Commit graph

128 commits

Author SHA1 Message Date
Gusted
661d3d28e9
Prevent possible XSS when using jQuery (#18289)
In the case of misuse or misunderstanding from a developer whereby,
if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the
creation of a new element. Current usage is using hard-coded selectors
in the templates, but nobody prevents that from expanding to
user-controlled somehow.
2022-01-16 13:14:32 +08:00
zeripath
d7c2a2951c
Webauthn nits (#18284)
This contains some additional fixes and small nits related to #17957 

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-15 17:52:56 +01:00
Lunny Xiao
35c3553870
Support webauthn (#17957)
Migrate from U2F to Webauthn

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-14 16:03:31 +01:00
wxiaoguang
70d7475356
Fix EasyMDE image paste bug during refactoring (#18207) 2022-01-08 21:33:32 +08:00
silverwind
3dbdf36d95
Fix CSS specificity issue with easymde's css (#18201)
* Fix CSS specificity issue with easymde's css

PR #18069 introduced a regression in certain overwritten editor styles
because the dynamic loading of easymde.min.css causes its's style to
apply after our supposed override styles.

Solve this by bundling the styles into index.css. We should later aim to
completely replace easymde.min.css completely with our own styles so there
are no more conflicts.

* Update web_src/js/features/comp/EasyMDE.js

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-07 16:41:31 +08:00
zeripath
21ed4fd8da
Add warning for BIDI characters in page renders and in diffs (#17562)
Fix #17514

Given the comments I've adjusted this somewhat. The numbers of characters detected are increased and include things like the use of U+300 to make à instead of à and non-breaking spaces.

There is a button which can be used to escape the content to show it.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Gwyneth Morgan <gwymor@tilde.club>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-07 02:18:52 +01:00
wxiaoguang
a38ba634a4
Load EasyMDE/CodeMirror dynamically, remove RequireEasyMDE (#18069)
This PR makes frontend load EasyMDE/CodeMirror dynamically, and removes `RequireEasyMDE`.
2022-01-05 13:17:25 +01:00
wxiaoguang
48aab263d1
Fix EasyMDE validation (#18161) 2022-01-03 17:53:53 +01:00
Gusted
496acbe9e5
Require codereview to have content (#18156)
- Report a validityError when the codeReview have no comment.
- Resolves #18151
- Refactor
2022-01-02 23:31:03 +01:00
wxiaoguang
0a9fcf63a4
Clean legacy SimpleMDE code (#17926)
Since we are using EasyMDE now, we do not need to keep the SimpleMDE code anymore.

This PR removes all legacy SimpleMDE code, and makes some related changes:
* `createCommentEasyMDE` can accept native DOM element, and it doesn't need `jQuery.data` to store EasyMDE editor object (as discussed about the frontend guideline).
* introduce `getAttachedEasyMDE` to get the attached EasyMDE editor object, it's easier to find all the usage of EasyMDE.
* rename variable names from `$simplemde` to `easyMDE`, the `$` was incorrect because it is a EasyMDE editor, not a jQuery object.

With this PR, it will be easier to do more refactoring or replacing EasyMDE with other editors.
2021-12-10 10:51:27 +08:00
Anbraten
0ff18a808c
Support sorting for project board issuses (#17152)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-12-08 14:57:18 +08:00
wxiaoguang
4cbe792562
Remove unnecessary X-Remote HTTP header in AJAX request (#17932) 2021-12-08 14:18:07 +08:00
wxiaoguang
a6f961fba4
Refactor install page (db type) (#17919)
* Refactor install page (db type)

* set correct default DB HOST for different DB TYPE
* remove legacy TiDB from documents
* unify the usage of DB TYPE, in code we only use "mysql". "MySQL" is only shown to users for friendly name.

