apitech
/
wekan
mirror of https://github.com/wekan/wekan
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The Open Source kanban (built with Meteor). Keep variable/table/field names camelCase. For translations, only add Pull Request changes to wekan/i18n/en.i18n.json , other translations are done at https://transifex.com/wekan/wekan only.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10346 Commits
5 Branches
844 Tags
83 MiB
Tag: Branch: Tree: 6e1ef3d94a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6e1ef3d94a'
${ noResults }
wekan/client/components/main/editor.js

416 lines
15 KiB
Raw Normal View History Unescape

Move every Users.findOne() to the ReactiveCache
3 years ago
import { ReactiveCache } from '/imports/reactiveCache';
adds handles to notifiy board or card members
4 years ago
const specialHandles = [
{userId: 'board_members', username: 'board_members'},
{userId: 'card_members', username: 'card_members'}
];
const specialHandleNames = specialHandles.map(m => m.username);
Added copy button to all editor's
4 years ago
BlazeComponent.extendComponent({
onRendered() {
const textareaSelector = 'textarea';
const mentions = [
// User mentions
{
User mentions now return @username (full name)
4 years ago
match: /\B@([\w.-]*)$/,
Added copy button to all editor's
4 years ago
search(term, callback) {
Move every Boards.findOne(Session.get('currentBoard')) to the ReactiveCache
3 years ago
const currentBoard = Utils.getCurrentBoard();
Added copy button to all editor's
4 years ago
callback(
_.union(
currentBoard
.activeMembers()
.map(member => {
Move every Users.findOne() to the ReactiveCache
3 years ago
const user = ReactiveCache.getUser(member.userId);
Added copy button to all editor's
4 years ago
const username = user.username;
User mentions now return @username (full name)
4 years ago
const fullName = user.profile && user.profile !== undefined && user.profile.fullname ? user.profile.fullname : "";
User mentions now return @username (full name) - part 2
4 years ago
return username.includes(term) || fullName.includes(term) ? user : null;
Added copy button to all editor's
4 years ago
})
User mentions now return @username (full name) - part 2
4 years ago
.filter(Boolean), [...specialHandles])
Added copy button to all editor's
4 years ago
);
},
User mentions now return @username (full name) - part 2
4 years ago
template(user) {
if (user.profile && user.profile.fullname) {
return (user.profile.fullname + " (" + user.username + ")");
}
return user.username;
Added copy button to all editor's
4 years ago
},
User mentions now return @username (full name) - part 2
4 years ago
replace(user) {
if (user.profile && user.profile.fullname) {
return `@${user.username} (${user.profile.fullname}) `;
}
return `@${user.username} `;
Added copy button to all editor's
4 years ago
},
index: 1,
Renaissance _,,ad8888888888bba,_ ,ad88888I888888888888888ba, ,88888888I88888888888888888888a, ,d888888888I8888888888888888888888b, d88888PP"""" ""YY88888888888888888888b, ,d88"'__,,--------,,,,.;ZZZY8888888888888, ,8IIl'" ;;l"ZZZIII8888888888, ,I88l;' ;lZZZZZ888III8888888, ,II88Zl;. ;llZZZZZ888888I888888, ,II888Zl;. .;;;;;lllZZZ888888I8888b ,II8888Z;; `;;;;;''llZZ8888888I8888, II88888Z;' .;lZZZ8888888I888b II88888Z; _,aaa, .,aaaaa,__.l;llZZZ88888888I888 II88888IZZZZZZZZZ, .ZZZZZZZZZZZZZZ;llZZ88888888I888, II88888IZZ<'(@@>Z| |ZZZ<'(@@>ZZZZ;;llZZ888888888I88I ,II88888; `""" ;| |ZZ; `""" ;;llZ8888888888I888 II888888l `;; .;llZZ8888888888I888, ,II888888Z; ;;; .;;llZZZ8888888888I888I III888888Zl; .., `;; ,;;lllZZZ88888888888I888 II88888888Z;;...;(_ _) ,;;;llZZZZ88888888888I888, II88888888Zl;;;;;' `--'Z;. .,;;;;llZZZZ88888888888I888b ]I888888888Z;;;;' ";llllll;..;;;lllZZZZ88888888888I8888, II888888888Zl.;;"Y88bd888P";;,..;lllZZZZZ88888888888I8888I