Commit 35b0fbe9 authored by Gregor Thiem
Update to 1.8.2

parent bb0ff1f4
......@@ -6,6 +6,16 @@ cat << EOF > config.json
{
"production": {
"db": {
"dialect": "postgres",
"protocol": "postgres",
"dialectOptions": {
"ssl": {
"require": true,
"rejectUnauthorized": false
}
}
}
}
}
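Review bot: `"rejectUnauthorized": false` in the generated example `config.json` turns off server certificate verification, so `"require": true` only guarantees an encrypted channel to whoever answers on the database port, not an authenticated one. Because `bin/setup` writes this file as the starting configuration most operators will keep, either default to `"rejectUnauthorized": true` and document the `ca` option for self-signed database certificates, or add a comment inside the heredoc explaining why it is set to `false` and that it must be changed for anything beyond a local test.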
......
......@@ -50,7 +50,7 @@ echo "Installing packages..."
yarn install --production=true --pure-lockfile
cat << EOF
If you want to build the frontend yourself, you need to run 'yarn install' before 'yarn build' to install the devDependencies for the build process.
Edit the following config file to setup HedgeDoc server and client.
Read more info at https://docs.hedgedoc.org/configuration/
......
......@@ -3,7 +3,7 @@ openapi: 3.0.1
info:
title: HedgeDoc
description: HedgeDoc is an open source collaborative note editor. Several tasks of HedgeDoc can be automated through this API.
version: 1.8.1
version: 1.8.2
contact:
name: HedgeDoc on GitHub
url: https://github.com/hedgedoc/hedgedoc
......
......@@ -28,7 +28,7 @@ services:
restart: always
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.8.1
image: quay.io/hedgedoc/hedgedoc:1.8.2
environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_DOMAIN=localhost
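Review bot: the unchanged `CMD_DB_URL` context line still ships the database credential `hedgedoc:password` inline; since this compose file is copied verbatim into many deployments, consider moving the credential into an env file or at least using an obvious placeholder so a default password does not survive into production.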
......
......@@ -16,7 +16,7 @@
1. Check if you meet the [requirements at the top of this document](#manual-installation).
2. Download the [latest release](https://hedgedoc.org/latest-release/) and extract it.
<small>Alternatively, you can use Git to clone the repository and checkout a release, e.g. with `git clone -b 1.8.1 https://github.com/hedgedoc/hedgedoc.git`.</small>
<small>Alternatively, you can use Git to clone the repository and checkout a release, e.g. with `git clone -b 1.8.2 https://github.com/hedgedoc/hedgedoc.git`.</small>
3. Enter the directory and execute `bin/setup`, which will install the dependencies and create example configs.
4. Configure HedgeDoc: To get started, you can use this minimal `config.json`:
```json
......@@ -34,7 +34,7 @@
It's also possible to use environment variables.
For details, have a look at [the configuration documentation](../configuration.md).
5. *:octicons-light-bulb-16: If you use the release tarball for 1.7.0 or newer, this step can be skipped.*
Build the frontend bundle by running `yarn run build`.
Build the frontend bundle by running `yarn install` and then `yarn build`. The extra `yarn install` is necessary as `bin/setup` does not install the build dependencies.
6. It is recommended to start your server manually once:
```shell
NODE_ENV=production yarn start
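Review bot: the new step 5 tells users to run a bare `yarn install`, which (unlike the `--pure-lockfile` install in `bin/setup`) will rewrite `yarn.lock` if it disagrees with `package.json`; suggest `yarn install --frozen-lockfile` so a release build cannot silently resolve different dependency versions than the ones the project tested.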
......@@ -58,10 +58,10 @@ If you want to upgrade HedgeDoc from an older version, follow these steps:
and the latest release.
2. Fully stop your old HedgeDoc server.
3. [Download](https://hedgedoc.org/latest-release/) the new release and extract it over the old directory.
<small>If you use Git, you can check out the new tag with e.g. `git fetch origin && git checkout 1.8.1`</small>
<small>If you use Git, you can check out the new tag with e.g. `git fetch origin && git checkout 1.8.2`</small>
5. Run `bin/setup`. This will take care of installing dependencies. It is safe to run on an existing installation.
6. *:octicons-light-bulb-16: If you used the release tarball for 1.7.0 or newer, this step can be skipped.*
Build the frontend bundle by running `yarn run build`.
Build the frontend bundle by running `yarn install` and `yarn build`. The extra `yarn install` is necessary as `bin/setup` does not install the build dependencies.
7. It is recommended to start your server manually once:
```shell
NODE_ENV=production yarn start
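Review bot: the upgrade list numbering jumps from step 3 to step 5 (there is no step 4 in this hunk), so either a step was dropped or the numbers need renumbering. The same `--frozen-lockfile` remark as for the installation section applies to the `yarn install` added here.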
......
mkdocs==1.1.2
mkdocs-material==7.1.4
pymdown-extensions==8.1.1
pymdown-extensions==8.2
mdx_truly_sane_lists==1.2
......@@ -2,6 +2,7 @@
// external modules
const Sequelize = require('sequelize')
const scrypt = require('scrypt-kdf')
const filterXSS = require('xss')
// core
const logger = require('../logger')
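Review bot: this adds a server-side `require('xss')`, but none of the `package.json` hunks in this commit add or move the `xss` package; since 1.8.1 moved frontend-only packages to `devDependencies` and `bin/setup` installs with `--production=true`, please confirm `xss` is listed under `dependencies`, otherwise the model fails to load on a production install.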
......@@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
}
if (profile) {
profile = {
name: profile.displayName || profile.username,
name: filterXSS(profile.displayName || profile.username),
photo: User.parsePhotoByProfile(profile),
biggerphoto: User.parsePhotoByProfile(profile, true)
}
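Review bot: running `filterXSS` over a display name applies an HTML whitelist sanitizer to a plain-text field. Whitelisted tags such as `<b>` or `<a>` in a provider-supplied name survive as markup, while other angle brackets are stored entity-encoded, so a template that already escapes on output (`<%= %>`) will double-encode and one that does not still receives live tags. Prefer escaping at the output site (`escape-html` is already a dependency) or enforcing `<%= %>` in the views that print the name; note also that this only sanitizes profiles parsed at login, so existing rows are untouched until the user logs in again.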
......@@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
photo = generateAvatarURL(profile.username)
break
}
return photo
return filterXSS(photo)
}
User.parseProfileByEmail = function (email) {
return {
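Review bot: `filterXSS(photo)` does not validate a URL. A bare string like `javascript:...` or `data:...` contains no tags and passes through unchanged, and this value is later placed into an `src` attribute. For the provider-supplied branches, validate the scheme instead (parse with `new URL()` and allow only `http:`/`https:`, falling back to `generateAvatarURL`), which is both stricter and cheaper than an HTML sanitizer over a URL.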
......
{
"name": "HedgeDoc",
"version": "1.8.1",
"version": "1.8.2",
"description": "The best platform to write and share markdown.",
"main": "app.js",
"license": "AGPL-3.0",
......@@ -157,7 +157,7 @@
"emojify.js": "1.1.0",
"esbuild-loader": "2.13.0",
"escape-html": "1.0.3",
"eslint": "7.25.0",
"eslint": "7.26.0",
"eslint-config-standard": "16.0.2",
"eslint-plugin-import": "2.22.1",
"eslint-plugin-node": "11.1.0",
......@@ -185,9 +185,9 @@
"less-loader": "7.3.0",
"list.js": "2.3.1",
"mathjax": "2.7.9",
"mermaid": "8.9.3",
"mermaid": "8.10.1",
"mini-css-extract-plugin": "1.6.0",
"mocha": "8.3.2",
"mocha": "8.4.0",
"mock-require": "3.0.3",
"optimize-css-assets-webpack-plugin": "5.0.4",
"prismjs": "1.23.0",
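Review bot: the `mermaid` bump 8.9.3 to 8.10.1 (and the `mocha`/`eslint` bumps above) are not mentioned in the release notes of this security release; if the `mermaid` update is part of the note-rendering fix, say so in the release notes, otherwise list it as a dependency update so operators know what changed beyond the two named fixes.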
......
# Release Notes
## <i class="fa fa-tag"></i> 1.8.2 <i class="fa fa-calendar-o"></i> 2021-05-11
This release fixes two security issues. We recommend upgrading as soon as possible.
### Security Fixes
- [CVE-2021-29503: Improper Neutralization of Script-Related HTML Tags in Notes](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq)
- Fix a potential XSS-vector in the handling of usernames and profile pictures
## <i class="fa fa-tag"></i> 1.8.1 <i class="fa fa-calendar-o"></i> 2021-05-06
### Enhancements
- Speed up `yarn install` in production mode (as performed by `bin/setup`) by marking frontend-only dependencies as dev-dependencies.
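Review bot: the second security entry has no advisory or CVE link, unlike the first; if an advisory exists for the username/profile-picture issue, link it, and state which login providers supply the affected profile fields so operators can judge their exposure. Minor wording: "XSS-vector" should be "XSS vector".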
......
......@@ -7,7 +7,7 @@
<%- include('../includes/favicon') %>
<% for (var og in opengraph) { %>
<% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
<meta property="og:<%- og %>" content="<%- opengraph[og] %>">
<meta property="og:<%= og %>" content="<%= opengraph[og] %>">
<% }} if (!opengraph.hasOwnProperty('image')) { %>
<meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png">
<meta property="og:image:alt" content="HedgeDoc logo">
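Review bot: changing `og` and `opengraph[og]` to `<%= %>` so they are escaped is the right fix, but the unchanged line just below still emits `<%- serverURL %>` unescaped into the `og:image` content attribute. `serverURL` comes from admin configuration rather than user input, so the risk is lower, but for consistency in this block use `<%= %>` there as well.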
......