Added a central URLFilter class to check & clean URLs used for
attachments, which is also used for validation, and by the purifier to
standardise protocols (and to make protocol config easier in future).
Thanks to mfk25 for reporting.
Upstream libraries used did not specifically treat values in srcset as
URIs like other attributes, so this adds a simple filter for possible
bad values.
Updated tests to cover.
Thanks for Gurmandeep Deol for reporting.
- Fixed issues picked up by PHPStan updates.
- Not sure why it was flagging the BookSorter issue, but swapping if
statements made it go away.
- Updated BookSortMapItem with modern syntax.
- Attempted to fix CI issues by adding DOM extension.
- Attempted to make migration CI more efficient via tmpfs
This is to reduce the amount of content which will be logged, since
these messages don't really indicate an actual system error but advise
the user of something which went wrong with their request.
Avoids providing responses with potential sensitive attachment info
before permission checks.
Added tests to cover.
Thanks to Rafael Castilho for reporting.
Updated allow list/purifier system to only allow file protocol use on
anchor hrefs to avoid potential security concerns with, after export,
content being auto loaded via interactive elements like
embeds/objects/videos etc...
Updated tests to cover.
Thanks to Gurmandeep Deol at Seneca Polytechnic for reporting.
- Removed extra non-needed docs in repo
- Tweaked some wording.
- Added extra test scenarios.
- Added options to phpunit default env.
- Added auto-quote-handling for unsafe-inline CSS rule.
For #6033
Adds validation that the related page exists, is visible, and that the
user has page edit permissions for the page.
Aligns with attachment permission model, and aligns across different
image endpoints.
Added tests to cover.
Closes#6126
Used for comments and descriptions.
Also updated shortcut handling that we're not registering shortcuts for
edits which can't use the related formatting types.
For #6003
- Updated tag values endpoint to use query param instead of path
argument, so a better range of values can be provided (including those
with slashes).
- Updated image gallery example request to align with docs use changes.
With controller routes.
Don't consider this as a security issue, since the filtered URLs
by that validation are very likely to be blocked by browser security
or CSP, and there's a level of assumed privilege to the users that
are able to create such attachments links already.
Closes#6093
Theme module ZIPs will now support their files being in a single nested
directory within a ZIP, to support common ZIP structure approaches.
Added test to cover.
For #6066
To centralise logic to be more consistent, and to have smarter logic
which avoids just following newline format from input, preventing
smushing HTML elements (like list elements) next to eachother
From testing, don't think this could exploited directly, as the response
would error instead of allowing control characters, but this adds an
extra layer of sanitization, and switches to encoded disposition
filenames for better UTF8 support.