Dan Brown
5ebfa65a46
Testing: Changed ordering in tests to help prevent flaky test
...
Think it would primariy use the created_at ordering based in the
relation which could cause trouble in CI test environment.
This better forces Id based ordering
2026-05-19 13:29:26 +01:00
Dan Brown
b5d3ba2726
Testing: Added extra page edit test
...
Added during investigation for #6062
Might as well leave in even though it does not trigger the cause for
that particuluar issue.
2026-05-18 17:39:00 +01:00
Dan Brown
0cd773a5d3
CSP Headers: Review of #6071
...
- Removed extra non-needed docs in repo
- Tweaked some wording.
- Added extra test scenarios.
- Added options to phpunit default env.
- Added auto-quote-handling for unsafe-inline CSS rule.
For #6033
2026-05-17 18:40:02 +01:00
Dan Brown
dfc91d533b
Merge branch 'development' into Zhey-on/feature/csp-image-css-controls-6033
2026-05-17 17:57:54 +01:00
Dan Brown
39a14cff8f
User MFA: Reviewed addition of reset, added tests
...
Review of #6056
Added test coverage.
2026-05-17 13:05:50 +01:00
Dan Brown
c87abbd23f
Images: Increased validation against related page on upload
...
Adds validation that the related page exists, is visible, and that the
user has page edit permissions for the page.
Aligns with attachment permission model, and aligns across different
image endpoints.
Added tests to cover.
Closes #6126
2026-05-14 18:10:46 +01:00
Dan Brown
c5c066c3e7
Merge pull request 'Merge v26.03 branch changes' ( #6122 ) from v26-03 into development
...
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6122
2026-05-14 16:08:26 +02:00
Dan Brown
1532a99d4e
Meta: Updated issue template labels, fixed minor issues
2026-05-05 20:35:45 +01:00
Dan Brown
cf648906e9
SSR: Hardened URL validator against a range of workarounds
...
Added a more comprehensive range of tests to cover.
Thanks to naruhodoowl (https://github.com/kilhsrito-crypto ) for
reporting.
2026-04-30 10:18:50 +01:00
Dan Brown
3ddfa9b948
Meta: Updated security info and fixed some tests/links
2026-04-30 00:32:27 +01:00
Dan Brown
fddeb9030b
Attachments: Added page access check to attachment delete
...
Thanks to github.com/404-pkj for reporting.
2026-04-29 18:31:11 +01:00
Dan Brown
fc220dea39
Search: Fixed exact saerch term negation causing no results
...
Closes #6121
2026-04-29 18:07:32 +01:00
Dan Brown
55317039ac
Meta: Converted GitHub references in codebase to Codeberg
2026-04-28 09:30:48 +01:00
Dan Brown
cc6e9e0546
CI: Attempt a more robust avif support check
2026-04-27 13:17:58 +01:00
Dan Brown
241563e8fc
Exports: Added testing coverage for DOMPDF font usage
2026-04-22 13:12:34 +01:00
Dan Brown
426f9ac493
Permissions: Prevent export revision metadata view without permission
2026-04-19 16:23:16 +01:00
Dan Brown
e7e019d3d4
Permissions: Added testing coverage for revision-view-all
2026-04-19 15:56:54 +01:00
Dan Brown
18364d1e6e
WYSIWYG: Added inline code support to minimal editor
...
Used for comments and descriptions.
Also updated shortcut handling that we're not registering shortcuts for
edits which can't use the related formatting types.
For #6003
2026-04-16 11:11:06 +01:00
Dan Brown
208629ee1f
API: Some changes to tag API endpoints
...
- Updated tag values endpoint to use query param instead of path
argument, so a better range of values can be provided (including those
with slashes).
- Updated image gallery example request to align with docs use changes.
2026-04-14 12:03:29 +01:00
Dan Brown
346dc27979
API: Added testing to cover tags API endpoints
2026-04-14 11:31:34 +01:00
Dan Brown
93f84a81b2
Merge pull request #6083 from BookStackApp/better_plain_text
...
New HTML to Plaintext handling
2026-04-12 17:01:45 +01:00
Dan Brown
c7e2b487c1
Attachments: Aligned ZipExportAttachment link validation
...
With controller routes.
Don't consider this as a security issue, since the filtered URLs
by that validation are very likely to be blocked by browser security
or CSP, and there's a level of assumed privilege to the users that
are able to create such attachments links already.
Closes #6093
2026-04-12 15:17:31 +01:00
Dan Brown
4e3fa4822f
Sort Rules: Added creation hints to sort rule selection
...
To help direct/indicate how rules can be created.
For #5967
2026-04-12 14:31:40 +01:00
Dan Brown
684a94c419
Theme Modules: Prevented zip-slip in new module extraction method
...
