zulip/static/js
Tim Abbott 65b9d9e0f3 CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.

Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths.  We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:54 -07:00
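The pattern the commit message describes, as an added JavaScript illustration that is not Zulip's code: `describe_narrow_raw` and `describe_narrow_html` stand in for Filter.describe before and after the change, the `render_*` functions stand in for its main and parallel callers, and the crafted stream name is constructed for the example.

```javascript
// Added illustration of the escaping pattern in the commit message above.
// None of this is Zulip's code: describe_narrow_raw / describe_narrow_html
// stand in for Filter.describe, the render_* functions stand in for its
// callers, and the crafted stream name is constructed for the example.

function escape_html(s) {
    return String(s)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

// A narrow is a list of {operator, operand} pairs, e.g. stream: design.
function describe_narrow_raw(operators) {
    return operators.map(function (op) {
        return op.operator + ': ' + op.operand;
    }).join(', ');
}

// BEFORE the fix: describe returns raw text and every caller must remember
// to escape.  The main path does; the typeahead path (a parallel code path)
// concatenates the description straight into markup.
function render_main_before(operators) {
    return '<span class="narrow">' + escape_html(describe_narrow_raw(operators)) + '</span>';
}
function render_typeahead_before(operators) {
    return '<li>' + describe_narrow_raw(operators) + '</li>';  // missing escape
}

// AFTER the fix: describe itself returns escaped HTML, so every caller that
// inserts its result into markup is safe, including ones added later.
function describe_narrow_html(operators) {
    return escape_html(describe_narrow_raw(operators));
}
function render_main_after(operators) {
    return '<span class="narrow">' + describe_narrow_html(operators) + '</span>';
}
function render_typeahead_after(operators) {
    return '<li>' + describe_narrow_html(operators) + '</li>';
}

// Check: does the rendered markup contain any tag other than the wrapper
// element the renderer put there itself?
function has_injected_tag(html, wrapper) {
    var tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
    return tags.some(function (t) {
        return t.replace(/^<\/?/, '').toLowerCase() !== wrapper;
    });
}

// Constructed input: a stream name carrying an event-handler payload.
var crafted = [{ operator: 'stream', operand: 'news<img src=x onerror=alert(1)>' }];

function demo() {
    return {
        typeahead_before: render_typeahead_before(crafted),
        typeahead_after: render_typeahead_after(crafted),
        main_after: render_main_after(crafted),
        // Caveat: a caller that keeps its own escape_html() after the change
        // now double-escapes, so the user sees a literal "&lt;" on screen.
        double_escaped: escape_html(describe_narrow_html(crafted)),
    };
}
```

The design choice is to make the function that produces the string also own its escaping, so correctness no longer depends on auditing every caller. The caveat is that the change alters the contract: callers that previously escaped the result must stop doing so, and callers that insert it as plain text (rather than as HTML) would now show entities literally, so each call site still has to be checked once when the contract flips.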
portico desktop-app: Update app to latest v1.9.0. 2018-03-30 13:14:10 -07:00
stats lint: Fix errors with stats.js with new eslint. 2018-04-06 12:42:19 -07:00
.eslintrc.json
activity.js right-sidebar: Enable up and down arrow keys. 2018-02-12 15:38:23 -08:00
admin.js org settings: Add labels as a context to admin templates. 2018-04-01 14:52:12 +05:30
admin_sections.js settings: Add support for adding/removing custom profile fields. 2018-03-29 13:59:16 -07:00
alert_words.js
alert_words_ui.js
attachments_ui.js attachments_ui: Remove unnecessary export of bytes_to_size. 2018-03-15 18:06:04 -07:00
avatar.js user settings: Display avatar source. 2018-03-05 09:12:59 -08:00
blueslip.js lint: Replace 'return undefined;' with 'return;'. 2018-03-13 08:22:42 -04:00
bot_data.js bots: Delete bot from bot_data set on realm_bot delete event. 2018-03-08 07:54:19 -08:00
channel.js
click_handlers.js Extract info_overlay.js. 2018-03-30 09:07:23 -07:00
colorspace.js
common.js lint: Replace 'return undefined;' with 'return;'. 2018-03-13 08:22:42 -04:00
components.js Fix recent pitfall in toggle component. 2018-04-04 16:37:39 -07:00
compose.js cleanup: Remove the legacy Dropbox file upload integration. 2018-04-11 11:39:48 -07:00
compose_actions.js compose: Fix fading when topic changes on re-narrow. 2018-04-05 15:21:02 -07:00
compose_fade.js stream_data.js: Replace user_email with user_id in func is_user_subscribed. 2018-04-08 16:54:12 -07:00
compose_pm_pill.js compose: Add pills for typing in PM recipients. 2018-03-07 15:53:11 -08:00
compose_state.js compose: Add pills for typing in PM recipients. 2018-03-07 15:53:11 -08:00
compose_ui.js message edit: Allow uploading files. 2018-03-05 10:42:38 -08:00
composebox_typeahead.js markdown: Add @stream as an alias for @all. 2018-04-09 16:35:14 -07:00
condense.js frontend: Simplify saving collapsed/uncollapsed flags. 2017-12-26 09:01:21 -05:00
copy_and_paste.js copy_and_paste: Re-disable copy-paste handler in production. 2018-04-09 22:10:28 -07:00
debug.js
dict.js lint: Replace 'return undefined;' with 'return;'. 2018-03-13 08:22:42 -04:00
drafts.js drafts: Fix same day's timestamp when language is other than english. 2018-03-14 10:57:11 -07:00
dynamic_text.js
echo.js Revert "Suppress local echo when we are not caught up." 2018-03-30 11:51:52 -07:00
emoji.js emoji: Do selective local echo of emoticon conversions. 2018-03-27 17:16:55 -07:00
emoji_picker.js Refactor perfect-scrollbar: Call ui methods in emoji_picker.js. 2018-03-16 12:47:44 -07:00
favicon.js lint: Ban two spaces after comma in JS code. 2017-10-18 10:22:18 -07:00
feature_flags.js cleanup: Remove the legacy Dropbox file upload integration. 2018-04-11 11:39:48 -07:00
fenced_code.js bugdown: Fix handling of nested fenced math blocks. 2017-11-22 12:19:43 -08:00
fetch_status.js Revert "Ignore new messages when lists are behind." 2018-03-30 11:52:14 -07:00
filter.js CVE-2018-9990: Fix XSS issue with stream names in topic typeahead. 2018-04-12 09:46:54 -07:00
floating_recipient_bar.js
gear_menu.js
hash_util.js Add stream ids to urls for stream-related narrows. 2018-02-19 09:03:11 -08:00
hashchange.js Extract info_overlay.js. 2018-03-30 09:07:23 -07:00
hotkey.js hotkeys: Replace C with x for composing PM. 2018-04-01 16:13:05 -07:00
hotspots.js hotspots: Fix real-time sync for dismissing hotspots. 2018-03-18 10:22:09 -07:00
info_overlay.js Fix keyboard handling for info overlays. 2018-04-04 16:37:39 -07:00
input_pill.js pills: Add exportable function for creating non-editable pills. 2018-04-05 17:40:12 -07:00
integration_bot_widget.js template context: Give better names to the URLs for the API. 2017-10-30 18:29:29 -07:00
invite.js invite: Update text of success message. 2017-12-19 17:46:36 -08:00
keydown_util.js Add keydown_util.js module. 2018-04-04 16:37:39 -07:00
lightbox.js lightbox: Add debugging code for unknown message IDs. 2018-03-23 15:17:21 -07:00
lightbox_canvas.js hotkeys: Add shortcuts for pan and zoom in lightbox view 2018-04-03 09:20:55 -07:00
list_render.js list_render: Add sorting reversal. 2017-11-01 13:26:40 -07:00
list_util.js
loading.js display_settings: Change success/failure feedback interface. 2018-03-04 17:47:05 -08:00
localstorage.js lint: Replace 'return undefined;' with 'return;'. 2018-03-13 08:22:42 -04:00
markdown.js CVE-2018-9986: Fix XSS issues with frontend markdown processor. 2018-04-12 09:46:37 -07:00
message_edit.js clipboard: Update clipboard to v2.0.0 to avoid variable name conflict. 2018-04-05 15:09:00 -07:00
message_events.js messages: Make checking for status message consistent with backend. 2018-01-23 09:26:41 -05:00
message_fetch.js Fetch new messages when you scroll forward in narrows. 2018-03-28 09:12:59 -07:00
message_flags.js refactor: Rename mark_message(s)_as_read to notify_server_message(s)_read. 2018-04-05 09:54:48 -07:00
message_list.js message_list: Fix unnecessary work re-rendering all_msg_list. 2018-04-02 18:58:51 -07:00
message_list_view.js message_list_view: Add a workaround for Chrome scrolling down bug. 2018-03-27 13:51:28 -07:00
message_live_update.js message_live_update: Fix double re-rendering of home_msg_list. 2018-04-02 18:58:51 -07:00
message_scroll.js Fetch new messages when you scroll forward in narrows. 2018-03-28 09:12:59 -07:00
message_store.js refactor: Extract pm_conversations.recent. 2018-02-12 09:34:59 -08:00
message_util.js
message_viewport.js lint: Ban two spaces after comma in JS code. 2017-10-18 10:22:18 -07:00
muting.js
muting_ui.js CVE-2018-9987: Fix XSS issue with muting notifications. 2018-04-12 09:46:03 -07:00
narrow.js refactor: Rename mark_message(s)_as_read to notify_server_message(s)_read. 2018-04-05 09:54:48 -07:00
narrow_state.js lint: Replace 'return undefined;' with 'return;'. 2018-03-13 08:22:42 -04:00
navigate.js
night_mode.js styles: Rename dark-mode to night-mode. 2018-03-28 10:41:26 -07:00
notifications.js electron_bridge: Send unread count to electron app on update. 2018-03-09 14:12:33 -08:00
overlays.js settings: When overlay modal opens, remove previous alert messages. 2018-01-23 14:38:59 -05:00
panels.js notifications: Check if localstorage is enabled. 2018-03-18 12:54:11 -07:00
people.js people: Clean up now-unnecessary url variable. 2018-04-09 12:12:44 -07:00
pm_conversations.js Add pm_conversations.recent.get_strings(). 2018-02-12 09:34:59 -08:00
pm_list.js refactor: Extract pm_conversations.recent. 2018-02-12 09:34:59 -08:00
pointer.js refactor: Rename mark_message(s)_as_read to notify_server_message(s)_read. 2018-04-05 09:54:48 -07:00
popovers.js clipboard: Update clipboard to v2.0.0 to avoid variable name conflict. 2018-04-05 15:09:00 -07:00
presence.js
reactions.js emoji: Migrate realm emoji to be addressed by `id` rather than `name`. 2018-03-20 22:24:44 -07:00
realm_icon.js
recent_senders.js recent senders: Use message ids instead of timestamps for sorting. 2018-02-08 18:39:10 -08:00
reload.js reload: Handle errors with compose_actions.start(). 2018-03-07 15:53:11 -08:00
resize.js condense: Re-condense all messages on window resize. 2018-03-27 09:53:45 -07:00
rows.js
rtl.js
scroll_bar.js Refactor perfect-scrollbar: Call ui methods in scroll_bar.js. 2018-03-16 12:47:46 -07:00
search.js
search_suggestion.js CVE-2018-9990: Fix XSS issue with stream names in topic typeahead. 2018-04-12 09:46:54 -07:00
sent_messages.js urls: Move the report endpoints to be API-style routes. 2017-10-17 22:05:56 -07:00
server_events.js local echo: Bypass message.flags array. 2017-12-26 09:01:21 -05:00
server_events_dispatch.js custom fields: Clean custom fields to use existing defined function. 2018-04-12 09:40:09 -07:00
settings.js settings: Fix label for message_content_in_email_notifications. 2018-04-07 20:22:33 -07:00
settings_account.js custom fields: Fix error in rendering long textual custom fields. 2018-04-04 10:46:18 -07:00
settings_bots.js settings: Remove obsolete lines of code. 2018-03-30 16:07:53 +05:30
settings_display.js settings: Change save and discard button look and feel. 2018-04-05 21:49:12 -07:00
settings_emoji.js settings: Clean up repeating code in error callbacks. 2018-03-25 10:40:40 -07:00
settings_filters.js settings: Clean up repeating code in error callbacks. 2018-03-25 10:40:40 -07:00
settings_invites.js settings: Clean up repeating code in error callbacks. 2018-03-25 10:40:40 -07:00
settings_lab.js settings: Remove autoscroll_forever setting. 2018-01-02 10:35:49 -05:00
settings_muting.js
settings_notifications.js settings: Refactor to use pluck to extract `setting` attribute. 2018-03-27 18:01:03 -07:00
settings_org.js settings: Change save and discard button look and feel. 2018-04-05 21:49:12 -07:00
settings_profile_fields.js custom fields: Clean custom fields to use existing defined function. 2018-04-12 09:40:09 -07:00
settings_sections.js settings_ui: Move main function for new settings system to library code. 2018-03-04 18:26:27 -08:00
settings_streams.js stream settings: Make deactivate stream handler global. 2018-04-06 12:25:42 -07:00
settings_ui.js settings: Changed checkbox and close icons on settings. 2018-04-05 21:49:13 -07:00
settings_user_groups.js settings: Avoid duplicate form handlers. 2018-03-25 08:28:04 -07:00
settings_users.js settings_users: Fix sending queries to /json/bots endpoint. 2018-04-02 18:48:55 -07:00
setup.js
socket.js
stream_color.js Revert "Make recipient bar styling more compact and clean." 2018-02-16 11:55:00 -08:00
stream_create.js stream_create: Finish handler cleanup. 2018-03-26 06:44:19 -04:00
stream_data.js subscription: Add real time sync for user-just-deactivated case. 2018-04-08 16:54:12 -07:00
stream_edit.js subscription: Show current user on top of subscribers list if present. 2018-04-11 09:54:42 -07:00
stream_events.js stream_data: Move calls to update_calculated_fields to events layer. 2018-03-09 18:00:31 -08:00
stream_list.js Refactor perfect-scrollbar: Call ui methods in stream_list.js. 2018-03-16 12:47:47 -07:00
stream_muting.js
stream_popover.js bankruptcy: Add UI widget to mark all messages as read. 2018-02-15 18:01:03 -08:00
stream_sort.js
subs.js subscription: Show current user on top of subscribers list if present. 2018-04-11 09:54:42 -07:00
tab_bar.js left sidebar: Change Home to All messages. 2017-11-28 15:42:58 -08:00
templates.js
timerender.js drafts: Add timestamps showing when last modified. 2018-02-19 09:55:50 -08:00
top_left_corner.js
topic_data.js
topic_generator.js Add topic_generator.get_next_unread_pm_string(). 2018-02-12 09:34:59 -08:00
topic_list.js Refactor perfect-scrollbar: Call ui methods in topic_list.js. 2018-03-16 12:47:46 -07:00
translations.js i18n: Flag emojiset type name string for translation. 2018-02-22 05:36:03 -08:00
transmit.js websockets: Fix race condition in CSRF token initialization. 2018-03-31 09:29:56 -07:00
tutorial.js
typeahead_helper.js markdown: Add @stream as an alias for @all. 2018-04-09 16:35:14 -07:00
typing.js Add typing.initialize() to prevent tracebacks. 2018-03-16 09:23:23 -07:00
typing_data.js docs: Reorganize developer docs to improve navigation. 2017-11-16 09:45:08 -08:00
typing_events.js docs: Reorganize developer docs to improve navigation. 2017-11-16 09:45:08 -08:00
typing_status.js docs: Reorganize developer docs to improve navigation. 2017-11-16 09:45:08 -08:00
ui.js ui.js: Add minimum scrollbar length. 2018-04-02 10:48:28 -07:00
ui_init.js Extract info_overlay.js. 2018-03-30 09:07:23 -07:00
ui_report.js ui: Add ability to hide ui feedback messages. 2018-04-05 17:17:08 -07:00
ui_util.js ui_util: Move `place_caret_at_end` to ui_util module. 2018-01-23 15:00:11 -08:00
unread.js unread: Fix confusing aliasing of variable names. 2018-03-28 12:21:36 -07:00
unread_ops.js refactor: Rename mark_message(s)_as_read to notify_server_message(s)_read. 2018-04-05 09:54:48 -07:00
unread_ui.js
upload.js uploads: Fix the upload progress bar. 2018-04-09 22:53:06 -07:00
upload_widget.js settings ui: Restrict file type for image file pickers. 2017-10-27 10:21:36 -07:00
user_events.js custom profile data: Send event to active user on update. 2018-03-21 16:08:12 -07:00
user_groups.js user-groups: Update user_group_name_dict, when name/description is edited. 2018-03-15 10:09:28 -07:00
user_pill.js pills: Add exportable function for creating non-editable pills. 2018-04-05 17:40:12 -07:00
util.js markdown: Add @stream as an alias for @all. 2018-04-09 16:35:14 -07:00
zulip.js night-mode: Add custom CSS through JS. 2017-11-29 23:06:11 -08:00