II8888888888Zl;.; `"PPP";;;,..;lllZZZZZZZ88888888888I88888 II888888888888Zl;;. `;;;l;;;;lllZZZZZZZZW88888888888I88888 `II8888888888888Zl;. ,;;lllZZZZZZZZWMZ88888888888I88888 II8888888888888888ZbaalllZZZZZZZZZWWMZZZ8888888888I888888, `II88888888888888888b"WWZZZZZWWWMMZZZZZZI888888888I888888b `II88888888888888888;ZZMMMMMMZZZZZZZZllI888888888I8888888 `II8888888888888888 `;lZZZZZZZZZZZlllll888888888I8888888, II8888888888888888, `;lllZZZZllllll;;.Y88888888I8888888b, ,II8888888888888888b .;;lllllll;;;.;..88888888I88888888b, II888888888888888PZI;. .`;;;.;;;..; ...88888888I8888888888, II888888888888PZ;;';;. ;. .;. .;. .. Y8888888I88888888888b, ,II888888888PZ;;' `8888888I8888888888888b, II888888888' 888888I8888888888888888 ,II888888888 ,888888I8888888888888888 ,d88888888888 d888888I8888888888ZZZZZZ ,ad888888888888I 8888888I8888ZZZZZZZZZZZZ 888888888888888' 888888IZZZZZZZZZZZZZZZZZ 8888888888P'8P' Y888ZZZZZZZZZZZZZZZZZZZZ 888888888, " ,ZZZZZZZZZZZZZZZZZZZZZZZ 8888888888, ,ZZZZZZZZZZZZZZZZZZZZZZZZZZ 888888888888a, _ ,ZZZZZZZZZZZZZZZZZZZZ88888888 888888888888888ba,_d' ,ZZZZZZZZZZZZZZZZZ8888888888888 8888888888888888888888bbbaaa,,,______,ZZZZZZZZZZZZZZZ88888888888888888 88888888888888888888888888888888888ZZZZZZZZZZZZZZZ88888888888888888888 8888888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888 888888888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888888888 8888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888 88888888888888888888888888888ZZZZZZZZZZZZZZ888888888888888888888888888 8888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888 Normand 8 88888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888 Veilleux 8 8888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888888888
11 years ago
},
Added copy button to all editor's
4 years ago
];
const enableTextarea = function() {
const $textarea = this.$(textareaSelector);
autosize($textarea);
$textarea.escapeableTextComplete(mentions);
SECURITY VULNERABILITY FIX: Fix XSS bug reported today 4 hours ago by Cyb3rjunky. Logged in users could run javascript in input fields. This affects Wekan versions v3.12-v3.84. In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release) there was [changes for XSS filter to allow inserting images, videos etc on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593) so features related to that are now removed. After this fix, Javascript in input fields is not executed. Thanks to Cyb3rjunky and xet7 !
6 years ago
};
Added copy button to all editor's
4 years ago
if (Meteor.settings.public.RICHER_CARD_COMMENT_EDITOR !== false) {
const isSmall = Utils.isMiniScreen();
const toolbar = isSmall
? [
['view', ['fullscreen']],
['table', ['table']],
['font', ['bold', 'underline']],
//['fontsize', ['fontsize']],
['color', ['color']],
]
: [
['style', ['style']],
['font', ['bold', 'underline', 'clear']],
['fontsize', ['fontsize']],
['fontname', ['fontname']],
['color', ['color']],
['para', ['ul', 'ol', 'paragraph']],
['table', ['table']],
//['insert', ['link', 'picture', 'video']], // iframe tag will be sanitized TODO if iframe[class=note-video-clip] can be added into safe list, insert video can be enabled
['insert', ['link']], //, 'picture']], // modal popup has issue somehow :(
['view', ['fullscreen', 'codeview', 'help']],
];
const cleanPastedHTML = function(input) {
const badTags = [
'style',
'script',
'applet',
'embed',
'noframes',
'noscript',
'meta',
'link',
'button',
'form',
].join('|');
const badPatterns = new RegExp(
`(?:${[
`<(${badTags})s*[^>][\\s\\S]*?<\\/\\1>`,
`<(${badTags})[^>]*?\\/>`,
].join('|')})`,
'gi',
);
let output = input;
// remove bad Tags
output = output.replace(badPatterns, '');
// remove attributes ' style="..."'
