LLM: Played with a reduced-scope non-vector LLM query system

Allowing the vector query results and the LLM response to each come back
over the same HTTP request at two different times via a somewhat
standard.

Uses a package for JS SSE client, since native browser client does not
support over POST, which is probably important for this endpoint as we
don't want crawlers or other bots abusing this via accidentally.

.env.example.complete

@@ -351,25 +351,10 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow JavaScript, and other potentiall dangerous content in page content.
-# This also removes CSP-level JavaScript control.
+# Allow <script> tags in page content
 # Note, if set to 'true' the page editor may still escape scripts.
-# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
-# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
-# Control the behaviour of content filtering, primarily used for page content.
-# This setting is a string of characters which represent different available filters:
-# - j - Filter out JavaScript and unknown binary data based content
-# - h - Filter out unexpected, and potentially dangerous, HTML elements
-# - f - Filter out unexpected form elements
-# - a - Run content through a more complex allowlist filter
-# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
-# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
-# to ensure you are always using the full range of filters.
-APP_CONTENT_FILTERING="jfha"
-
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.

.forgejo/FUNDING.yml

@@ -1,4 +0,0 @@
-# These are supported funding model platforms
-
-github: [ssddanbrown]
-ko_fi: ssddanbrown

.github/CODE_OF_CONDUCT.md

@@ -1,2 +1,84 @@
-Please find our community rules on our website here:
-https://www.bookstackapp.com/about/community-rules/
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+### Project Maintainer Standards
+
+Project maintainers should generally follow these additional standards:
+
+* Avoid using a negative or harsh tone in communication, Even if the other party
+is being negative themselves.
+* When providing criticism, try to make it constructive to lead the other person
+down the correct path.
+* Keep the [project definition](https://github.com/BookStackApp/BookStack#project-definition)
+in mind when deciding what's in scope of the Project.
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior. In addition, Project
+maintainers are responsible for following the standards themselves.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at the email address shown on [the profile here](https://github.com/ssddanbrown). All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -56,13 +56,3 @@ body:
       description: Add any other context or screenshots about the feature request here.
     validations:
       required: false
-  - type: checkboxes
-    id: ai-thoughts
-    attributes:
-      label: Have you used generative AI/LLMs to create any thoughts in this request?
-      description: |
-        We ask that no machine generated thoughts or ideas are provided, to avoid us spending time considering the ideas
-        of a machine instead of a human. Further guidance on this can be found [in the BookStack community rules](https://www.bookstackapp.com/about/community-rules/#use-of-llmsai).
-      options:
-        - label: This request only contains the thoughts & ideas of a human
-          required: true

.github/pull_request_template.md

@@ -1,11 +0,0 @@
-## Details
-
-<!-- Write details of your pull request in here -->
-<!-- Include references to any relevant issues/discussions -->
-
-## Checklist
-
-<!-- Put an 'x' in between the brackets below to confirm these elements -->
-
-- [ ] I have read the [BookStack community rules](https://www.bookstackapp.com/about/community-rules/).
-- [ ] This PR does not feature significant use of LLM/AI generation as per the community rules above.

.github/translators.txt

@@ -444,7 +444,7 @@ Irjan Olsen (Irch) :: Norwegian Bokmal
 Aleksandar Jovanovic (jovanoviczaleksandar) :: Serbian (Cyrillic)
 Red (RedVortex) :: Hebrew
 xgrug :: Chinese Simplified
-Calle Calmar (HrCalmar) :: Danish
+HrCalmar :: Danish
 Avishay Rapp (AvishayRapp) :: Hebrew
 matthias4217 :: French
 Berke BOYLU2 (berkeboylu2) :: Turkish
@@ -521,19 +521,3 @@ setiawan setiawan (culture.setiawan) :: Indonesian
 Donald Mac Kenzie (kiuman) :: Norwegian Bokmal
 Gabriel Silver (GabrielBSilver) :: Hebrew
 Tomas Darius Davainis (Tomasdd) :: Lithuanian
-CriedHero :: Chinese Simplified
-Henrik (henrik2105) :: Norwegian Bokmal
-FoW (fofwisdom) :: Korean
-serinf-lauza :: French
-Diyan Nikolaev (nikolaev.diyan) :: Bulgarian
-Shadluk Avan (quldosh) :: Uzbek
-Marci (MartonPoto) :: Hungarian
-Michał Sadurski (wheeskeey) :: Polish
-JanDziaslo :: Polish
-Charllys Fernandes (CharllysFernandes) :: Portuguese, Brazilian
-Ilgiz Zigangirov (inov8) :: Russian
-Max Israelsson (Blezie) :: Swedish
-Skiddybison5924 (chris-devel0per) :: German
-Veyilla Nightwhisper (Veyilla) :: German
-João Barbosa (hypeedd) :: Portuguese
-Abcdefg Hijklmn (collatek) :: Korean