* Gitea can use TiDB via MySQL protocol

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-12-07 13:44:08 +08:00
Gusted
9d6208965c
Fix loading content history on show more (#17819)
* Fix loading content history on show more

- Call `initRepoIssueContentHistory` so that the newly loaded issues
also get their content history.
- Resolves #17767

* apply history to show diff too

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
2021-12-06 11:57:51 +08:00
silverwind
f7094c8161
Update JS dependencies, adjust eslint config (#17904)
- Update all JS dependencies to latest versions
- Add new lint rules, enable es2022 eslint parser features
- Disable github/no-then, I feel the rule was too restricting
2021-12-04 14:43:14 +08:00
KN4CK3R
fbf3208229
Added missing data- prefix. (#17884) 2021-12-03 00:36:00 +08:00
fnetX (aka fralix)
830ab75ce0
Switch archive URL code back to href attributes (#17796)
* Add fallback href link
* Switch async archive generation to use href links
* Edit all templates to use href instead of data-url for archives
* Add consistent rel="nofollow" as per wxiaoguang
2021-11-29 21:50:43 +08:00
silverwind
9450410ff7
Improve ellipsis buttons (#17773)
* Improve ellipsis buttons

- Remove icon font usage
- Add aria-expanded attribute

* rename function to match

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-11-22 21:44:38 -05:00
Jimmy Praet
a3efd048a7
Improvements to content history (#17746)
* Improvements to content history

* initialize content history when making an edit to an old item created before the introduction of content history
* show edit history for code comments on pull request files tab

* Fix a flaw in keepLimitedContentHistory
Fix a flaw in keepLimitedContentHistory, the first and the last should never be deleted

* Remove obsolete eager initialization of content history
2021-11-22 20:20:16 +08:00
wxiaoguang
49b2cb998b
Fix project board bug and improve documents (#17753)
* the project board was broken, this PR fixes it, and refactor the code, and we prevent the uncategorized column from being dragged.
* improve the frontend guideline (as discussed in https://github.com/go-gitea/gitea/pull/17699)
2021-11-22 19:40:17 +08:00
silverwind
a159c3175f
Add new JS linter rules (#17699)
* Add new JS linter rules

Adds a few useful rules from eslint-plugin-github. Notable changes:

- Forbid dataset usage, its camel-casing behaviour makes it hard to
  grep for attributes.
- Forbid .then() and .catch(), we should generally prefer await for new
  code. For rare cases where they are useful, a eslint-disable-line
  directive can be set.
- Add docs js to linting

* also enable github/array-foreach

* small tweak

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-11-22 16:19:01 +08:00
zeripath
8511eec4d4
Allow Loading of Diffs that are too large (#17739)
* Allow Loading of Diffs that are too large

This PR allows the loading of diffs that are suppressed because the file
is too large. It does not handle diffs of files which have lines which
are too long.

Fix #17738

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-11-22 00:51:08 +08:00
zeripath
0d69e64e03
Make a.add-code-comment click handler an event handler (#17737)
Instead of directly attaching the add-code-comment on click handler to
the a.add-code-comment elements - make this an event handler on the
document instead.

Fix #17736

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-11-20 20:12:59 +08:00
Gusted
96ec656cf1
perf: sent data-path once for each file (#17657)
- Don't sent it with each line, instead send it at the top-element for each file.
- Related:
https://github.com/go-gitea/gitea/pull/17618#issuecomment-968192761

2.5K Additions:
No-Patch:
Unified: 2.14 MB (2.14 MB size)
Split: 2.59 MB (2.59 MB size)

Patch:
Unified: 2.10 MB (2.10 MB size) (-1.8%)
Split: 2.55 MB (2.55 MB size) (-1.5%)
2021-11-19 10:28:27 +08:00
wxiaoguang
55be5fe339
Refactor repo-legacy.js, remove messy global variables. Fix errors. (#17646)
Refactor repo-legacy.js, remove messy global variables. Fix errors.
Fix an error in Sortable
Fix a incorrect call assignMenuAttributes from the template
2021-11-19 00:45:00 +08:00
silverwind
6874fe90e5
Cleanup and use global style on popups (#17674)
* Cleanup and use global style on popups