const badAttributes = new RegExp(
`(?:${[
'on\\S+=([\'"]?).*?\\1',
'href=([\'"]?)javascript:.*?\\2',
'style=([\'"]?).*?\\3',
'target=\\S+',
].join('|')})`,
'gi',
);
output = output.replace(badAttributes, '');
output = output.replace(/(<a )/gi, '$1target=_ '); // always to new target
return output;
Add Feature: Comments can be richer (can support some safe HTML tags)
6 years ago
};
Added copy button to all editor's
4 years ago
const editor = '.editor';
const selectors = [
`.js-new-description-form ${editor}`,
`.js-new-comment-form ${editor}`,
`.js-edit-comment ${editor}`,
].join(','); // only new comment and edit comment
const inputs = $(selectors);
if (inputs.length === 0) {
// only enable richereditor to new comment or edit comment no others
enableTextarea();
} else {
const placeholder = inputs.attr('placeholder') || '';
const mSummernotes = [];
const getSummernote = function(input) {
const idx = inputs.index(input);
if (idx > -1) {
return mSummernotes[idx];
}
return undefined;
};
inputs.each(function(idx, input) {
mSummernotes[idx] = $(input).summernote({
placeholder,
callbacks: {
onInit(object) {
const originalInput = this;
$(originalInput).on('submitted', function() {
// when comment is submitted, the original textarea will be set to '', so shall we
if (!this.value) {
const sn = getSummernote(this);
sn && sn.summernote('code', '');
}
Add Feature: Comments can be richer (can support some safe HTML tags)
6 years ago
});
Added copy button to all editor's
4 years ago
const jEditor = object && object.editable;
const toolbar = object && object.toolbar;
if (jEditor !== undefined) {
jEditor.escapeableTextComplete(mentions);
}
if (toolbar !== undefined) {
const fBtn = toolbar.find('.btn-fullscreen');
fBtn.on('click', function() {
const $this = $(this),
isActive = $this.hasClass('active');
$('.minicards,#header-quick-access').toggle(!isActive); // mini card is still showing when editor is in fullscreen mode, we hide here manually
});
}
},
onImageUpload(files) {
const $summernote = getSummernote(this);
if (files && files.length > 0) {
const image = files[0];
const currentCard = Utils.getCurrentCard();
const MAX_IMAGE_PIXEL = Utils.MAX_IMAGE_PIXEL;
const COMPRESS_RATIO = Utils.IMAGE_COMPRESS_RATIO;
Ref: Attachment upload handlers
5 years ago
const processUpload = function(file) {
const uploader = Attachments.insert(
{
file,
Ref: original & and use fileObj.meta fileObj.meta is part of the ostrio:files API and be passed to the constructor. This is less hacky than trying tu update a persistet object after the fact.
5 years ago
meta: Utils.getCommonAttachmentMetaFrom(card),
Ref: Attachment upload handlers
5 years ago
chunkSize: 'dynamic',
Added copy button to all editor's
4 years ago
},
Ref: Attachment upload handlers
5 years ago
false,
Added copy button to all editor's
4 years ago
);
Ref: original & and use fileObj.meta fileObj.meta is part of the ostrio:files API and be passed to the constructor. This is less hacky than trying tu update a persistet object after the fact.
5 years ago
uploader.on('uploaded', (error, fileRef) => {
Ref: Attachment upload handlers
5 years ago
if (!error) {
Ref: original & and use fileObj.meta fileObj.meta is part of the ostrio:files API and be passed to the constructor. This is less hacky than trying tu update a persistet object after the fact.
