Commit Graph

108 Commits

Author SHA1 Message Date
Rohitt Vashishtha 3bdc8bbaa5 CVE-2018-9986: Fix XSS issues with frontend markdown processor.
This fixes a set of XSS issues with Zulip's frontend markdown
processor, which is used in a limited set of contexts, such as local
echo of messages and the drafts feature.

The implementation of several syntax elements, including the <em>
syntax, user and stream mentions, and some others failed to properly
escape the content inside the syntax.

Fix this, and add tests for each corrected code path.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:37 -07:00
Shubham Dhama a32e1eb913 markdown: Require double-asterisk around all mentions.
This enforces `**` around all the mentions including "at-all" and
"at-everyone" mentions. Hence this makes `@all` and `@everyone`
invalid mentions, resulting into proper syntax for these mentions as
`@**all**` and `@**everyone**` respectively.

Note from tabbott: This removes an old feature/syntax, which made
sense back when @Tim was also a way to mention a user with Tim as
their first name.  Given how nice typeahead is now, the user part of
the feature was removed a while ago; this should have gone at the same
time.

Fixes: #8143.
2018-02-16 11:45:08 -08:00
Greg Price d053e07760 upload: Make filedrop error handling more consistent.
The first argument to the error callback is *usually* a string code
from a list in the filedrop source; but sometimes it was the text
the server sent in the HTTP status line, instead.  The latter isn't
predictable, and so it's not possible to write app code that uses it
to handle error consistently.

Instead, use that parameter for the numeric HTTP status code.  This
still isn't totally clean in that sometimes it's internal filedrop
errors, as strings, and sometimes it's HTTP status codes, as numbers;
but at least both of those are things we can sanely handle with a
`switch` statement.

Also pass through `serverResponse`, which for a nice JSON error from
the server will contain meaningful information about the error which
the calling code can use for nice error handling.  And just drop the
HTTP status text, which at best is redundant with the numeric code.

In passing, fix one case where for no obvious reason filedrop was
passing the file object but not the index.

This should be a pure refactor.
2018-01-29 16:06:11 -08:00
Greg Price 55cf54c087 upload: Remove old per-user quota feature.
We'll replace this primarily with per-realm quotas (plus the simple
per-file limit of settings.MAX_FILE_UPLOAD_SIZE, 25 MiB by default).

We do want per-user quotas too, but they'll need some more management
apparatus around them so an admin has a practical way to set them
differently for different users.  And the error handling in this
existing code is rather confused.  Just clear this feature out
entirely for now; then we'll build the per-realm version more cleanly,
and then we can later add back per-realm quotas modelled after that.

The migration to actually remove the field is in a subsequent commit.

Based in part on work by Vishnu Ks (hackerkid).
2018-01-29 16:06:11 -08:00
Tim Abbott 852af0e3c5 Revert "katex: Update the `require` path to point to the new one."
This implementation never worked, for two reasons:

(1) The logic for getting the path to the katex package had invalid
syntax in the version of Node we use.

(2) The KaTeX package bundled by webpack doesn't seem to be importable
from Node at all.
2018-01-23 12:30:28 -08:00
rht 953478a189 katex: Update the `require` path to point to the new one.
This fixes #7620.
2018-01-20 08:09:17 -05:00
Andy Perez f0190333b8 bugdown: Remove whitespace strip from inline code.
Fixes #4507
2017-12-14 07:48:10 -05:00
Umair Khan 8f190e0746 user-groups: Update marked.js to do proper local echo for mentions.
We implement markdown in the JS as well to improve the
usability.  Comes complete withunit tests.

Fixes #7381.
2017-11-27 09:16:09 -08:00
Andy Perez e7f1825617 bugdown: Update KaTeX to version 0.8.3 from 0.7.1.
Fixes #7480.
2017-11-23 12:43:34 -08:00
Andy Perez 83f563aeff bugdown: Properly parse empty blockquotes.
The character ">" now only starts a blockquote if the resulting
blockquote would be non-empty.  Thus, by itself, ">" is now
interpreted literally by bugdown, fixing #687.  The message
with contents consisting of ">>>" is now parsed as a doubly
(not triply) nested blockquote with contents ">".  Properly
formed blockquotes have identical behavior as before, but now
bugdown can no longer produce empty blockquotes as output.

