Commit Graph

5496 Commits

Author SHA1 Message Date
Dan Brown
6107161275 URLs: Fixed issue in comparisons when elements missing 2026-07-02 10:21:01 +01:00
Dan Brown
ad283ef0ed Updated packages, translators and licensing pre v26.05.2 2026-07-02 09:41:17 +01:00
Dan Brown
b87789dde6 Merge branch 'sec_jun26' into development 2026-07-02 09:38:17 +01:00
Dan Brown
a213175004 Merge pull request 'Updated translations with latest crowdin changes' (#6166) from l10n_development into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6166
2026-07-02 10:36:35 +02:00
Crowdin Bot
b6e3d304fe New Crowdin translations by GitHub Action 2026-07-02 08:34:05 +00:00
Dan Brown
6bba39196c Merge pull request 'Added Serbian language to language_select array' (#6153) from PolarniMeda/bookstack:development into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6153
2026-07-02 10:32:48 +02:00
Dan Brown
caeea658d1 Access: Hardened usage of referring URLs via login
Adds a more substantial URL check, via a new class which is shared and
used in other parts of the app for consistency.

Thanks to mfk25 for reporting.
2026-07-01 10:45:59 +01:00
Dan Brown
fe39b69c1f Comments: Added visibility check to comment delete
Aligns it with other actions/endpoints, and ensures an extra layer of
control against malicious use.

Thanks to mfk25 for reporting.
2026-07-01 10:20:32 +01:00
Dan Brown
01dc1e71c5 Attachments: Added more extensive URL filtering
Added a central URLFilter class to check & clean URLs used for
attachments, which is also used for validation, and by the purifier to
standardise protocols (and to make protocol config easier in future).

Thanks to mfk25 for reporting.
2026-07-01 00:41:19 +01:00
Dan Brown
59bbf504cf Content filtering: Added srcset protocol filter
Upstream libraries used did not specifically treat values in srcset as
URIs like other attributes, so this adds a simple filter for possible
bad values.
Updated tests to cover.

Thanks for Gurmandeep Deol for reporting.
2026-06-30 18:35:34 +01:00
Dan Brown
f7df78b91b CI: Attempted to fix snyk workflow 2026-06-24 13:58:20 +01:00
Dan Brown
c511f7d935 CI: Added workflow to sync with snyk 2026-06-24 13:48:20 +01:00
Dan Brown
79a2e017bb Maintenance: Fixed type and CI issues
- Fixed issues picked up by PHPStan updates.
  - Not sure why it was flagging the BookSorter issue, but swapping if
    statements made it go away.
- Updated BookSortMapItem with modern syntax.
- Attempted to fix CI issues by adding DOM extension.
- Attempted to make migration CI more efficient via tmpfs
2026-06-11 14:24:09 +01:00
PolarniMeda
dad83d473d Added Serbian language to language_select array 2026-06-11 10:32:03 +02:00
Dan Brown
c74df7e06b Updated translator & dependency attribution before release v26.05.1 2026-06-09 12:50:16 +01:00
Dan Brown
6b545d600c Merge branch 'v26051_sec' into development 2026-06-09 12:48:39 +01:00
Dan Brown
cc0b059fa4 Deps: Updated PHP package versions 2026-06-09 12:47:28 +01:00
Crowdin Bot
9fc46f76f6 New Crowdin translations by GitHub Action 2026-06-08 04:30:58 +00:00
Dan Brown
84a23fb23f Logs: Prevented NotifyExceptions for reporting to error logs
This is to reduce the amount of content which will be logged, since
these messages don't really indicate an actual system error but advise
the user of something which went wrong with their request.
2026-06-07 11:25:51 +01:00
Dan Brown
b7325fdf0e Attachments: Moved perm checks before validation
Avoids providing responses with potential sensitive attachment info
before permission checks.
Added tests to cover.

Thanks to Rafael Castilho for reporting.
2026-06-07 10:35:14 +01:00
Dan Brown
81f77a95de Content Filtering: Limited file protocol to just anchor hrefs
Updated allow list/purifier system to only allow file protocol use on
anchor hrefs to avoid potential security concerns with, after export,
content being auto loaded via interactive elements like
embeds/objects/videos etc...

Updated tests to cover.
Thanks to Gurmandeep Deol at Seneca Polytechnic for reporting.
2026-06-06 15:30:57 +01:00
Dan Brown
37f2d05118 Search: Prevented tag search using unusable numbers
These would trigger an error on use, and could be abused to fill logs.
Added test to cover.

Thanks to Stephen O. / Sakusen for reporting.
2026-06-06 10:37:06 +01:00
Dan Brown
f01bb749ab Workflows: Attempted fixing crowdin files
Currently causing extra files to be created alongside previous files in
crowdin
2026-05-30 13:45:25 +01:00
Dan Brown
d421a19193 Updated translator & dependency attribution before release v26.05 2026-05-28 12:32:17 +01:00
Dan Brown
67529dd883 Deps: Updated PHP packages, fixed some types for phpstan 2026-05-28 10:34:04 +01:00
Dan Brown
c26b66887f Updated translations with changes from Crowdin (#6139)
## Details

<!-- Write details of your pull request in here -->
<!-- Include references to any relevant issues/discussions -->

## Checklist

<!-- Put an 'x' in between the brackets below to confirm these elements -->

- [ ] I have read the [BookStack community rules](https://www.bookstackapp.com/about/community-rules/).
- [ ] This PR does not feature significant use of LLM/AI generation as per the community rules above.