5 years ago
if (fileRef.isImage) {
const img = document.createElement('img');
img.src = fileRef.link();
img.setAttribute('width', '100%');
$summernote.summernote('insertNode', img);
Ref: Attachment upload handlers
5 years ago
}
}
});
uploader.start();
Added copy button to all editor's
4 years ago
};
if (MAX_IMAGE_PIXEL) {
const reader = new FileReader();
reader.onload = function(e) {
const dataurl = e && e.target && e.target.result;
if (dataurl !== undefined) {
// need to shrink image
Utils.shrinkImage({
dataurl,
maxSize: MAX_IMAGE_PIXEL,
ratio: COMPRESS_RATIO,
toBlob: true,
callback(blob) {
if (blob !== false) {
blob.name = image.name;
Ref: Attachment upload handlers
5 years ago
processUpload(blob);
Move In Progress ostrio-files changes to separate branch, and revert ostrio-files changes, so that: - Export to CSV/TSV with custom fields works - Attachments are not exported to disk - It is possible to build arm64/s390x versions again. Thanks to xet7 ! Related #3110
6 years ago
}
Added copy button to all editor's
4 years ago
},
Move In Progress ostrio-files changes to separate branch, and revert ostrio-files changes, so that: - Export to CSV/TSV with custom fields works - Attachments are not exported to disk - It is possible to build arm64/s390x versions again. Thanks to xet7 ! Related #3110
6 years ago
});
Add Feature: Richer Editor insert picture as attachment instead of b64 string
6 years ago
}
Added copy button to all editor's
4 years ago
};
reader.readAsDataURL(image);
} else {
Ref: Attachment upload handlers
5 years ago
processUpload(image);
Added copy button to all editor's
4 years ago
}
Add Feature: Richer Editor insert picture as attachment instead of b64 string
6 years ago
}
Added copy button to all editor's
4 years ago
},
onPaste(e) {
var clipboardData = e.clipboardData;
var pastedData = clipboardData.getData('Text');
Images are uploaded twice - make sure only pastes which contain text are processed - remove execCommand() as it results in errors - enable drag & drop - fix resize buttons to be the proper summernote commands - remove un-needed comma
5 years ago
Added copy button to all editor's
4 years ago
//if pasted data is an image, exit
if (!pastedData.length) {
e.preventDefault();
return;
}
Images are uploaded twice - make sure only pastes which contain text are processed - remove execCommand() as it results in errors - enable drag & drop - fix resize buttons to be the proper summernote commands - remove un-needed comma
5 years ago
Added copy button to all editor's
4 years ago
// clear up unwanted tag info when user pasted in text
const thisNote = this;
const updatePastedText = function(object) {
const someNote = getSummernote(object);
// Fix Pasting text into a card is adding a line before and after
// (and multiplies by pasting more) by changing paste "p" to "br".
// Fixes https://github.com/wekan/wekan/2890 .
// == Fix Start ==
someNote.execCommand('defaultParagraphSeparator', false, 'br');
// == Fix End ==
const original = someNote.summernote('code');
const cleaned = cleanPastedHTML(original); //this is where to call whatever clean function you want. I have mine in a different file, called CleanPastedHTML.
someNote.summernote('code', ''); //clear original
someNote.summernote('pasteHTML', cleaned); //this sets the displayed content editor to the cleaned pasted code.
};
setTimeout(function() {
//this kinda sucks, but if you don't do a setTimeout,
//the function is called before the text is really pasted.
updatePastedText(thisNote);
}, 10);
},
},
dialogsInBody: true,
spellCheck: true,
disableGrammar: false,
disableDragAndDrop: false,
toolbar,
popover: {
image: [
['imagesize', ['imageSize100', 'imageSize50', 'imageSize25']],
['float', ['floatLeft', 'floatRight', 'floatNone']],
['remove', ['removeMedia']],
],
link: [['link', ['linkDialogShow', 'unlink']]],
table: [
['add', ['addRowDown', 'addRowUp', 'addColLeft', 'addColRight']],
['delete', ['deleteRow', 'deleteCol', 'deleteTable']],
],
air: [
['color', ['color']],
['font', ['bold', 'underline', 'clear']],
],
Fixed Non-ASCII attachment filename will crash when downloading. Thanks to xet7 ! Fixes #2759
5 years ago
},
Added copy button to all editor's
4 years ago
height: 200,
});
Add Feature: Comments can be richer (can support some safe HTML tags)
6 years ago
});
Added copy button to all editor's
4 years ago
}
} else {
enableTextarea();
Add Feature: Comments can be richer (can support some safe HTML tags)
6 years ago
}
Added copy button to all editor's
4 years ago
},
events() {
return [
{
Changed copy icon to a "href" link - mouse hover changes the icon
4 years ago
'click a.fa.fa-copy'(event) {
Added copy button to all editor's
4 years ago
const $editor = this.$('textarea.editor');
const promise = Utils.copyTextToClipboard($editor[0].value);
Moved "copied!" code to Utils - same implementation in all files, so it's better to have one function for it
4 years ago
const $tooltip = this.$('.copied-tooltip');
Utils.showCopied(promise, $tooltip);
Added copy button to all editor's
4 years ago
},
}
]
Add Feature: Comments can be richer (can support some safe HTML tags)
6 years ago
}
Added copy button to all editor's
4 years ago
}).register('editor');
Implement a new system to handle "escape actions" The new EscapeActions object decide what to do when the user press the Escape key (such as closing a opened popup or inlined form). This commit also re-introduced the sidebar current view as a sidebar component local state.