- Fix typo 'poping' to 'popping'
- Remove most inline 'data-variation' attributes
- Initialize all popups with 'inverted tiny' variation

* misc tweaks

* rename to .tooltip, use jQuery

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-11-18 11:26:50 +08:00
Gusted
d8a8961b99
Sanitize user-input on file name (#17666)
* Sanitize user-input on file name

- Sanitize user-input before it get passed into the DOM.
- Prevent things like "<iframe onload=alert(1)></iframe>" from being
executed. This isn't a XSS attack as the server seems to be santizing
the path as well.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-11-17 18:08:25 +00:00
zeripath
bbffcc3aec
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
    
This is an extensive PR attempting to fix these issues.

1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future. 
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-11-16 18:18:25 +00:00
Gusted
447428f446
Remove superfluous argument (#17667)
As title.
2021-11-16 19:36:03 +08:00
silverwind
23bd7b1211
Add copy button to markdown code blocks (#17638)
* Add copy button to markdown code blocks

Done mostly in JS because I think it's better not to try getting buttons
past the markup sanitizer.

* add svg module tests

* fix sanitizer regexp

* remove outdated comment

* vertically center button in issue comments as well

* add comment to css

* fix undefined on view file line copy

* combine animation less files

* Update modules/markup/markdown/markdown.go

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

* add test for different sizes

* add cloneNode and add tests for it

* use deep clone

* remove useless optional chaining

* remove the svg node cache

* unify clipboard copy string and i18n

* remove unused var

* remove unused localization

* minor css tweaks to the button

* comment tweak

* remove useless attribute

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-11-16 16:16:05 +08:00
wxiaoguang
6292603215
Fix database deadlock when update issue labels (#17649)
This fix updates issue labels one by one, and won't cause database deadlock.
In future, we can use a batch API to update all changed labels by one request.
2021-11-16 10:21:13 +08:00
Gusted
8eddb75508
perf: only generate data-comment-url once (#17618) 2021-11-14 00:28:57 -05:00
wxiaoguang
7f802631c5
Fix some incorrect async functions, improve frontend document. (#17597) 2021-11-12 20:37:45 +08:00
silverwind
433e81aecf
Update JS dependencies (#17611)
- Update monaco, adapting to breaking changes
- Update dropzone, adapting to breaking changes
- Update linters, fix new issues, disable opinionated stylelint rules
- Rebuild SVGs and images
- Tested Dropzone and Monaco

Replaces: https://github.com/go-gitea/gitea/pull/17574
2021-11-11 09:52:16 +08:00
wxiaoguang
bb71ceeeb2
Improve async/await usage, and sort init calls in index.js (#17386)
* clean up async/await, and sort init calls in `index.js
* use `const _promise` to indicate that we do not need await an async function
2021-11-09 17:27:25 +08:00
zeripath
513951bc16
Remove appSubUrl from pasted images (#17572)
* Remove appSubUrl from pasted images

Since we fixed the url base for the links in repositories we no longer need to add
the appsuburl to pasted image links.

Fix #17057

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-11-08 14:27:40 +08:00
qwerty287
f46e67b519
Move key forms before list and add cancel button (#17432)
* Move GPG form before list and add cancel button
* Move SSH form before list and add cancel button

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-10-28 18:55:48 +08:00
wxiaoguang
2b2eb5d0ad
make commit-statuses popup can be shown correctly. (#17447)
Close #17443

Maybe we do not need to backport this PR, the bug doesn't break daily usage.