.github/workflows/analyse-php.yml

@@ -1,7 +1,6 @@
 name: analyse-php
 
 on:
-  workflow_dispatch:
   push:
     paths:
       - '**.php'
@@ -12,16 +11,14 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: docker
-    container:
-      image: docker.io/library/node:24-trixie
+    runs-on: ubuntu-24.04
     steps:
-    - uses: https://code.forgejo.org/actions/checkout@v6
+    - uses: actions/checkout@v4
 
     - name: Setup PHP
-      uses: https://github.com/shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.5
+        php-version: 8.3
         extensions: gd, mbstring, json, curl, xml, mysql, ldap
 
     - name: Get Composer Cache Directory
@@ -30,16 +27,14 @@ jobs:
         echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
     - name: Cache composer packages
-      uses: https://code.forgejo.org/actions/cache@v5
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
-        key: ${{ runner.os }}-composer-8.5
+        key: ${{ runner.os }}-composer-8.3
         restore-keys: ${{ runner.os }}-composer-
 
     - name: Install composer dependencies
       run: composer install --prefer-dist --no-interaction --ansi
-      env:
-        COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.GH_TOKEN }}"}}'
 
     - name: Run static analysis check
       run: composer check-static

.github/workflows/lint-js.yml

@@ -1,7 +1,6 @@
 name: lint-js
 
 on:
-  workflow_dispatch:
   push:
     paths:
       - '**.js'
@@ -14,11 +13,9 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: docker
-    container:
-      image: docker.io/library/node:24-trixie
+    runs-on: ubuntu-24.04
     steps:
-    - uses: https://code.forgejo.org/actions/checkout@v6
+    - uses: actions/checkout@v4
 
     - name: Install NPM deps
       run: npm ci

.github/workflows/lint-php.yml

@@ -1,7 +1,6 @@
 name: lint-php
 
 on:
-  workflow_dispatch:
   push:
     paths:
       - '**.php'
@@ -12,16 +11,14 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: docker
-    container:
-      image: docker.io/library/node:24-trixie
+    runs-on: ubuntu-24.04
     steps:
-    - uses: https://code.forgejo.org/actions/checkout@v6
+    - uses: actions/checkout@v4
 
     - name: Setup PHP
-      uses: https://github.com/shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.5
+        php-version: 8.3
         tools: phpcs
 
     - name: Run formatting check

.github/workflows/test-js.yml

@@ -1,7 +1,6 @@
 name: test-js
 
 on:
-  workflow_dispatch:
   push:
     paths:
       - '**.js'
@@ -16,11 +15,9 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: docker
-    container:
-      image: docker.io/library/node:24-trixie
+    runs-on: ubuntu-24.04
     steps:
-    - uses: https://code.forgejo.org/actions/checkout@v6
+    - uses: actions/checkout@v4
 
     - name: Install NPM deps
       run: npm ci

.github/workflows/test-migrations.yml

@@ -1,7 +1,6 @@
 name: test-migrations
 
 on:
-  workflow_dispatch:
   push:
     paths:
       - '**.php'
@@ -14,25 +13,15 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: docker
-    container:
-      image: docker.io/library/node:24-trixie
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         php: ['8.2', '8.3', '8.4', '8.5']
-    services:
-      mysql:
-        image: docker.io/library/mariadb:12.2.2-noble
-        env:
-          MARIADB_USER: bookstack-test
-          MARIADB_PASSWORD: bookstack-test
-          MARIADB_DATABASE: bookstack-test
-          MARIADB_ROOT_PASSWORD: password
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Setup PHP
-        uses: https://github.com/shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
           extensions: gd, mbstring, json, curl, xml, mysql, ldap
@@ -43,31 +32,34 @@ jobs:
           echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer packages
-        uses: https://code.forgejo.org/actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
           key: ${{ runner.os }}-composer-${{ matrix.php }}
           restore-keys: ${{ runner.os }}-composer-
 
