Commit Graph

57 Commits

Author SHA1 Message Date
Tim Abbott 65b9d9e0f3 CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.

Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths.  We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:54 -07:00
Rishi Gupta 191f8f1b39 left sidebar: Change Home to All messages.
We made this change because users often unnecessarily click "Home"
first in their use of Zulip, because it seems appealing.  While "All
messages" isn't quite precise (it doesn't include muted streams), it
does describe relatively simply the interleaved view that this
represents.

This commit leaves everything as "home" in the code, and only changes
user-visible strings and docs. Changing the code will be a big project;
there are hundreds of relevant occurrences in variable names, etc.

Further, we'll probably want to convert those various variable names
in different ways.

Tweaked by tabbott to extend the commit message and update a few comments.
2017-11-28 15:42:58 -08:00
Tim Abbott 82b708b721 eslint: Add and enforce space-in-parens lint rule. 2017-10-06 12:36:59 -07:00
Cory Lynch a90eda0154 Add 'group-pm-with' to operator autocomplete.
As you're typing this new keyword, it should be suggested
via get_operator_suggestions. Added relevant test.
2017-09-24 13:56:33 -04:00
Abhijeet Kaur 2bf3324395 frontend: Add ability to search by "group-pm-with" search operator.
This allows user to view all group private conversation messages
with a specific user. That is, it views all the the group private
messages from groups which include the given user.

Add search suggestion for group-pm-with. Add operator name
and description in "Search operators" tab.

Add change in tab name to "Group Messages" when using this operator.
Add frontend_tests for group-pm-with search operator.

Fixes: #3882.
2017-09-24 11:58:48 -04:00
Steve Howell bc0761b22b Extract topic_data.js.
This new module tracks the recent topic names for any given
stream.

The code was pulled over almost verbatim from stream_data.js,
with minor renames to the function names.

We introduced a minor one-line function called stream_has_topics.
2017-07-27 14:26:22 -07:00
Steve Howell b95e785335 recent topics: Extract get_recent_topic_names().
We now have all of our callers into recent_topics code just
receive a list of topic names from get_recent_topic_names().

This is more encapsulated than handing off tiny little
structures to the three callers, two of whom immediately
mapped the objects to names, and one of whom needlessly
used the now defunct name canon_subject field.

The consolidation here removes some "subject" references, and
now all lookup are by stream id, not stream name.

The diff here is a bit daunting, but it's mostly simplification
of tests and calling code.  Two of the callers now need to look
up stream ids, but they are otherwise streamlined.

The main change here is to stream_data.js, and we replace the
`canon_subject` and `subject` fields with `name`.
2017-07-27 14:26:22 -07:00
Cory Lynch 1dba70ca0d search_suggestion: Fix highlighting for multi-word streams.
I deleted a test case that involved a highlighted stream, but
the query was empty. This produces kind of a weird result with
typeahead_helper.highlight_with_escaping, but this function already
has coverage in node_tests/typeahead_helper.js, so the check here
was essentially redundant anyway. Specifically, the highlighter
wraps every character individually with <strong>, and looks really
messy in html.
2017-07-14 17:33:09 -07:00
Cory Lynch 2ce7a20237 search_suggestion: Support autocompleting operator names.
Fixes #5399
2017-07-07 20:54:54 -07:00
Cory Lynch 75617d07de search_suggestions: Prioritize recent huddles.
Fixes #5612. What this specifically does is that if you are
typing a group PM, this logic iterates through the possible
search suggestions for the next autocomplete. If that suggestion
contains a group PM that already exists, then prioritize it with
the most recent one on top.
2017-07-07 12:12:30 -07:00
Cory Lynch 7efba29b0c search_suggestions: Hide own name in huddle suggestions. 2017-07-07 12:12:30 -07:00
Cory Lynch 8abbb6d781 search: Remove in:all token from suggestions. 2017-07-01 12:19:52 -04:00
Cory Lynch 090d7487cf search_suggestion: Use person matching function from people.js.
Instead of having a custom (duplicate) matching function in
search suggestion, it was refactored to use the function in
people.js. This also gets the diacritic-ignoring feature
of the function in people.js.

