email_msg. 2018-04-12 09:48:02 -07:00
Tim Abbott 0db715d222 search_suggestion: Add escaping for email addresses.
This is probably unnecessary, but makes me feel better about every
code path in this file doing proper escaping to avoid XSS issues.
2018-04-12 09:47:01 -07:00
Tim Abbott 65b9d9e0f3 CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.

Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths.  We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:54 -07:00
Rohitt Vashishtha 3bdc8bbaa5 CVE-2018-9986: Fix XSS issues with frontend markdown processor.
This fixes a set of XSS issues with Zulip's frontend markdown
processor, which is used in a limited set of contexts, such as local
echo of messages and the drafts feature.

The implementation of several syntax elements, including the <em>
syntax, user and stream mentions, and some others failed to properly
escape the content inside the syntax.

Fix this, and add tests for each corrected code path.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:37 -07:00
Tim Abbott 1207a08b36 CVE-2018-9987: Fix XSS issue with muting notifications.
This fixes an XSS issue with Zulip's muting UI, where if a stream or
topic name contained malicious HTML containing JavaScript, and the
user did a muting interaction, the malicious JavaScript could run when
rendering the "you just muted a topic" notification.

We did an audit for similarly problematic use of `.html`, and found
none; for the next release we'll be merging a series of changes to our
linter to prevent future instances of this being added.

Thanks to Suhas Sunil Gaikwad for reporting this issue.
2018-04-12 09:46:03 -07:00
YJDave 92a04b31a0 custom fields: Clean custom fields to use existing defined function. 2018-04-12 09:40:09 -07:00
guaca a19daf0ab2 Settings: Fix vertical spacing.
Removed the top margin of input-group css
 to prevent the double margins. Also fixed the
 default-language positioning, and maintained
margin consistency in organization settings.

Fixes #8890.
2018-04-12 09:38:24 -07:00
Axel Tietje 8f984be457 docs: Fix typo in production docs. 2018-04-12 09:19:26 -07:00
Lyla Fischer d291def7a1 user-docs subsystem: Fix broken markdown. 2018-04-12 09:09:56 -07:00