Merge remote-tracking branch 'upstream/main'
This commit is contained in:
commit
6b26aaa1ef
|
@ -337,11 +337,10 @@ package-app:
|
||||||
[
|
[
|
||||||
"debian-bookworm",
|
"debian-bookworm",
|
||||||
"debian-bullseye",
|
"debian-bullseye",
|
||||||
|
"debian-buster",
|
||||||
"ubuntu-jammy",
|
"ubuntu-jammy",
|
||||||
"ubuntu-focal",
|
"ubuntu-focal",
|
||||||
"ubuntu-bionic",
|
"ubuntu-bionic",
|
||||||
"alpine-3.17.5",
|
|
||||||
"alpine-3.18.4",
|
|
||||||
"fedora-38",
|
"fedora-38",
|
||||||
"fedora-39",
|
"fedora-39",
|
||||||
]
|
]
|
||||||
|
|
63
CHANGELOG.md
63
CHANGELOG.md
|
@ -5,6 +5,69 @@ All notable changes to this project will be documented in this file.
|
||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
|
## 4.0.2 (2023-12-07)
|
||||||
|
|
||||||
|
### Security issues
|
||||||
|
|
||||||
|
This release fixes different security issues reported by the potsda.mn collective. Please make sure to upgrade as soon as possible.
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Fixes XSS issues in notifier and participant and event contacts list formatting
|
||||||
|
|
||||||
|
|
||||||
|
* fix(front-end): add more security fixes for formatted lists and notifier ([1af8e37](https://framagit.org/framasoft/mobilizon/commits/1af8e37))
|
||||||
|
|
||||||
|
|
||||||
|
## 4.0.1 (2023-12-07)
|
||||||
|
|
||||||
|
### Security issues
|
||||||
|
|
||||||
|
This release fixes different security issues reported by the potsda.mn collective. Please make sure to upgrade as soon as possible.
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Added a CLI task to test if emails configuration works properly
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
- Fixes XSS issues in groups descriptions, report contents, messages from anonymous participations and resources descriptions
|
||||||
|
- Fixes Docker configuration that prevented the image to launch
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Added back Debian Buster builds
|
||||||
|
|
||||||
|
### Complete changelog
|
||||||
|
|
||||||
|
* build(packages): add back Debian Buster as it seems people are still using it ([795ef24](https://framagit.org/framasoft/mobilizon/commits/795ef24))
|
||||||
|
* build(packages): remove alpine packages as there's no demand for it ([0caaf2b](https://framagit.org/framasoft/mobilizon/commits/0caaf2b))
|
||||||
|
* Translated using Weblate (Croatian) ([9c88fae](https://framagit.org/framasoft/mobilizon/commits/9c88fae))
|
||||||
|
* Translated using Weblate (Croatian) ([623f4ee](https://framagit.org/framasoft/mobilizon/commits/623f4ee))
|
||||||
|
* Translated using Weblate (Croatian) ([1162dd0](https://framagit.org/framasoft/mobilizon/commits/1162dd0))
|
||||||
|
* Translated using Weblate (Galician) ([97c53bb](https://framagit.org/framasoft/mobilizon/commits/97c53bb))
|
||||||
|
* Translated using Weblate (Galician) ([e08b057](https://framagit.org/framasoft/mobilizon/commits/e08b057))
|
||||||
|
* Translated using Weblate (Galician) ([ec5e436](https://framagit.org/framasoft/mobilizon/commits/ec5e436))
|
||||||
|
* Translated using Weblate (Korean) ([1a1ad52](https://framagit.org/framasoft/mobilizon/commits/1a1ad52))
|
||||||
|
* Translated using Weblate (Korean) ([7b4c31d](https://framagit.org/framasoft/mobilizon/commits/7b4c31d))
|
||||||
|
* fix: always consider report content as text ([ffff379](https://framagit.org/framasoft/mobilizon/commits/ffff379))
|
||||||
|
* fix: sanitize descriptions from resources ([dc6647f](https://framagit.org/framasoft/mobilizon/commits/dc6647f))
|
||||||
|
* fix(config): fix setting path for Mobilizon.Service.SiteMap ([7d725bd](https://framagit.org/framasoft/mobilizon/commits/7d725bd))
|
||||||
|
* fix(docker): fix getting configuration value from env MOBILIZON_SMTP_TLS ([28063bd](https://framagit.org/framasoft/mobilizon/commits/28063bd)), closes [#1381](https://framagit.org/framasoft/mobilizon/issues/1381)
|
||||||
|
* fix(docker): fix getting default value for MOBILIZON_SMTP_SSL env ([126727b](https://framagit.org/framasoft/mobilizon/commits/126727b))
|
||||||
|
* fix(docker): use separate env for tzdata dir path ([9907f88](https://framagit.org/framasoft/mobilizon/commits/9907f88))
|
||||||
|
* fix(emails): use tls_certificate_check to add tls config for mailer ([db38550](https://framagit.org/framasoft/mobilizon/commits/db38550))
|
||||||
|
* fix(front): anonymous participant text is plain text, avoid using v-html ([2c12fbf](https://framagit.org/framasoft/mobilizon/commits/2c12fbf))
|
||||||
|
* fix(front): fix editing group ([935799f](https://framagit.org/framasoft/mobilizon/commits/935799f))
|
||||||
|
* fix(front): fix XSS because of bad operations when setting the group's summary ([ded59be](https://framagit.org/framasoft/mobilizon/commits/ded59be))
|
||||||
|
* fix(front): put correct value for CONVERSATION_LIST enum value ([94bf2e5](https://framagit.org/framasoft/mobilizon/commits/94bf2e5))
|
||||||
|
* fix(graphql): set default value for resource type parameter ([09f4132](https://framagit.org/framasoft/mobilizon/commits/09f4132))
|
||||||
|
* feat(cli): add command to test emails send correctly ([7210f86](https://framagit.org/framasoft/mobilizon/commits/7210f86))
|
||||||
|
* feat(docker): allow to configure loglevel at runtime through env variable ([4855af8](https://framagit.org/framasoft/mobilizon/commits/4855af8))
|
||||||
|
* test: add new tests for XSS in actors summary ([58e50e3](https://framagit.org/framasoft/mobilizon/commits/58e50e3))
|
||||||
|
* style: linting front-end ([41227d9](https://framagit.org/framasoft/mobilizon/commits/41227d9))
|
||||||
|
* refactor(activitypub): handle failure finding public key in actor keys ([5b337f9](https://framagit.org/framasoft/mobilizon/commits/5b337f9))
|
||||||
|
|
||||||
|
|
||||||
## 4.0.0 (2023-12-05)
|
## 4.0.0 (2023-12-05)
|
||||||
|
|
||||||
### Breaking changes
|
### Breaking changes
|
||||||
|
|
2
mix.exs
2
mix.exs
|
@ -1,7 +1,7 @@
|
||||||
defmodule Mobilizon.Mixfile do
|
defmodule Mobilizon.Mixfile do
|
||||||
use Mix.Project
|
use Mix.Project
|
||||||
|
|
||||||
@version "4.0.0"
|
@version "4.0.2"
|
||||||
|
|
||||||
def project do
|
def project do
|
||||||
[
|
[
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "mobilizon",
|
"name": "mobilizon",
|
||||||
"version": "4.0.0",
|
"version": "4.0.2",
|
||||||
"private": true,
|
"private": true,
|
||||||
"scripts": {
|
"scripts": {
|
||||||
"dev": "vite",
|
"dev": "vite",
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
<span dir="ltr">@{{ usernameWithDomain(actor) }}</span>
|
<span dir="ltr">@{{ usernameWithDomain(actor) }}</span>
|
||||||
</p>
|
</p>
|
||||||
<div
|
<div
|
||||||
v-if="full"
|
v-if="full && actor.type === ActorType.GROUP"
|
||||||
class="only-first-child"
|
class="only-first-child"
|
||||||
:class="{
|
:class="{
|
||||||
'line-clamp-3': limit,
|
'line-clamp-3': limit,
|
||||||
|
@ -38,6 +38,15 @@
|
||||||
}"
|
}"
|
||||||
v-html="actor.summary"
|
v-html="actor.summary"
|
||||||
/>
|
/>
|
||||||
|
<div
|
||||||
|
v-if="full && actor.type === ActorType.PERSON"
|
||||||
|
class="only-first-child"
|
||||||
|
:class="{
|
||||||
|
'line-clamp-3': limit,
|
||||||
|
'line-clamp-10': !limit,
|
||||||
|
}"
|
||||||
|
v-text="actor.summary"
|
||||||
|
/>
|
||||||
</div>
|
</div>
|
||||||
<div class="flex pr-2" v-if="actor.type === ActorType.PERSON">
|
<div class="flex pr-2" v-if="actor.type === ActorType.PERSON">
|
||||||
<router-link
|
<router-link
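Review bot: The GROUP branch keeps `v-html="actor.summary"`, so group summaries are still rendered as raw markup and the component's safety rests entirely on the summary having been sanitized before it reaches the client; that assumption is not visible in this section and deserves a comment next to the directive, e.g. `<!-- group summaries are rich text and must be sanitized server-side before being bound here -->`. The new PERSON block duplicates the `class` and `:class` clamp bindings of the GROUP block with only the directive differing, which invites the two drifting apart; a short comment stating that the split exists only to force `v-text` for persons would help the next maintainer. With the condition narrowed to GROUP or PERSON, an actor of any other type now shows no summary at all; if ActorType has further values that is presumably intended, but worth confirming.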
|
||||||
|
|
|
@ -96,6 +96,7 @@ import { useI18n } from "vue-i18n";
|
||||||
import { formatList } from "@/utils/i18n";
|
import { formatList } from "@/utils/i18n";
|
||||||
import { displayName } from "@/types/actor";
|
import { displayName } from "@/types/actor";
|
||||||
import { useCurrentActorClient } from "@/composition/apollo/actor";
|
import { useCurrentActorClient } from "@/composition/apollo/actor";
|
||||||
|
import { escapeHtml } from "@/utils/html";
|
||||||
|
|
||||||
const props = defineProps<{
|
const props = defineProps<{
|
||||||
conversation: IConversation;
|
conversation: IConversation;
|
||||||
|
@ -137,7 +138,7 @@ const actualDate = computed((): string => {
|
||||||
const formattedListOfParticipants = computed(() => {
|
const formattedListOfParticipants = computed(() => {
|
||||||
return formatList(
|
return formatList(
|
||||||
otherParticipants.value.map(
|
otherParticipants.value.map(
|
||||||
(participant) => `<b>${displayName(participant)}</b>`
|
(participant) => `<b>${escapeHtml(displayName(participant))}</b>`
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
});
|
});
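Review bot: formattedListOfParticipants builds an HTML string (the `<b>` wrapper), so escapeHtml is what keeps a participant's display name from being interpreted as markup, and the computed value must only ever be bound with v-html; whether that is the case is outside this hunk. A comment on the computed would make this contract explicit: `// HTML string: names are escaped here because the result is rendered with v-html`. Note also that escapeHtml trims its input, so a display name with leading or trailing whitespace is rendered slightly differently than before. The same pattern applies to the event view hunk further down (`escapeHtml(displayNameAndUsername(contact))`), where the enclosing expression starts and ends outside the hunk.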
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
import { escapeHtml } from "@/utils/html";
|
||||||
import { App } from "vue";
|
import { App } from "vue";
|
||||||
|
|
||||||
export class Notifier {
|
export class Notifier {
|
||||||
|
@ -21,7 +22,7 @@ export class Notifier {
|
||||||
|
|
||||||
private notification(message: string, type: string) {
|
private notification(message: string, type: string) {
|
||||||
this.app.config.globalProperties.$oruga.notification.open({
|
this.app.config.globalProperties.$oruga.notification.open({
|
||||||
message,
|
message: escapeHtml(message),
|
||||||
duration: 5000,
|
duration: 5000,
|
||||||
position: "bottom-right",
|
position: "bottom-right",
|
||||||
type,
|
type,
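Review bot: notification() now escapes every message unconditionally, so any caller that deliberately passed markup in a notification (a `<b>` or a link) will see the tags rendered literally; the callers are outside this hunk and worth a quick audit. A one-line comment on the method would record the new contract: `// message is treated as plain text: it is HTML-escaped before Oruga renders it`. escapeHtml also trims, so leading or trailing whitespace in a message is dropped, which is harmless here but not obvious from the call site.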
|
||||||
|
|
|
@ -5,3 +5,13 @@ export const getValueFromMeta = (name: string): string | null => {
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
export function escapeHtml(html: string) {
|
||||||
|
const p = document.createElement("p");
|
||||||
|
p.appendChild(document.createTextNode(html.trim()));
|
||||||
|
|
||||||
|
const escapedContent = p.innerHTML;
|
||||||
|
p.remove();
|
||||||
|
|
||||||
|
return escapedContent;
|
||||||
|
}
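Review bot: escapeHtml is safe for element content only: serializing a text node through innerHTML escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so the result must never be placed inside an attribute value, and that limit should be stated in a doc comment on the function. It also trims the input and depends on `document`, both surprising for a helper named as a pure escape; either drop `.trim()` or say so in the comment, and note that `p.remove()` is a no-op because the element is never attached to the document. The signature has no return type; `export function escapeHtml(html: string): string {` makes the contract explicit.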
|
||||||
|
|
|
@ -180,7 +180,7 @@
|
||||||
{
|
{
|
||||||
contact: formatList(
|
contact: formatList(
|
||||||
event.contacts.map((contact) =>
|
event.contacts.map((contact) =>
|
||||||
displayNameAndUsername(contact)
|
escapeHtml(displayNameAndUsername(contact))
|
||||||
)
|
)
|
||||||
),
|
),
|
||||||
},
|
},
|
||||||
|
@ -628,6 +628,7 @@ import { useHead } from "@unhead/vue";
|
||||||
import { useProgrammatic } from "@oruga-ui/oruga-next";
|
import { useProgrammatic } from "@oruga-ui/oruga-next";
|
||||||
import type { Locale } from "date-fns";
|
import type { Locale } from "date-fns";
|
||||||
import sortBy from "lodash/sortBy";
|
import sortBy from "lodash/sortBy";
|
||||||
|
import { escapeHtml } from "@/utils/html";
|
||||||
|
|
||||||
const DEFAULT_LIMIT_NUMBER_OF_PLACES = 10;
|
const DEFAULT_LIMIT_NUMBER_OF_PLACES = 10;
|
||||||
|
|
||||||
|
|