Fixes #2886, #687.
2017-11-17 11:41:44 -08:00
Andy Perez 4d51a6cfac bugdown: Fix $$ whitespace handling.
The intended use of $$ is for inline expressions, not for multiline
ones; ```math is an acceptable alternative for the latter.  Hence,
the $$-syntax for inline TeX no longer permits newlines within it.

This was also necessary for the next change to be sensible; namely
allowing for spaces around both $$ when crafting inline TeX instead of
forcing everything to be crammed together, e.g. $$x=7$$.  In order to
avoid uninentionally creating inline expressions, the opening and
closing $$'s of an inline expression must now both exactly consist of
two dollar signs, no more and no less.

Fixes: #6488.
2017-11-10 16:54:27 -08:00
Brock Whittaker 70a14d8b44 bootstrap: Patch bootstrap.js to support contenteditable.
If the lookup input is contenteditable, it should be searching for text
rather than input.
2017-11-10 14:14:03 -08:00
Brock Whittaker 0c42e4a705 typeahead: Fix typeahead positioning for iOS keyboard case.
When the iOS keyboard is open and up, the positioning gotten by
getBoundingClientRect will display a `top` value that is short by the
height of the keyboard, which will usually end up placing things north
of the top of the screen.

By changing to jQuery $.fn.offset instead, the positioning appears to
be correct in all cases; iOS keyboard up, down, and desktop usage.

Fixes: #6366.
2017-10-04 17:39:42 -07:00
Brock Whittaker 2a7480051f third: Update version of Source Sans Pro font.
Our previous version was several years old.
2017-08-28 16:08:30 -07:00
Joshua Pan e6611fec99 markdown.js: Remove paragraph break from numbered lists.
Fixes #5902.
2017-07-28 12:32:20 -07:00
Brock Whittaker ac4ac63353 Change from deprecated $.parseJSON to JSON.parse.
The jQuery function `parseJSON` is now deprecated so we should push to
switch to native `JSON.parse` since all browsers support it.
2017-07-27 14:16:57 -07:00
Cory Lynch d32e89aae4 jQuery: Remove broken use of "removeAttr".
This function no longer sets properties to false, so the supported
way of doing this is to instead use prop(foo, false). Some tests
had to be fixed to accommodate this.
2017-07-24 10:54:47 -07:00
Joshua Pan 5e5ca48063 markdown.js: Fix inconsistent #**stream** on new line.
This commit removes all code related to headers because
(1) we don't need the code and (2) it splits #**stream**
as a paragraph, which we don't want. This commit also
fixes the inconsistency when #**stream** is on a new line.

Fixes #4678.
2017-07-18 11:07:25 -07:00
Joshua Pan ec669a0c45 markdown.js: Fix inconsistent user mention on new line.
The user mention regex was checking for multiple lines,
so it broke when the user mention was on a new line.
This changes the regex AND adds a couple tests to
test inline markdown regexes.
2017-07-18 00:07:49 -07:00
Cory Lynch 802ea9abf5 Refactor to delete mousewheel.js.
This old third party library added support
for a "mousewheel" event to detect scrolling.
However, it is not compatible with jQuery 3
and is obsolete now that there is a standard
"wheel" event that accomplishes the same thing.
2017-07-03 11:04:20 -04:00
Cory Lynch f848ffc03b Patch spectrum.js for jQuery 3 compatibility.
This includes removing deprecated functions
(namely bind/unbind/delegate) and fix an aspect
of event handling that breaks in the new jQuery.
2017-07-02 07:59:24 -04:00
Cory Lynch 10fa6b75f9 Patch filedrop for jQuery 3 compatibility.
This entails removing the use of jQuery.event.props,
which has been removed from jQuery 3.
2017-07-02 07:59:24 -04:00
Rafid Aslam 4f482834b4 deps: Upgrade and move `perfect-scrollbar` from `static/third` to `npm`.
- Remove `perfect-scrollbar` from `static/third` and fetch it from npm.
- Upgrade `perfect-scrollbar` to 0.7.1.
- Bump up the `PROVISION_VERSION` to 5.6.