Fixes #5315.
2017-06-23 08:29:20 -04:00
Cory Lynch 58a2ffbe1d Add search suggestion support for is:unread. 2017-06-19 06:51:13 -04:00
Cory Lynch 11a7a476d7 search_suggestion: Add negation support for 'has' operator. 2017-06-15 02:32:00 -07:00
Cory Lynch da4e2954fe search_suggestion: Remove is:private as default suggestion. 2017-06-15 02:20:50 -07:00
Cory Lynch 89b8d07420 Make search suggestion messages more concise.
This involves updating filter.js, mostly. The
tests were updated appropriately for this change,
which also involved changing a caspar test for
narrowing.
2017-06-14 22:34:46 -07:00
Cory Lynch ab5b0e938d Add support for "has" operator in search_suggestions.
This was never a feature in the old search_suggestions
version, so a new helper function for it was added.

Relevant tests were also added, maintaining 100% coverage.
2017-06-14 22:34:46 -07:00
Cory Lynch a7ec8cd1f3 Improve topic in search_suggestion.js.
Also added some additional testing to handle
some edge cases that I'd like to make sure
don't break down.
2017-06-14 22:34:46 -07:00
Cory Lynch 7cda7c4782 Improve stream in search_suggestions.js. 2017-06-14 22:34:46 -07:00
Cory Lynch 69e8074d14 Improve person/group in search_suggestions.js.
The get_person_suggestions and get_group_suggestions functions
were updated to the new system. Support for negation is also
added in the new system.

Relevant tests were also updated. Also, note that the function
get_private_suggestions was removed, as it was rendered
obsolete by these updates.
2017-06-14 22:34:46 -07:00
Cory Lynch c8d4eff8aa Improve sent_by_me in search_suggestions.js.
Added appropriate tests.
2017-06-14 22:34:46 -07:00
Cory Lynch 79d56c94dc Improve default and special_filter in search_suggestion.js.
Special filter was updated to work even when it is not the first
token in a search query. Furthermore, the default query was
moved around to work with the changes to come for the new
suggestion system.

A test also had to be modified to work with the new system.
2017-06-14 22:34:46 -07:00
Steve Howell 8eb86335b9 Extract narrow_state.js.
Despite the length of this commit, it is a very straightforward
moving of code from narrow.js -> narrow_state.js, and then
everything else is just s/narrow.foo()/narrow_state.foo()/
(with a few tiny cleanups to remove some code duplication
in certain callers).

The only new functions are simple setter/getters that
encapsulate the current_filter variable:

    narrow_state.reset_current_filter()
    narrow_state.set_current_filter()
    narrow_state.get_current_filter()

We removed narrow.predicate() as part of this, since it was dead
code.

Also, we removed the shim for narrow_state.set_compose_defaults(),
and since that was the last shim, we removed shim.js from the app.
2017-04-25 09:57:32 -07:00
Elliott Jin 9b854c62bc search_suggestion: Suggest multiple people in `pm-with` searches.
Currently, searching for group private messages requires typing each
person's email individually.  This change improves the typeahead
suggestions for group `pm-with` searches by suggesting additional people
whenever a comma is entered.

Fixes: #3575
2017-02-07 14:13:29 -08:00
Steve Howell 2af0302ed0 refactor: Use people.my_current_email() in search_suggestion.js. 2017-01-21 21:45:12 -08:00
Sampriti Panda e666a62c6a search: Extract 'Sent by me' suggestion logic into separate method.
This also adds a nice test suite for it.
2017-01-11 16:30:07 -08:00
Sampriti Panda c613e510ed search: Add autocomplete for 'from' operator.
Fixes #2932.
2017-01-11 16:29:58 -08:00
Tim Abbott 998dff9e50 lint: Add dangling commas in JavaScript objects. 2017-01-11 15:23:42 -08:00
kevv87 e6369fc29b eslint: change no-plusplus from warning to 2 and fix violations. 2016-12-01 14:27:17 -08:00
Steve Howell 06d7012113 Use people.get_all_persons() for search_suggestion.js.
This is better than using page_params.people_list, which may
go out of sync when live updates happen.
2016-11-01 13:55:48 -07:00
Steve Howell eb64b32bc8 Fix "subjects" in JS comments. Say "topics" instead. 2016-10-28 13:52:25 -07:00
Steve Howell 0a4579711d Add stream_data.get_recent_topics().
This removes the last remaining references to
stream_data.recent_subjects() outside of stream_data.js.
2016-10-28 13:52:25 -07:00
Tim Abbott c35781d505 lint: Require folding of } on same line as else statements. 2016-06-09 14:02:49 -07:00
Vishnu Ks d30ea0bc44 Move recent_subjects to stream_data. 2016-06-07 17:50:16 -07:00
Steve Howell 89f10d7e7a Handle negated person-related operators in search suggestions.
(imported from commit e045a0910ff59d9b8569c5ba3b3b644fe2d7dad7)
2014-03-05 10:54:02 -05:00
Steve Howell e5e0ba9e7c Handle negated topics in search suggestions.
Typing "stream:foo -topic:b" leads to "stream:foo -topic:bar" properly
as a suggestion now.