+      - name: Start MySQL
+        run: |
+          sudo systemctl start mysql
+
+      - name: Create database & user
+        run: |
+          mysql -uroot -proot -e 'CREATE DATABASE IF NOT EXISTS `bookstack-test`;'
+          mysql -uroot -proot -e "CREATE USER 'bookstack-test'@'localhost' IDENTIFIED WITH mysql_native_password BY 'bookstack-test';"
+          mysql -uroot -proot -e "GRANT ALL ON \`bookstack-test\`.* TO 'bookstack-test'@'localhost';"
+          mysql -uroot -proot -e 'FLUSH PRIVILEGES;'
+
       - name: Install composer dependencies
         run: composer install --prefer-dist --no-interaction --ansi
-        env:
-          COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.GH_TOKEN }}"}}'
 
       - name: Start migration test
-        env:
-          TEST_DATABASE_URL: 'mysql://bookstack-test:bookstack-test@mysql/bookstack-test'
         run: |
           php${{ matrix.php }} artisan migrate --force -n --database=mysql_testing
 
       - name: Start migration:rollback test
-        env:
-          TEST_DATABASE_URL: 'mysql://bookstack-test:bookstack-test@mysql/bookstack-test'
         run: |
           php${{ matrix.php }} artisan migrate:rollback --force -n --database=mysql_testing
 
       - name: Start migration rerun test
-        env:
-          TEST_DATABASE_URL: 'mysql://bookstack-test:bookstack-test@mysql/bookstack-test'
         run: |
           php${{ matrix.php }} artisan migrate --force -n --database=mysql_testing

.github/workflows/test-php.yml

@@ -1,7 +1,6 @@
 name: test-php
 
 on:
-  workflow_dispatch:
   push:
     paths:
       - '**.php'
@@ -14,25 +13,15 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: docker
-    container:
-      image: docker.io/library/node:24-trixie
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         php: ['8.2', '8.3', '8.4', '8.5']
-    services:
-      mysql:
-        image: docker.io/library/mariadb:12.2.2-noble
-        env:
-          MARIADB_USER: bookstack-test
-          MARIADB_PASSWORD: bookstack-test
-          MARIADB_DATABASE: bookstack-test
-          MARIADB_ROOT_PASSWORD: password
     steps:
-    - uses: https://code.forgejo.org/actions/checkout@v6
+    - uses: actions/checkout@v4
 
     - name: Setup PHP
-      uses: https://github.com/shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@v2
       with:
         php-version: ${{ matrix.php }}
         extensions: gd, mbstring, json, curl, xml, mysql, ldap, gmp
@@ -43,25 +32,30 @@ jobs:
         echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
     - name: Cache composer packages
-      uses: https://code.forgejo.org/actions/cache@v5
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ matrix.php }}
         restore-keys: ${{ runner.os }}-composer-
 
+    - name: Start Database
+      run: |
+        sudo systemctl start mysql
+
+    - name: Setup Database
+      run: |
+        mysql -uroot -proot -e 'CREATE DATABASE IF NOT EXISTS `bookstack-test`;'
+        mysql -uroot -proot -e "CREATE USER 'bookstack-test'@'localhost' IDENTIFIED WITH mysql_native_password BY 'bookstack-test';"
+        mysql -uroot -proot -e "GRANT ALL ON \`bookstack-test\`.* TO 'bookstack-test'@'localhost';"
+        mysql -uroot -proot -e 'FLUSH PRIVILEGES;'
+
     - name: Install composer dependencies
       run: composer install --prefer-dist --no-interaction --ansi
-      env:
-        COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.GH_TOKEN }}"}}'
 
     - name: Migrate and seed the database
-      env:
-        TEST_DATABASE_URL: 'mysql://bookstack-test:bookstack-test@mysql/bookstack-test'
       run: |
         php${{ matrix.php }} artisan migrate --force -n --database=mysql_testing
         php${{ matrix.php }} artisan db:seed --force -n --class=DummyContentSeeder --database=mysql_testing
 