Changed `wheelSpeed` in "static/js/scroll_bar.js" to 0.5, because when it
20, the scrollbar scrolls very fast.

Changed 'wheelSpeed' in "static/js/emoji_picker.js" from 25 to 0.68
(based on tabbott's testing of scrolling through the emoji list).

Part of #1709.
2017-06-11 10:15:48 -07:00
Harshit Bansal c549dea9ac bugdown: Fix the regex used for unicode emoji matching.
The regex we were using didn't cover all the unicode blocks
to which our emojis belong. This commit fixes the regex to
include all the unicode blocks and also updates the
corresponding JS regex in marked.js.

Fixes: #3460.
2017-05-16 09:05:42 -07:00
Tim Abbott f4a4c23380 KaTeX: Fix path to KaTeX bundle in production. 2017-04-21 14:56:19 -07:00
Benjamin Gilbert 4775f55ca7 Fix spelling of "occurred" in various places. 2017-04-17 20:29:07 -07:00
Aditya Bansal 91962aa6ab font-awesome: Fix font-awesome 4.7.0 upgrade in a hacky way.
What actually has been done below is to just copy the css class defination
from the latest font-awesome css to be here and since the rest of the stuff
in /third/fontawesome was updated in ee0b16b1ef
we should be able to use this safely until we update all font-awesome class
usage in templates.

Fixes #4302.
2017-03-25 18:30:40 -07:00
Yago González 34a9e1ae11 markdown: Add TeX typesetting support.
Co-authored-by: Reid Barton <rwbarton@gmail.com>

Fixes #2056.
2017-03-21 16:40:00 -07:00
adnrs96 a91012bd70 Move thirdparty-fonts.css from static/styles to static/third. 2017-03-21 13:40:05 -07:00
Rafid Aslam 33129059f4 deps: Upgrade and move `handlebars` from `static/third` to `npm`.
- Remove `handlebars.runtime.js` from static/third and fetch it from npm
- Upgrade `handlebars` to 3.0.3.

I change the test since there is a patch about line, written in
handlebars'
v2.0.0-beta.1 release note:
"Lines containing only block statements and whitespace are now removed."

Fixes part of #1709.
2017-03-04 21:49:02 -08:00
Philip Skomorokhov 866a7b06b2 upload: Limit total size of files uploaded by a user to 1GB.
Fixes #3884.
2017-03-04 18:08:30 -08:00
Brock Whittaker 1143ed7219 redesign: Change /#settings and /#administration to an overlay.
This also adds a box-shadow to the #deactivate_self_modal so that it
looks similar to the old backdrop.
2017-02-09 23:35:10 -08:00
khantaalaman ee0b16b1ef Update Font Awesome to version 4.7.0.
Fixes #3329.
2017-02-06 22:45:02 -08:00
Tim Abbott b52f606c3a Revert "deps: Upgrade and move `jquery-mousewheel` from `static/third` to `npm`"
Apparently, the updated version of this has a serious scrolling
performance problem in the left sidebar that basically makes scrolling
in that area unusable.

This reverts commit b683b2d3c3.
2017-01-26 13:42:00 -08:00
Rafid Aslam b683b2d3c3 deps: Upgrade and move `jquery-mousewheel` from `static/third` to `npm`
- Remove `jquery-mousewheel` from `static/third` and fetch it from npm.
- Upgrade `jquery-mousewheel` to 3.1.6.
- Bump up the `PROVISION_VERSION` to 4.5.
- Change some js code to comply with this `jquery-mousewheel` version.

Part of #1709.
2017-01-19 17:24:53 -08:00
Rafid Aslam 10a8c3d2ae deps: Move `xdate` from `static/third` to `npm`
- Remove `xdate` from `static/third` and fetch it from `npm`.
- Bump up the `PROVISION_VERSION` to 4.3.