11 years ago
Try to fix some security issues. Part 2. Thanks to responsible security disclosure contributors and xet7 !
3 years ago
import DOMPurify from 'dompurify';
SECURITY VULNERABILITY FIX: Fix XSS bug reported today 4 hours ago by Cyb3rjunky. Logged in users could run javascript in input fields. This affects Wekan versions v3.12-v3.84. In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release) there was [changes for XSS filter to allow inserting images, videos etc on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593) so features related to that are now removed. After this fix, Javascript in input fields is not executed. Thanks to Cyb3rjunky and xet7 !
6 years ago
Alter call to sanitizeXss Addressing feature: Custom URL Schemes autolinked #3218 Create a custom SafeAttrValue function which can allow non-standard protocols such as thunderlink: cbthunderlink: and aodroplink: to operate correctly without getting the value stripped away. Any other protocols and code remain to be processed by the default safeAttrValue routine.
5 years ago
// Additional safeAttrValue function to allow for other specific protocols
// See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
Added markdown-it-mermaid for some charts support in all input fields. Replaced xss with dompurify. Thanks to xuguotong and xet7 ! Fixes #3794
5 years ago
/*
Alter call to sanitizeXss Addressing feature: Custom URL Schemes autolinked #3218 Create a custom SafeAttrValue function which can allow non-standard protocols such as thunderlink: cbthunderlink: and aodroplink: to operate correctly without getting the value stripped away. Any other protocols and code remain to be processed by the default safeAttrValue routine.
5 years ago
function mySafeAttrValue(tag, name, value, cssFilter) {
// only when the tag is 'a' and attribute is 'href'
// then use your custom function
if (tag === 'a' && name === 'href') {
// only filter the value if starts with 'cbthunderlink:' or 'aodroplink'
Fix lint.
5 years ago
if (
/^thunderlink:/gi.test(value) ||
/^cbthunderlink:/gi.test(value) ||
Try to allow links to onenote, mailspring and file. Thanks to lime918, rgalonso, ocdtrekkie, gkarachuk and xet7 ! Fixes #1615
5 years ago
/^aodroplink:/gi.test(value) ||
/^onenote:/gi.test(value) ||
/^file:/gi.test(value) ||
Update editor.js add custom URL schemes for SolidWorks PDM (conisio:) and abas ERP (abasurl:)
5 years ago
/^abasurl:/gi.test(value) ||
/^conisio:/gi.test(value) ||
Try to allow links to onenote, mailspring and file. Thanks to lime918, rgalonso, ocdtrekkie, gkarachuk and xet7 ! Fixes #1615
5 years ago
/^mailspring:/gi.test(value)
Fix lint.
5 years ago
) {
Alter call to sanitizeXss Addressing feature: Custom URL Schemes autolinked #3218 Create a custom SafeAttrValue function which can allow non-standard protocols such as thunderlink: cbthunderlink: and aodroplink: to operate correctly without getting the value stripped away. Any other protocols and code remain to be processed by the default safeAttrValue routine.
5 years ago
return value;
Fix lint.
5 years ago
} else {
Replace tabs with spaces
5 years ago
// use the default safeAttrValue function to process all non cbthunderlinks
return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
}
Alter call to sanitizeXss Addressing feature: Custom URL Schemes autolinked #3218 Create a custom SafeAttrValue function which can allow non-standard protocols such as thunderlink: cbthunderlink: and aodroplink: to operate correctly without getting the value stripped away. Any other protocols and code remain to be processed by the default safeAttrValue routine.
5 years ago
} else {
// use the default safeAttrValue function to process it
return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
}
Fix lint.
5 years ago
}
Added markdown-it-mermaid for some charts support in all input fields. Replaced xss with dompurify. Thanks to xuguotong and xet7 ! Fixes #3794
5 years ago
*/
Alter call to sanitizeXss Addressing feature: Custom URL Schemes autolinked #3218 Create a custom SafeAttrValue function which can allow non-standard protocols such as thunderlink: cbthunderlink: and aodroplink: to operate correctly without getting the value stripped away. Any other protocols and code remain to be processed by the default safeAttrValue routine.