Co-authored-by: Crowdin Bot <support+bot@crowdin.com>
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6139
2026-05-28 11:29:39 +02:00
Dan Brown
17b76bb876 Merge pull request 'Page Editor Contents List View' (#6131) from page_editor_contents into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6131
2026-05-26 14:54:13 +02:00
Dan Brown
0de1196b62 Page Editor: Minor fixes
- Removed unused import
- Added some trailing newlines to code files
- Prevented <hr>s confusing logic in MD editor
- Aligned logic to select end of header across editors
2026-05-26 13:28:40 +01:00
Dan Brown
99e405f80f Page Editor: Added contents click handling for TinyMCE editor 2026-05-26 12:58:48 +01:00
Dan Brown
d7ba0dc430 CSP: Renamed CSS CSP option 2026-05-26 12:50:19 +01:00
Dan Brown
2c49502345 Merge pull request 'Merge Further v26.03 changes' (#6133) from v26-03 into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6133
2026-05-25 17:26:29 +02:00
Dan Brown
ef82119226 MFA: Added verify attempt rate limiting 2026-05-21 13:25:57 +01:00
Dan Brown
1b9ec75903 Deps: Updated PHP package versions 2026-05-21 09:48:20 +01:00
Dan Brown
c58eb91893 Page Editor: Added contents view click logic
Added jump-to-header logic for lexical WYSIWYG, and both codemirror &
plaintext markdown editor windows.
2026-05-20 12:12:38 +01:00
Dan Brown
49aa025012 Page Editor: Started contents view in toolbox
Added visual system, not yet added on-click logic.
Related to #4218
2026-05-19 17:56:48 +01:00
Dan Brown
5ebfa65a46 Testing: Changed ordering in tests to help prevent flaky test
Think it would primariy use the created_at ordering based in the
relation which could cause trouble in CI test environment.
This better forces Id based ordering
2026-05-19 13:29:26 +01:00
Dan Brown
b5d3ba2726 Testing: Added extra page edit test
Added during investigation for #6062
Might as well leave in even though it does not trigger the cause for
that particuluar issue.
2026-05-18 17:39:00 +01:00
Dan Brown
0cd773a5d3 CSP Headers: Review of #6071
- Removed extra non-needed docs in repo
- Tweaked some wording.
- Added extra test scenarios.
- Added options to phpunit default env.
- Added auto-quote-handling for unsafe-inline CSS rule.

For #6033
2026-05-17 18:40:02 +01:00
Dan Brown
dfc91d533b Merge branch 'development' into Zhey-on/feature/csp-image-css-controls-6033 2026-05-17 17:57:54 +01:00
Dan Brown
39a14cff8f User MFA: Reviewed addition of reset, added tests
Review of #6056
Added test coverage.
2026-05-17 13:05:50 +01:00
Dan Brown
321271e7bd Merge branch 'development' into clauvaldez/mfaReset 2026-05-17 11:59:41 +01:00
Dan Brown
c87abbd23f Images: Increased validation against related page on upload
Adds validation that the related page exists, is visible, and that the
user has page edit permissions for the page.
Aligns with attachment permission model, and aligns across different
image endpoints.

Added tests to cover.
Closes #6126
2026-05-14 18:10:46 +01:00
Dan Brown
c5c066c3e7 Merge pull request 'Merge v26.03 branch changes' (#6122) from v26-03 into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6122
2026-05-14 16:08:26 +02:00
Dan Brown
ddb0a22504 Lexical: Made table cell up/down arrow nav smarter
Added logic to attempt to retain x position when navigating cells
up/down via arrow keys.
2026-05-13 17:09:32 +01:00
Dan Brown
9f4afac7bc Lexical: Improved ability to break out of lists
Updates list handling so that you can break out of a list (or move down
a level) via enter on an existing empty list item at any point in the
list, not just the end.
Added test to cover.
2026-05-12 18:49:35 +01:00
Dan Brown
5d429ea9bb Lexical: Added better support for block content in list items
Improved the ability to set/use block formats in lists.
Setting a format, will now attempt to create that, if just plain text to
start with, when in a list.
Added handling so that blocks split into new list elements instead of
new blocks within the list element.

Also fixed some issues with cyclic import references, and updated editor
event types to always include their type for easier debug.
2026-05-11 19:14:16 +01:00
Dan Brown
2aba39b176 Lexical: Updated toolbars to re-focus on editor on escape press 2026-05-10 17:37:56 +01:00
Dan Brown
6367f007c1 Lexical: Added fade to table resizers 2026-05-10 13:04:39 +01:00
Dan Brown
e982443988 Lexical: Made toolbar placement smarter
- Set z-index so toolbars for deeper (more specific) content is bought
  forward above more general toolbars.
- Added some basic overlap checking as an indicator to whether the
  toolbar should sit above the target.
2026-05-10 12:58:17 +01:00
Dan Brown
16a50b0ca9 Lexical: Fixed updating of TextNode text on export 2026-05-09 19:36:43 +01:00