Part of #1709.
2017-01-19 17:07:55 -08:00
Rafid Aslam 84e802422e deps: Upgrade and move `underscore.js` from `static/third` to `npm`
- Remove `underscore.js` from `static/third` and fetch it from `npm`.
- Upgrade `underscore.js` to 1.8.3.
- Bump up the `PROVISION_VERSION` to 4.2.

Part of #1709
2017-01-19 17:07:45 -08:00
Rafid Aslam 911fcd3831 deps: Upgrade and move `codepointat` from `static/third` to `npm`
- Remove `codepointat` from `static/third` and fetch it from `npm`.
- Upgrade `codepointat` to 0.2.0.
- Bump up the `PROVISION_VERSION` to 4.1.

Part of #1709.
2017-01-19 17:07:32 -08:00
Rafid Aslam 8ac81d2722 deps: Upgrade and move `winchan.js` from `static/third` to `npm`
- Remove `winchan.js` from `static/third` and fetch it from `npm`.
- Upgrade `winchan` to 0.2.0.
- Bump up the `PROVISION_VERSION` to 4.0.

Part of #1709.
2017-01-19 17:07:21 -08:00
Rohith Asrk 213b8cef0c Bootstrap.js: Fix null is not an object error. 2017-01-19 16:28:17 -08:00
Tim Abbott 007d4becfd Revert "update-sockjs: Update sockjs from version 0.3.4 to 1.1.1."
This reverts commit 7bf10ec74f.

Apparently, SockJS 1.1.1 is broken with the browser used in our legacy
desktop app, resulting in messages being silently not sent.
2017-01-10 11:46:15 -08:00
Brock Whittaker 7b00bd6f7e Remove the old spinner, replace with new one.
This removes the old content loading spinner and replaces it with a new
SVG.
2017-01-06 10:37:54 -08:00
Yago González ca190bd394 bug fix: Handle empty at-mentions gracefully.
An exception in the webapp was trown when an empty mention was sent.
Examples of problematic messages are "@" or "@****".

In order to fix this, the regex that identifies mentions has been
modified, so it now requires the mention to have a "content" (by
replacing the ? quantifier by +).

A test case has been added to `frontend_tests/node_tests/echo.js` to
check that this works properly in the future.
2016-12-21 15:32:12 -08:00
Igor Tokarev 0bac986f26 Fixed compose box PM recipient typeahead handling of focus.
This closes #2315.
2016-12-07 22:13:47 -08:00
K.Kanakhin 7bf10ec74f update-sockjs: Update sockjs from version 0.3.4 to 1.1.1.
- Add browserify to npm dependencies.
- Add SockJS-client to npm dependencies.
- Add npm postinstall script to generate browser version of SockJS-client
  from npm package.
- Change deprecated SockJS object property 'protocol_whitelist' to
  'transports'.
- Fix settings.
2016-12-05 21:36:10 -08:00
Brock Whittaker 0e3332d86e [Bootstrap]: Fix Null Case Issue.
This fixes the case in which `this` evaluates as null and throws an
error in TravisCI.
2016-12-02 11:58:53 -08:00
hackerkid 951f1d9cdb Add missing unicode range to text: replace(inline.breaks.text)
This is a followup of #2297.
2016-11-14 20:10:54 -08:00
hackerkid b2e91eae13 Add marked.js support to emojis in miscellaneous and dingbats block.
https://en.wikipedia.org/wiki/Emoji#Unicode_blocks
2016-11-14 15:58:16 -08:00
paxapy ade3bda025 markdown: Fix stream link handler in corner cases.
* Fixes handling of multiple stream links and invalid stream names.
* Fixes text regex so it handle hash sign the right way.
* Adds tests for these stream link cases.
2016-11-10 19:22:19 -08:00
Igor Tokarev 852bc6b491 bugdown: Re-enable support for italics in bugdown.
Fixes: #1103.
2016-11-10 19:14:40 -08:00