5 years ago
Fix some dead links This commit fixes the download link in the activity feed on the sidebar and the mention link on card description and comments (replaced by a popup). `eslint .` now passes without any error or warning. Fixes #286
10 years ago
// XXX I believe we should compute a HTML rendered field on the server that
Remove Emoji support, so MAC addresses etc show correctly. Thanks to xet7 ! Closes #1248, closes #323
8 years ago
// would handle markdown and user mentions. We can simply have two
Fix some dead links This commit fixes the download link in the activity feed on the sidebar and the mention link on card description and comments (replaced by a popup). `eslint .` now passes without any error or warning. Fixes #286
10 years ago
// fields, one source, and one compiled version (in HTML) and send only the
// compiled version to most users -- who don't need to edit.
// In the meantime, all the transformation are done on the client using the
// Blaze API.
Prettier & eslint project style update
7 years ago
const at = HTML.CharRef({ html: '&commat;', str: '@' });
Blaze.Template.registerHelper(
'mentions',
new Template('mentions', function() {
const view = this;
let content = Blaze.toHTML(view.templateContentBlock);
Move every Boards.findOne(Session.get('currentBoard')) to the ReactiveCache
3 years ago
const currentBoard = Utils.getCurrentBoard();
Fix lint.
5 years ago
if (!currentBoard)
Added markdown-it-mermaid for some charts support in all input fields. Replaced xss with dompurify. Thanks to xuguotong and xet7 ! Fixes #3794
5 years ago
return HTML.Raw(
DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true }),
);
adds handles to notifiy board or card members
4 years ago
const knowedUsers = _.union(currentBoard.members.map(member => {
Move every Users.findOne() to the ReactiveCache
3 years ago
const u = ReactiveCache.getUser(member.userId);
Prettier & eslint project style update
7 years ago
if (u) {
member.username = u.username;
}
return member;
adds handles to notifiy board or card members
4 years ago
}), [...specialHandles]);
User mentions now return @username (full name)
4 years ago
const mentionRegex = /\B@([\w.-]*)/gi;
Fix some dead links This commit fixes the download link in the activity feed on the sidebar and the mention link on card description and comments (replaced by a popup). `eslint .` now passes without any error or warning. Fixes #286
10 years ago
Prettier & eslint project style update
7 years ago
let currentMention;
while ((currentMention = mentionRegex.exec(content)) !== null) {
Buxfixed: if username contains space, it will cause @ commment failed to send out email and other
6 years ago
const [fullMention, quoteduser, simple] = currentMention;
const username = quoteduser || simple;
Prettier & eslint project style update
7 years ago
const knowedUser = _.findWhere(knowedUsers, { username });
if (!knowedUser) {
continue;
}
Fix some dead links This commit fixes the download link in the activity feed on the sidebar and the mention link on card description and comments (replaced by a popup). `eslint .` now passes without any error or warning. Fixes #286
10 years ago
Prettier & eslint project style update
7 years ago
const linkValue = [' ', at, knowedUser.username];
let linkClass = 'atMention js-open-member';
if (knowedUser.userId === Meteor.userId()) {
linkClass += ' me';
}
1) Fix Pasting text into a card is adding a line before and after (and multiplies by pasting more) by changing paste "p" to "br". 2) Fixes to summernote and markdown comment editors, related to keeping them open when adding comments, having @member mention not close card, and disabling clicking of @member mention. Thanks to xet7 ! Closes #2890
6 years ago
// This @user mention link generation did open same Wekan
// window in new tab, so now A is changed to U so it's
// underlined and there is no link popup. This way also
// text can be selected more easily.
//const link = HTML.A(
const link = HTML.U(
Prettier & eslint project style update
7 years ago
{
class: linkClass,
// XXX Hack. Since we stringify this render function result below with
// `Blaze.toHTML` we can't rely on blaze data contexts to pass the
// `userId` to the popup as usual, and we need to store it in the DOM
// using a data attribute.