After the fix, the commit statuses popup can show a lot of lines with scroll bars:

![image](https://user-images.githubusercontent.com/2114189/139026160-f01b484c-6207-494a-a190-a6dd184ceb2b.png)
2021-10-28 02:34:18 +01:00
wxiaoguang
89beceeb9a
Fix a UI error when folding a file content in a commit view (#17446) 2021-10-27 19:11:56 +08:00
David Jimenez
a462fcaac8
Show client-side error if wiki page is empty (#17415)
* fix: show client-side error if wiki page is empty

Implement a JS, client-side validation workaround for a bug in the upstream
editor library SimpleMDE which breaks HTML5 client-side validation when
a wiki page is submitted.

This allows native, client-side errors to appear if
the text editor contents are empty.

See upstream bugfix report: https://github.com/sparksuite/simplemde-markdown-editor/issues/324

Signed-off-by: David Jimenez <dvejmz@sgfault.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-10-27 12:33:22 +08:00
wxiaoguang
943dc08722
Fix issue content history problems, improve UI (#17404)
* Improve: make diff result better, make the HTML element fit the full height in the content history diff dialog
* Bug fix: when edit the main issue, the poster is wrongly set to the issue poster
2021-10-23 22:47:38 +08:00
wxiaoguang
406bd3780e
Fix context popup error (#17398)
* Fix context popup error
2021-10-22 22:34:01 +08:00
wxiaoguang
a115309f4f
Fix the click behavior for <tr> and <td> with [data-href] (#17388) 2021-10-21 19:19:32 +01:00
wxiaoguang
2add8fe9be
Frontend refactor, PascalCase to camelCase, remove unused code (#17365)
* Frontend refactor, PascalCase to camelCase, remove unused code

* fix
2021-10-21 15:37:43 +08:00
Mario Lubenka
0208ea0248
"Copy branch name" button in pull request (#17323)
* Drop data-original from clipboard

data-original attribute was removed. Instead, the original value from
data-content is set after success/fail message was displayed.

Signed-off-by: Mario Lubenka <mario.lubenka@googlemail.com>

* "Copy branch name" button in pull request

Signed-off-by: Mario Lubenka <mario.lubenka@googlemail.com>

* Update templates/repo/issue/view_title.tmpl

Co-authored-by: silverwind <me@silverwind.io>

* Apply suggestions from code review

Co-authored-by: zeripath <art27@cantab.net>

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
2021-10-19 13:32:11 -04:00
Netduma Luke M
9f3d5c0a23
Re-allow clipboard copy on non-https sites (#17118)
* Re-allow clipboard copy on non-https sites
* fallback clipboard functions
2021-10-19 18:22:16 +08:00
silverwind
eaf493be5d
Update JS dependencies (#17357)
* Update JS dependencies

- Upgrade to eslint 8 and add new plugin rules
- Adapt to various API changes
- Rebuild SVGs

* fix webpack warning on license

* order options alphabetically

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-10-19 15:23:58 +08:00
wxiaoguang
7333104e89
Fix the PR review form bug during frontend refactor (#17332) 2021-10-16 22:30:31 +02:00
wxiaoguang
1a7473ff45
Split index.js to separate files (#17315)
* split `index.js` to separate files

* tune clipboard

* fix promise

* fix document

* remove intermediate empty file

* fix async event listener

* use `export function` instead of `export {}`, add more comments

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
2021-10-17 01:28:04 +08:00
zeripath
a889d0cc8c
Add buttons to allow loading of incomplete diffs (#16829)
This PR adds two buttons to the stats and the end of the diffs list to load the (some of) the remaining incomplete diff sections.

Contains #16775
    
Signed-off-by: Andrew Thornton <art27@cantab.net>


## Screenshots

### Show more button at the end of the diff
![Screenshot from 2021-09-04 11-12-37](https://user-images.githubusercontent.com/1824502/132091009-b1f6113e-2c04-4be5-8a04-b8ecea56887b.png)

### Show more button at the end of the diff stats box
![Screenshot from 2021-09-04 11-14-54](https://user-images.githubusercontent.com/1824502/132091063-86da5a6d-6628-4b82-bea9-3655cd9f40f6.png)
2021-10-15 17:05:33 +01:00