
Commit 9b2d339f authored by Gregor Thiem's avatar Gregor Thiem

test 1.9 RC

parent 35b0fbe9
......@@ -4,22 +4,26 @@ const { v4: uuidv4 } = require('uuid')
const CspStrategy = {}
const defaultDirectives = {
defaultSrc: ['\'self\''],
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', '\'unsafe-eval\''],
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
imgSrc: ['*'],
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
defaultSrc: ['\'none\''],
baseUri: ['\'self\''],
connectSrc: ['\'self\''],
fontSrc: ['\'self\''],
manifestSrc: ['\'self\''],
frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
imgSrc: ['*'], // we allow using arbitrary images
scriptSrc: [
config.serverURL + '/build/',
config.serverURL + '/js/',
config.serverURL + '/config',
'https://gist.github.com/',
'https://vimeo.com/api/oembed.json',
'https://www.slideshare.net/api/oembed/2',
'\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
],
styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
mediaSrc: ['*'],
childSrc: ['*'],
connectSrc: ['*']
}
const cdnDirectives = {
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
formAction: ['\'self\''],
mediaSrc: ['*']
}
const disqusDirectives = {
......@@ -36,17 +40,25 @@ const dropboxDirectives = {
scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
}
const disallowFramingDirectives = {
frameAncestors: ['\'self\'']
}
const allowPDFEmbedDirectives = {
objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
frameSrc: ['*'] // Chrome also checks PDFs against frame-src
}
CspStrategy.computeDirectives = function () {
const directives = {}
mergeDirectives(directives, config.csp.directives)
mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
if (!areAllInlineScriptsAllowed(directives)) {
addInlineScriptExceptions(directives)
}
mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
addInlineScriptExceptions(directives)
addUpgradeUnsafeRequestsOptionTo(directives)
addReportURI(directives)
return directives
......@@ -68,10 +80,6 @@ function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
}
}
function areAllInlineScriptsAllowed (directives) {
return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
}
function addInlineScriptExceptions (directives) {
directives.scriptSrc.push(getCspNonce)
// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
......@@ -80,11 +88,11 @@ function addInlineScriptExceptions (directives) {
}
function getCspNonce (req, res) {
return "'nonce-" + res.locals.nonce + "'"
return '\'nonce-' + res.locals.nonce + '\''
}
function addUpgradeUnsafeRequestsOptionTo (directives) {
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
directives.upgradeInsecureRequests = []
} else if (config.csp.upgradeInsecureRequests === true) {
directives.upgradeInsecureRequests = []
......
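Review bot: `addInlineScriptExceptions(directives)` is now called unconditionally at L71, and its first statement at L82 is `directives.scriptSrc.push(getCspNonce)`, so a deployment with `csp.addDefaults` disabled and no `scriptSrc` in `csp.directives` fails with a bare TypeError instead of a configuration error; the removed `areAllInlineScriptsAllowed` guard had the same dependency, so this is an existing gap made more visible rather than a regression. A check before the call, `if (!Array.isArray(directives.scriptSrc)) throw new Error('csp.directives.scriptSrc must be an array when csp.addDefaults is disabled')`, would name the misconfiguration at startup rather than leaving the operator to decode a stack trace. A short comment on L71, `// nonce and script hashes are always appended; 'unsafe-inline' in the list only acts as a fallback for browsers without CSP2 support`, would extend the explanation given at L32 for the default list to operator-supplied directives. The last hunk of this section appears collapsed after L96, so the rest of addUpgradeUnsafeRequestsOptionTo is not visible here.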
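--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -82,7 +82,10 @@ db.runMigrations = async function runMigrations () {
 // exit in case of unsuccessful migrations
 await umzug.up().catch(error => {
 logger.error(error)
-logger.error('Database migration failed. Exiting…')
+logger.error(`Database migration failed.
+This can be the result of upgrading from quite old versions and requires manual database intervention.
+See https://docs.hedgedoc.org/guides/migration-troubleshooting/ for help.
+Exiting…`)
 process.exit(1)
 })
 logger.info('All migrations performed successfully')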
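--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -25,3 +25,12 @@ exports.getImageMimeType = function getImageMimeType (imagePath) {
 return undefined
 }
 }
+exports.useUnless = function excludeRoute (paths, middleware) {
+return function (req, res, next) {
+if (paths.includes(req.path)) {
+return next()
+}
+return middleware(req, res, next)
+}
+}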
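Review bot: `useUnless` skips the middleware only on an exact `req.path` match at L116, so `/metrics/`, a differently cased path, or a prefixed route still runs it; that is the safer direction for a skip-list, but callers need to know it, and the exported name `useUnless` and the inner function name `excludeRoute` disagree, which makes stack traces harder to read. Suggest a JSDoc above L114: `/** Wraps middleware so it is skipped for requests whose Express req.path is exactly listed in paths (no prefix or trailing-slash normalisation; the query string is not part of req.path). */` and renaming the inner function to `useUnless` to match the export.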
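--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -16,7 +16,7 @@ passport.use(new SamlStrategy({
 callbackUrl: config.serverURL + '/auth/saml/callback',
 entryPoint: config.saml.idpSsoUrl,
 issuer: config.saml.issuer || config.serverURL,
-privateCert: config.saml.clientCert === undefined
+privateKey: config.saml.clientCert === undefined
 ? undefined
 : (function () {
 try {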
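Review bot: The option is renamed to `privateKey` at L127 but is still fed from `config.saml.clientCert`, so the config name suggests a certificate while the value is used as the SP's private signing key (passport-saml is bumped to ^3.1.2 in the package.json hunk on this page, and that major version renamed `privateCert` to `privateKey`). A comment on L127 would keep operators from pasting the public certificate here: `// passport-saml >= 3 calls this privateKey; config.saml.clientCert must hold the SP's PEM private key, not the public cert`. The strict `=== undefined` check also means an empty-string value (for example from an unset environment variable that is mapped to `''`, if the config layer does that) reaches the reader IIFE rather than disabling signing; the IIFE continues outside the hunk.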
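--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -22,7 +22,7 @@ exports.uploadImage = function (imagePath, callback) {
 try {
 fs.copyFileSync(imagePath, path.join(config.uploadsPath, fileName))
 } catch (e) {
-callback(new Error('Error while moving file'), null)
+callback(new Error(`Error while moving file: ${e.message}`), null)
 return
 }
 callback(null, (new URL(fileName, config.serverURL + '/uploads/')).href)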
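Review bot: The error handed to `callback` at L137 now embeds `e.message` from `fs.copyFileSync`, and for ENOENT/EACCES that message contains the absolute destination path under `config.uploadsPath`; if the callback's message is relayed into the HTTP response (not visible in this hunk), uploaders learn the server's filesystem layout. Keep the caller-facing text generic and put the detail where operators read it, e.g. log `e` through the module's logger (if one is in scope) before `callback(new Error('Error while moving file'), null)`, or attach it as `new Error('Error while moving file', { cause: e })` if the Node version in use supports `cause`. uploadImage's body continues outside the hunk.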
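--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -46,7 +46,7 @@ exports.uploadImage = function (imagePath, callback) {
 if (config.s3.endpoint) {
 s3Endpoint = config.s3.endpoint
 } else if (config.s3.region && config.s3.region !== 'us-east-1') {
-s3Endpoint = `s3-${config.s3.region}.amazonaws.com`
+s3Endpoint = `s3.${config.s3.region}.amazonaws.com`
 }
 callback(null, `https://${s3Endpoint}/${config.s3bucket}/${params.Key}`)
 })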
{
"name": "HedgeDoc",
"version": "1.8.2",
"version": "1.9.0-rc1",
"description": "The best platform to write and share markdown.",
"main": "app.js",
"license": "AGPL-3.0",
......@@ -21,7 +21,7 @@
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
"archiver": "^5.0.2",
"async": "^3.0.0",
"aws-sdk": "^2.888.0",
"aws-sdk": "^2.977.0",
"azure-storage": "^2.7.0",
"base64url": "^3.0.0",
"body-parser": "^1.15.2",
......@@ -40,7 +40,6 @@
"file-type": "^16.1.0",
"formidable": "^1.0.17",
"graceful-fs": "^4.1.11",
"handlebars": "^4.5.2",
"helmet": "^4.5.0",
"i18n": "^0.13.0",
"is-svg": "^4.3.1",
......@@ -66,7 +65,7 @@
"meta-marked": "git+https://github.com/hedgedoc/meta-marked",
"method-override": "^3.0.0",
"minimist": "^1.2.0",
"minio": "^7.0.0",
"minio": "^7.0.19",
"moment": "^2.17.1",
"morgan": "^1.7.0",
"mysql2": "^2.0.0",
......@@ -80,7 +79,7 @@
"passport-ldapauth": "^3.0.0",
"passport-local": "^1.0.0",
"passport-oauth2": "^1.4.0",
"passport-saml": "^2.0.0",
"passport-saml": "^3.1.2",
"passport-twitter": "^1.0.4",
"passport.socketio": "^3.7.0",
"pdfobject": "^2.0.201604172",
......@@ -98,13 +97,11 @@
"sqlite3": "^5.0.0",
"store": "^2.0.12",
"string": "^3.3.3",
"tedious": "^6.6.0",
"toobusy-js": "^0.5.1",
"umzug": "^2.3.0",
"uuid": "^8.0.0",
"validator": "^13.0.0",
"winston": "^3.1.0",
"ws": "^7.4.4",
"xss": "^1.0.3"
},
"resolutions": {
......@@ -133,7 +130,7 @@
"url": "https://shivering-isles.com"
},
{
"name":"David Mehren",
"name": "David Mehren",
"email": "hedgedoc@herrmehren.de"
}
],
......@@ -142,6 +139,7 @@
"url": "https://github.com/hedgedoc/hedgedoc.git"
},
"devDependencies": {
"abcjs": "5.12.0",
"babel-cli": "6.26.0",
"babel-core": "6.26.3",
"babel-loader": "7.1.5",
......@@ -153,30 +151,31 @@
"bootstrap-validator": "0.11.9",
"codemirror": "git+https://github.com/hedgedoc/CodeMirror.git",
"copy-webpack-plugin": "6.4.1",
"css-loader": "5.2.4",
"css-loader": "5.2.7",
"emojify.js": "1.1.0",
"esbuild-loader": "2.13.0",
"esbuild-loader": "2.15.1",
"escape-html": "1.0.3",
"eslint": "7.26.0",
"eslint-config-standard": "16.0.2",
"eslint-plugin-import": "2.22.1",
"eslint": "7.32.0",
"eslint-config-standard": "16.0.3",
"eslint-plugin-import": "2.24.2",
"eslint-plugin-node": "11.1.0",
"eslint-plugin-promise": "5.1.0",
"eslint-plugin-standard": "4.1.0",
"exports-loader": "1.1.1",
"expose-loader": "1.0.3",
"file-loader": "6.2.0",
"file-saver": "2.0.5",
"flowchart.js": "1.15.0",
"fork-awesome": "1.1.7",
"fork-awesome": "1.2.0",
"gist-embed": "2.6.0",
"highlight.js": "10.7.2",
"highlight.js": "10.7.3",
"html-webpack-plugin": "4.5.2",
"imports-loader": "1.2.0",
"ionicons": "2.0.1",
"jquery": "3.6.0",
"jquery-mousewheel": "3.1.13",
"jquery-ui": "1.12.1",
"js-cookie": "2.2.1",
"js-cookie": "3.0.0",
"js-sequence-diagrams": "git+https://github.com/hedgedoc/js-sequence-diagrams.git",
"js-yaml": "3.14.1",
"jsonlint": "1.6.3",
......@@ -185,29 +184,28 @@
"less-loader": "7.3.0",
"list.js": "2.3.1",
"mathjax": "2.7.9",
"mermaid": "8.10.1",
"mini-css-extract-plugin": "1.6.0",
"mocha": "8.4.0",
"mermaid": "8.12.0",
"mini-css-extract-plugin": "1.6.2",
"mocha": "9.1.1",
"mock-require": "3.0.3",
"optimize-css-assets-webpack-plugin": "5.0.4",
"prismjs": "1.23.0",
"optimize-css-assets-webpack-plugin": "6.0.1",
"prismjs": "1.24.1",
"raphael": "2.3.0",
"remark-cli": "9.0.0",
"remark-preset-lint-markdown-style-guide": "4.0.0",
"remark-cli": "10.0.0",
"remark-preset-lint-markdown-style-guide": "5.0.1",
"reveal.js": "3.9.2",
"script-loader": "0.7.2",
"select2": "3.5.2-browserify",
"socket.io-client": "2.4.0",
"spin.js": "4.1.0",
"string-loader": "0.0.1",
"turndown": "7.0.0",
"turndown": "7.1.1",
"url-loader": "4.1.1",
"velocity-animate": "1.5.2",
"visibilityjs": "2.0.2",
"viz.js": "1.8.2",
"webpack": "4.46.0",
"webpack-cli": "4.7.0",
"webpack-merge": "5.7.3",
"webpack-cli": "4.8.0",
"webpack-merge": "5.8.0",
"wurl": "2.5.4"
},
"optionalDependencies": {
......
......@@ -3,7 +3,7 @@
font-family: 'Source Code Pro';
font-style: normal;
font-weight: 300;
src: local('Source Code Pro Light'), local('SourceCodePro-Light'), url('../fonts/SourceCodePro-Light.woff') format('woff');
src: url('../fonts/SourceCodePro-Light.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -11,7 +11,7 @@
font-family: 'Source Code Pro';
font-style: normal;
font-weight: 300;
src: local('Source Code Pro Light'), local('SourceCodePro-Light'), url('../fonts/SourceCodePro-Light.woff') format('woff');
src: url('../fonts/SourceCodePro-Light.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* latin-ext */
......@@ -19,7 +19,7 @@
font-family: 'Source Code Pro';
font-style: normal;
font-weight: 400;
src: local('Source Code Pro'), local('SourceCodePro-Regular'), url('../fonts/SourceCodePro-Regular.woff') format('woff');
src: url('../fonts/SourceCodePro-Regular.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -27,7 +27,7 @@
font-family: 'Source Code Pro';
font-style: normal;
font-weight: 400;
src: local('Source Code Pro'), local('SourceCodePro-Regular'), url('../fonts/SourceCodePro-Regular.woff') format('woff');
src: url('../fonts/SourceCodePro-Regular.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* latin-ext */
......@@ -35,7 +35,7 @@
font-family: 'Source Code Pro';
font-style: normal;
font-weight: 500;
src: local('Source Code Pro Medium'), local('SourceCodePro-Medium'), url('../fonts/SourceCodePro-Medium.woff') format('woff');
src: url('../fonts/SourceCodePro-Medium.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -43,7 +43,7 @@
font-family: 'Source Code Pro';
font-style: normal;
font-weight: 500;
src: local('Source Code Pro Medium'), local('SourceCodePro-Medium'), url('../fonts/SourceCodePro-Medium.woff') format('woff');
src: url('../fonts/SourceCodePro-Medium.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* vietnamese */
......@@ -51,7 +51,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 300;
src: local('Source Sans Pro Light'), local('SourceSansPro-Light'), url('../fonts/SourceCodePro-Medium.woff') format('woff');
src: url('../fonts/SourceCodePro-Medium.woff') format('woff');
unicode-range: U+0102-0103, U+1EA0-1EF9, U+20AB;
}
/* latin-ext */
......@@ -59,7 +59,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 300;
src: local('Source Sans Pro Light'), local('SourceSansPro-Light'), url('../fonts/SourceSansPro-Light.woff') format('woff');
src: url('../fonts/SourceSansPro-Light.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -67,7 +67,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 300;
src: local('Source Sans Pro Light'), local('SourceSansPro-Light'), url('../fonts/SourceSansPro-Light.woff') format('woff');
src: url('../fonts/SourceSansPro-Light.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* vietnamese */
......@@ -75,7 +75,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 400;
src: local('Source Sans Pro'), local('SourceSansPro-Regular'), url('../fonts/SourceSansPro-Regular.woff') format('woff');
src: url('../fonts/SourceSansPro-Regular.woff') format('woff');
unicode-range: U+0102-0103, U+1EA0-1EF9, U+20AB;
}
/* latin-ext */
......@@ -83,7 +83,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 400;
src: local('Source Sans Pro'), local('SourceSansPro-Regular'), url('../fonts/SourceSansPro-Regular.woff') format('woff');
src: url('../fonts/SourceSansPro-Regular.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -91,7 +91,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 400;
src: local('Source Sans Pro'), local('SourceSansPro-Regular'), url('../fonts/SourceSansPro-Regular.woff') format('woff');
src: url('../fonts/SourceSansPro-Regular.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* vietnamese */
......@@ -99,7 +99,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 600;
src: local('Source Sans Pro Semibold'), local('SourceSansPro-Semibold'), url('../fonts/SourceSansPro-Semibold.woff') format('woff');
src: url('../fonts/SourceSansPro-Semibold.woff') format('woff');
unicode-range: U+0102-0103, U+1EA0-1EF9, U+20AB;
}
/* latin-ext */
......@@ -107,7 +107,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 600;
src: local('Source Sans Pro Semibold'), local('SourceSansPro-Semibold'), url('../fonts/SourceSansPro-Semibold.woff') format('woff');
src: url('../fonts/SourceSansPro-Semibold.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -115,7 +115,7 @@
font-family: 'Source Sans Pro';
font-style: normal;
font-weight: 600;
src: local('Source Sans Pro Semibold'), local('SourceSansPro-Semibold'), url('../fonts/SourceSansPro-Semibold.woff') format('woff');
src: url('../fonts/SourceSansPro-Semibold.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* vietnamese */
......@@ -123,7 +123,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 300;
src: local('Source Sans Pro Light Italic'), local('SourceSansPro-LightIt'), url('../fonts/SourceSansPro-LightItalic.woff') format('woff');
src: url('../fonts/SourceSansPro-LightItalic.woff') format('woff');
unicode-range: U+0102-0103, U+1EA0-1EF9, U+20AB;
}
/* latin-ext */
......@@ -131,7 +131,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 300;
src: local('Source Sans Pro Light Italic'), local('SourceSansPro-LightIt'), url('../fonts/SourceSansPro-LightItalic.woff') format('woff');
src: url('../fonts/SourceSansPro-LightItalic.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -139,7 +139,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 300;
src: local('Source Sans Pro Light Italic'), local('SourceSansPro-LightIt'), url('../fonts/SourceSansPro-LightItalic.woff') format('woff');
src: url('../fonts/SourceSansPro-LightItalic.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* vietnamese */
......@@ -147,7 +147,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 400;
src: local('Source Sans Pro Italic'), local('SourceSansPro-It'), url('../fonts/SourceSansPro-Italic.woff') format('woff');
src: url('../fonts/SourceSansPro-Italic.woff') format('woff');
unicode-range: U+0102-0103, U+1EA0-1EF9, U+20AB;
}
/* latin-ext */
......@@ -155,7 +155,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 400;
src: local('Source Sans Pro Italic'), local('SourceSansPro-It'), url('../fonts/SourceSansPro-Italic.woff') format('woff');
src: url('../fonts/SourceSansPro-Italic.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -163,7 +163,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 400;
src: local('Source Sans Pro Italic'), local('SourceSansPro-It'), url('../fonts/SourceSansPro-Italic.woff') format('woff');
src: url('../fonts/SourceSansPro-Italic.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* vietnamese */
......@@ -171,7 +171,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 600;
src: local('Source Sans Pro Semibold Italic'), local('SourceSansPro-SemiboldIt'), url('../fonts/SourceSansPro-SemiboldItalic.woff') format('woff');
src: url('../fonts/SourceSansPro-SemiboldItalic.woff') format('woff');
unicode-range: U+0102-0103, U+1EA0-1EF9, U+20AB;
}
/* latin-ext */
......@@ -179,7 +179,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 600;
src: local('Source Sans Pro Semibold Italic'), local('SourceSansPro-SemiboldIt'), url('../fonts/SourceSansPro-SemiboldItalic.woff') format('woff');
src: url('../fonts/SourceSansPro-SemiboldItalic.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -187,7 +187,7 @@
font-family: 'Source Sans Pro';
font-style: italic;
font-weight: 600;
src: local('Source Sans Pro Semibold Italic'), local('SourceSansPro-SemiboldIt'), url('../fonts/SourceSansPro-SemiboldItalic.woff') format('woff');
src: url('../fonts/SourceSansPro-SemiboldItalic.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
/* latin-ext */
......@@ -195,7 +195,7 @@
font-family: 'Source Serif Pro';
font-style: normal;
font-weight: 400;
src: local('Source Serif Pro'), local('SourceSerifPro-Regular'), url('../fonts/SourceSerifPro-Regular.woff') format('woff');
src: url('../fonts/SourceSerifPro-Regular.woff') format('woff');
unicode-range: U+0100-024F, U+1E00-1EFF, U+20A0-20AB, U+20AD-20CF, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
......@@ -203,6 +203,6 @@
font-family: 'Source Serif Pro';
font-style: normal;
font-weight: 400;
src: local('Source Serif Pro'), local('SourceSerifPro-Regular'), url('../fonts/SourceSerifPro-Regular.woff') format('woff');
src: url('../fonts/SourceSerifPro-Regular.woff') format('woff');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
}
@import url(https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,400italic,600,600italic,300italic,300|Source+Serif+Pro|Source+Code+Pro:400,300,500&subset=latin,latin-ext);
......@@ -71,14 +71,6 @@ There are four possible options:
**Only the owner of the note can change the note's permissions.**
### Embed a Note
Notes can be embedded as follows:
```xml
<iframe width="100%" height="500" src="https://demo.hedgedoc.org/features" frameborder="0"></iframe>
```
### [Slide Mode](./slide-example)
You can use a special syntax to organize your note into slides.
......@@ -253,7 +245,7 @@ When you’re a carpenter making a beautiful chest of drawers, you’re not goin
#### PDF
**Caution: this might be blocked by your browser if not using an `https` URL.**
Note that not all servers allow embedding their content. See [our FAQ](https://hedgedoc.org/faq/#why-cant-i-embed-some-pdfs) for details.
Note that not all servers allow embedding their content. See [our FAQ](https://docs.hedgedoc.org/faq/#why-cant-i-embed-some-pdfs) for details.
{%pdf https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf %}
### MathJax
......
# Release Notes
## <i class="fa fa-tag"></i> 1.9.0-rc1 <i class="fa fa-calendar-o"></i> 2021-08-29
### Security Fixes
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
they were repeatedly used to exploit security vulnerabilities.
If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details
### Features
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance
in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc
notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
XSS attacks
- Add additional environment variables to configure the database.
This allows easier configuration in containerised environments, such as Kubernetes
### Enhancements
- Further improvements to the frontend build process, reducing the initial bundle size by 60%
- Improve the error handling of the `filesystem` upload method
- Improve the error message of failing migrations
### Bugfixes
- Fix crash when trying to read the current Git commit on startup
- Fix endless loop on shutdown when HedgeDoc can't connect to the database
- Ensure that all cookies are set with the `secure` flag, if HedgeDoc is loaded via HTTPS
- Fix session cookies being created on calls to `/metrics` and `/status`
- Fix incorrect creation of S3 endpoint domain (thanks to [@matejc](https://github.com/matejc))
- Remove CDN support, fixing inconsistencies in library versions delivered to the client
- Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
- Fix links between slides not working