'data-userId': knowedUser.userId,
},
linkValue,
);
Fix some dead links This commit fixes the download link in the activity feed on the sidebar and the mention link on card description and comments (replaced by a popup). `eslint .` now passes without any error or warning. Fixes #286
10 years ago
Prettier & eslint project style update
7 years ago
content = content.replace(fullMention, Blaze.toHTML(link));
}
SECURITY VULNERABILITY FIX: Fix XSS bug reported today 4 hours ago by Cyb3rjunky. Logged in users could run javascript in input fields. This affects Wekan versions v3.12-v3.84. In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release) there was [changes for XSS filter to allow inserting images, videos etc on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593) so features related to that are now removed. After this fix, Javascript in input fields is not executed. Thanks to Cyb3rjunky and xet7 !
6 years ago
Added markdown-it-mermaid for some charts support in all input fields. Replaced xss with dompurify. Thanks to xuguotong and xet7 ! Fixes #3794
5 years ago
return HTML.Raw(
DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true }),
);
Prettier & eslint project style update
7 years ago
}),
);
SECURITY VULNERABILITY FIX: Fix XSS bug reported today 4 hours ago by Cyb3rjunky. Logged in users could run javascript in input fields. This affects Wekan versions v3.12-v3.84. In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release) there was [changes for XSS filter to allow inserting images, videos etc on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593) so features related to that are now removed. After this fix, Javascript in input fields is not executed. Thanks to Cyb3rjunky and xet7 !
6 years ago
Avoid side effects while clicking on a link in a card description Fixes #261
10 years ago
Template.viewer.events({
// Viewer sometimes have click-able wrapper around them (for instance to edit
// the corresponding text). Clicking a link shouldn't fire these actions, stop
// we stop these event at the viewer component level.
Prettier & eslint project style update
7 years ago
'click a'(event, templateInstance) {
Card vote options in new fork
6 years ago
const prevent = true;
Prettier & eslint project style update
7 years ago
const userId = event.currentTarget.dataset.userid;
UI: Fix overlapping click event handler (#614) The click event handler for links in the card display are overlapping: The general event for opening the link in a new window matches on user mentions, too. But user mentions cannot be opened in a new window.
10 years ago
if (userId) {
Prettier & eslint project style update
7 years ago
Popup.open('member').call({ userId }, event, templateInstance);
} else {
const href = event.currentTarget.href;
SECURITY VULNERABILITY FIX: Fix XSS bug reported today 4 hours ago by Cyb3rjunky. Logged in users could run javascript in input fields. This affects Wekan versions v3.12-v3.84. In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release) there was [changes for XSS filter to allow inserting images, videos etc on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593) so features related to that are now removed. After this fix, Javascript in input fields is not executed. Thanks to Cyb3rjunky and xet7 !
6 years ago
if (href) {
Revert Fix Open card links in current tab. So now links open in new tab. Thanks to dvsk, mfilser and xet7 ! Fixes https://github.com/wekan/wekan/discussions/3534
3 years ago
// Open links in current browser tab, changed from _blank to _self, and back to _blank:
Fix Open card links in current tab. Not in new tab anymore. Thanks to bronger, ManZosh and xet7 ! Fixes https://github.com/wekan/wekan/discussions/3534
3 years ago
// https://github.com/wekan/wekan/discussions/3534
Revert Fix Open card links in current tab. So now links open in new tab. Thanks to dvsk, mfilser and xet7 ! Fixes https://github.com/wekan/wekan/discussions/3534
3 years ago
//window.open(href, '_self');
window.open(href, '_blank');
UI: Fix overlapping click event handler (#614) The click event handler for links in the card display are overlapping: The general event for opening the link in a new window matches on user mentions, too. But user mentions cannot be opened in a new window.
10 years ago
}
Fix some dead links This commit fixes the download link in the activity feed on the sidebar and the mention link on card description and comments (replaced by a popup). `eslint .` now passes without any error or warning. Fixes #286
10 years ago
}
Bug fix: bug#2589 #2575, Add Features: allowing user to insert/paste link, image, video
6 years ago
if (prevent) {
event.stopPropagation();
// XXX We hijack the build-in browser action because we currently don't have
// `_blank` attributes in viewer links, and the transformer function is
// handled by a third party package that we can't configure easily. Fix that
// by using directly `_blank` attribute in the rendered HTML.
event.preventDefault();
}
Enforce a consistent ES6 coding style Replace the old (and broken) jshint + jscsrc by eslint and configure it to support some of the ES6 features. The command `eslint` currently has one error which is a bug that was discovered by its static analysis and should be fixed (usage of a dead object).
10 years ago
},
Avoid side effects while clicking on a link in a card description Fixes #261
10 years ago
});