Updated the new (development only) approach which could result in
zip-slip causing trouble. This adds path normalisation, and testing to
cover.
2026-04-11 18:49:34 +01:00
Dan Brown
5fbaab4740
Theme modules: Allowed cross-origin redirects on download
...
With a prompt to the user to confirm they trust the origin.
For #6066
Added tests to cover.
2026-04-11 17:23:11 +01:00
Dan Brown
3d9d5fef51
Theme Modules: Updated install command to handle nested folder
...
Theme module ZIPs will now support their files being in a single nested
directory within a ZIP, to support common ZIP structure approaches.
Added test to cover.
For #6066
2026-04-11 15:04:53 +01:00
Dan Brown
5e78dc6ed5
Maintenance: Updated PHPStan to Level 4 ( #6085 )
2026-04-08 21:03:20 +01:00
Dan Brown
abed4eae0c
Exports: Updated plaintext export to use new converter
2026-04-05 17:51:19 +01:00
Dan Brown
c7d3775bb9
Plain text: Created a new HTML to plain text converter
...
To centralise logic to be more consistent, and to have smarter logic
which avoids just following newline format from input, preventing
smushing HTML elements (like list elements) next to eachother
2026-04-05 00:05:10 +01:00
Zhey
e42fda893c
Add CSP controls for image and CSS sources
2026-03-26 12:00:08 +01:00
Dan Brown
5763d26b17
Updated registration to use validated input instead of all
2026-03-19 21:29:30 +00:00
Dan Brown
8a59895ba0
Merge branch 'sec_chapter_export' into development
2026-03-17 10:41:51 +00:00
Dan Brown
a9ffd3e0c7
Responses: Added extra sanitization for download names
...
From testing, don't think this could exploited directly, as the response
would error instead of allowing control characters, but this adds an
extra layer of sanitization, and switches to encoded disposition
filenames for better UTF8 support.
2026-03-16 18:28:44 +00:00
Dan Brown
49df47836e
Merge pull request #6057 from BookStackApp/v25-12
...
V25.12 changes v3
2026-03-15 12:51:02 +00:00
Dan Brown
f4c9d2b049
Exports: Fixed scope of pages in chapter MD export
...
Added tests to cover children of all MD exports
2026-03-13 13:35:28 +00:00
Dan Brown
6e7cc169d1
Preferences: Updated return redirect with better origin checks
...
As suggested by Alex Dan in their security report.
2026-03-10 18:31:51 +00:00
Dan Brown
404e67afbc
Page Revisions: Added testing coverage to basic diffing
2026-03-10 17:47:07 +00:00
Dan Brown
6d64262a61
Revision Diffs: Added filtering post-diff render
2026-03-10 15:03:43 +00:00
Dan Brown
151823b84e
Theme Modules: Added easier way to insert HTML head content
2026-03-08 10:26:00 +00:00
Dan Brown
27240be499
Theme System: Added new page-content focused events
...
Closes #6049
2026-03-06 12:40:22 +00:00
Dan Brown
d0d1bb9829
Merge pull request #6035 from BookStackApp/v25-12
...
Merge further v25-12 changes into development
2026-03-06 10:26:41 +00:00
Dan Brown
f2f76a3c56
Modules: Improved install command based on testing
...
- Updated output to be clearer
- Added warning and confirmation to local install flow
- Adjusted module folder name creation
2026-03-06 09:28:46 +00:00
Dan Brown
ec3dd856db
Mail: Set domain for EHLO based upon the APP_URL
...
For #5990
2026-02-28 18:46:05 +00:00
Dan Brown
10c46534e0
Logical Theme: Added OIDC_AUTH_PRE_REDIRECT event
...
Allows customization of the auth URL before the user is redirected
to that URL.
Related to #6014
2026-02-27 09:34:33 +00:00
Dan Brown
9a12e3a8b7
Book API: Added shelves list to show endpoint
...
For #6006
Added test to cover.
2026-02-24 10:25:17 +00:00
Dan Brown
7aef0a48b3
Content: Updated filters to allow some required attributes
...
- Allows target attribute on links.
- Allows custom mention attribute on links.
Adds test case to cover these.
For #6034
2026-02-23 08:08:44 +00:00
Dan Brown
1077a4efd0
Merge branch 'v25-12' into development
2026-02-21 13:59:29 +00:00
Dan Brown
229a99ba24
Descriptions: Improved empty field handling, reduces whitespace
...
For #5724
2026-02-20 14:22:54 +00:00
Dan Brown
8e99fc6783
Books: On delete, redirect to shelf if in context
...
For #6029
Added tests to cover
2026-02-20 11:23:26 +00:00
Dan Brown
80204518a2
Page Content: Better handling for empty content filtering
...
For #6028
2026-02-19 23:25:00 +00:00