(imported from commit bb0acf52744f7b13977a3db5d3c130d1402b09b7)
2014-03-05 10:54:02 -05:00
Steve Howell 44564274a1 Move methods from search_suggestion to filter.
The methods describe() and operator_to_prefix() are
now in filter.js.  They seem like they eventually
may be useful outside the scope of search suggestions,
and they seem to go hand in hand with other Filter
responsibilities.

(imported from commit 55f14c3ee848febb2e7c8c6a27afd690569b4e08)
2014-02-19 11:05:30 -05:00
Steve Howell 10b24f77b6 Fix misc. uses of search tuples.
(imported from commit c7dc47c1396eb0d9f6821cafcb3dc90d283b4764)
2014-02-10 15:11:43 -05:00
Steve Howell fc78a2cc66 Stop using tuples in search_suggestions.js and Filter.unparse().
This is yet another change related to phasing out the
[operator, operand] tuple data structure for representing
terms in a narrow.

(imported from commit 508e58fc4eebae8a24a8ae59919ba5d94fc66850)
2014-02-06 16:42:38 -05:00
Steve Howell 8f9d29189c Fix undefined operator in search suggestions.
There was a bug where you would type "is:private je" into the search
suggestion and see undefined:jesstess@zulip.com.  Now we use
the "pm-with" operator.  The search suggestions for people are kind
of complicated now, because there is some overlap between
get_private_suggestions and get_person_suggestions.

(imported from commit 7d330f34f4a433995420de6eb90cb41229b70272)
2014-01-21 17:07:50 -05:00
Steve Howell 01f141e2b6 Show more topics in search suggestions.
Search suggestions were limiting you to the last 10 topics
in a stream, not the last 10 *matching* topics in a stream.
This was just a bug, where the slice() call was supposed to
come after the filter() call.

(imported from commit 7ad8f8409315d8ca389aa5bb085275a60f6e08c0)
2013-11-25 16:26:22 -05:00
Leo Franchi 51e0bea608 Autocomplete emails in sender: completion
(imported from commit 44dc337842d46349b103cf9631faa7d439be682c)
2013-10-07 14:55:58 -04:00
Leo Franchi 33dacae82d Split calculating of prefix from narrow operators into function
(imported from commit 940d7d7290e0357aad300ea00b6fcc59cd56cae1)
2013-10-07 14:54:05 -04:00
Leo Franchi 41b286232d Allow filtering to alerted messages with is:alerted
(imported from commit 99834f1ee1b9b2e0f5c7427afa1494bf404e3626)
2013-09-05 10:18:41 -04:00
Steve Howell c4d598b36e Move parse/unparse from narrow to Filter.
I'm trying to move well-isolated methods out of narrow.js, so that
narrow.js is more strongly focused on UI/ajax interactions and
big, heavy lifting stuff.  The logical home for parse/unparse
seemed to be Filter, and they brought along two private methods
with them.  The big code moves involved trivial follow ups
like s/exports/Filter/.

(imported from commit ace0fe5aa1c7abce0334d079ba9eb8d9a57bd10f)
2013-08-22 14:53:00 -04:00
Zev Benjamin 2c775d0894 Make recent_subjects case-insensitive
(imported from commit 36c423f506c1e8dc0536c80a4a085b689623191a)
2013-08-20 15:37:08 -04:00
Steve Howell 9d145ef5d4 Use official stream name in topic suggestions
(imported from commit 68b63a31f6a6e3cf8de6fd7fc255137dbc3260b8)
2013-08-20 14:27:43 -04:00
Steve Howell 29c012dc74 Create stream_data.js module.
This pulls a lot of data-centric functions out of subs.js.

(imported from commit 0deed7d4bf5697e893af9bc9d888c2d5da8d9fa2)
2013-08-19 12:17:55 -04:00
Steve Howell 878ee2b3fd Move Filter class to filter.js from narrow.js.
1) The class Filter now lives in its own module.
2) The function canonicalized_operators() is now a class method on Filter.
3) The function message_in_home moved to filter.js and became private.
4) Various calling code had to change, of course.
5) Splitting out Filter helped simplify a few tests.

(imported from commit e41d792b46d3d6a30d3bd03db0419f129d0a2a7b)
2013-08-12 13:58:32 -04:00