Commit Graph

20 Commits

Author SHA1 Message Date
Anders Kaseorg 68cfcd6446 CVE-2020-9444: Prevent reverse tabnabbing attacks.
While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 99563eb150 zjsunit: Make window a Proxy for global.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-11-13 14:27:13 -08:00
Anders Kaseorg fffef412bc dependencies: Upgrade to-markdown 3.1.1 to turndown 5.0.3.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-11-11 16:26:31 -08:00
Anders Kaseorg 28f3dfa284 js: Automatically convert var to let and const in most files.
This commit was originally automatically generated using `tools/lint
--only=eslint --fix`.  It was then modified by tabbott to contain only
changes to a set of files that are unlikely to result in significant
merge conflicts with any open pull request, excluding about 20 files.
His plan is to merge the remaining changes with more precise care,
potentially involving merging parts of conflicting pull requests
before running the `eslint --fix` operation.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-11-03 12:42:39 -08:00
Anders Kaseorg 23cd064c86 webpack: Elide node_modules when importing JS modules.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-06-26 16:49:32 -07:00
Aman Agrawal 904422d8bc css: Convert colors from rgba to hsla format. 2019-06-20 11:34:59 -07:00
Aman Agrawal 3e589cf65e css: Convert colors from rgb to hsl format.
Note that we are not converting the stream colors.
2019-06-20 11:34:34 -07:00
Puneeth Chaganti 9c377a05f3 paste: More robust check to verify if clipboard data is an image.
The commit f863a9b567 had modified
jquery.filedrop's paste method to exit early if any of the items in the
clipboardData is of the string kind. The early exit was added to prevent pasting
an image thumbnail for text copied from software like MS Word, instead of
pasting the actual copied text content. When copying an image in a (modern?)
Browser, though, the clipboard seems to contain a html `img` tag item, along
with the actual image file. This resulted in pastes being broken.

This commit modifies the condition checked for the early exit. We now actually
look at the html content in the clipboard to see if it is an `img` tag, in which
case we upload the image, instead of exiting early.

Closes #7130.
2019-01-25 11:40:33 -08:00
Priyank Patel 778742a189 jsdom: Upgrade jsdom to v11.10.0.
This also updates node_tests to use new constructor which is uppercase,
and some properties that are changed to be more clear now, like
jsdom().defaultView which is meant to the window object is now called window.

Ref: https://github.com/jsdom/jsdom/blob/master/Changelog.md
2018-05-20 11:11:03 -07:00
Steve Howell 42435db492 Add run_test helper for individual tests.
This run_test helper sets up a convention that allows
us to give really short tracebacks for errors, and
eventually we can have more control over running
individual tests.  (The latter goal has some
complications, since we often intentionally leak
setup in tests.)
2018-05-15 08:24:44 -07:00
Sampriti Panda e86d5139bb copy_and_paste.js: Remove excess newlines while pasting markdown html.
Fixes #8963
2018-04-24 08:27:43 -07:00
Tim Abbott a4def8d409 copy_and_paste: Re-disable copy-paste handler in production.
This reverts commit 6e048c5d3f.

See #8963 for the main issue we need to fix before re-enabling this;
basically, some combination of toMarkdown and the way text/html gets
written was introducing a lot of bonus/bogus whitespace, both in the
form of newlines and spaces converted to `&nbsp;`.
2018-04-09 22:10:28 -07:00
Tim Abbott 6e048c5d3f copy_and_paste: Enable copy-paste handler in production.
Now that we've fixed the issues we encountered when first testing
this, we can try it out in production again.
2018-03-11 15:26:27 -07:00
Sampriti Panda 90c89dcc5a copy_and_paste: Fix quirks with some parts of toMarkdown.
* Raw links don't use the proper markdown syntax and get pasted as is.
* Text in Ordered List format are not escaped like in normal markdown.
2018-02-22 08:26:45 -08:00
Garvit b9826e9067 Add filters for toMarkdown to paste data to compose-box.
This fixes bugs with pasting headings and italic styling.

Fixes #7485.
2017-11-28 09:56:48 -08:00
Rishi Gupta 83149a953a copy paste: Turn off toMarkdown in production.
At least until some of the TODOs at the bottom of
node_tests/copy_and_paste.js are done.
2017-11-27 16:44:16 -08:00
Rishi Gupta 3fcfcd2a55 copy paste: Add toMarkdown test for `1. text`. 2017-11-27 16:44:16 -08:00
Tim Abbott 0f8ee343de node: Fix copy_and_paste test output.
I'm confused how this was passing when I tested previously.
2017-11-23 14:18:28 -08:00
Tim Abbott cc8c8ab21c node: Fix style in copy-paste test.
This bug got merged due to a problem with Travis CI.
2017-11-23 13:06:17 -08:00
Tim Abbott 4d4532a27e copy_and_paste: Add a simple extensible test suite.
This commit is mostly about adding the test suite; some of the results
are things we'd like to change.
2017-11-23 12:59:01 -08:00