     - name: Run PHP tests
-      env:
-        TEST_DATABASE_URL: 'mysql://bookstack-test:bookstack-test@mysql/bookstack-test'
       run: php${{ matrix.php }} ./vendor/bin/phpunit

.gitignore

@@ -2,7 +2,6 @@
 /node_modules
 /.vscode
 /composer
-/composer.phar
 /coverage
 Homestead.yaml
 .env

app/Access/Controllers/ForgotPasswordController.php

@@ -45,11 +45,11 @@ class ForgotPasswordController extends Controller
         );
 
         if ($response === Password::RESET_LINK_SENT) {
-            $this->logActivity(ActivityType::AUTH_PASSWORD_RESET, $request->input('email'));
+            $this->logActivity(ActivityType::AUTH_PASSWORD_RESET, $request->get('email'));
         }
 
         if (in_array($response, [Password::RESET_LINK_SENT, Password::INVALID_USER, Password::RESET_THROTTLED])) {
-            $message = trans('auth.reset_password_sent', ['email' => $request->input('email')]);
+            $message = trans('auth.reset_password_sent', ['email' => $request->get('email')]);
             $this->showSuccessNotification($message);
 
             return redirect('/password/email')->with('status', trans($response));

app/Access/Controllers/LoginController.php

@@ -32,12 +32,12 @@ class LoginController extends Controller
     {
         $socialDrivers = $this->socialDriverManager->getActive();
         $authMethod = config('auth.method');
-        $preventInitiation = $request->input('prevent_auto_init') === 'true';
+        $preventInitiation = $request->get('prevent_auto_init') === 'true';
 
         if ($request->has('email')) {
             session()->flashInput([
-                'email'    => $request->input('email'),
-                'password' => (config('app.env') === 'demo') ? $request->input('password', '') : '',
+                'email'    => $request->get('email'),
+                'password' => (config('app.env') === 'demo') ? $request->get('password', '') : '',
             ]);
         }
 
@@ -62,7 +62,7 @@ class LoginController extends Controller
     public function login(Request $request)
     {
         $this->validateLogin($request);
-        $username = $request->input($this->username());
+        $username = $request->get($this->username());
 
         // Check login throttling attempts to see if they've gone over the limit
         if ($this->hasTooManyLoginAttempts($request)) {

app/Access/Controllers/MfaBackupCodesController.php

@@ -84,7 +84,7 @@ class MfaBackupCodesController extends Controller
             ],
         ]);
 
-        $updatedCodes = $codeService->removeInputCodeFromSet($request->input('code'), $codes);
+        $updatedCodes = $codeService->removeInputCodeFromSet($request->get('code'), $codes);
         MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes);
 
         $mfaSession->markVerifiedForUser($user);

app/Access/Controllers/MfaController.php

@@ -51,14 +51,14 @@ class MfaController extends Controller
      */
     public function verify(Request $request)
     {
-        $desiredMethod = $request->input('method');
+        $desiredMethod = $request->get('method');
         $userMethods = $this->currentOrLastAttemptedUser()
             ->mfaValues()
             ->get(['id', 'method'])
             ->groupBy('method');
 
         // Basic search for the default option for a user.
-        // (Prioritises TOTP over backup codes)
+        // (Prioritises totp over backup codes)
         $method = $userMethods->has($desiredMethod) ? $desiredMethod : $userMethods->keys()->sort()->reverse()->first();
         $otherMethods = $userMethods->keys()->filter(function ($userMethod) use ($method) {
             return $method !== $userMethod;

app/Access/Controllers/RegisterController.php

@@ -48,7 +48,8 @@ class RegisterController extends Controller
     public function postRegister(Request $request)
     {
         $this->registrationService->ensureRegistrationAllowed();
-        $userData = $this->validator($request->all())->validate();
+        $this->validator($request->all())->validate();
+        $userData = $request->all();
 
         try {
             $user = $this->registrationService->registerUser($userData);

app/Access/Controllers/ResetPasswordController.php

@@ -48,7 +48,7 @@ class ResetPasswordController extends Controller
 
         // Here we will attempt to reset the user's password. If it is successful we
         // will update the password on an actual user model and persist it to the
-        // database. Otherwise, we will parse the error and return the response.
+        // database. Otherwise we will parse the error and return the response.
         $credentials = $request->only('email', 'password', 'password_confirmation', 'token');
         $response = Password::broker()->reset($credentials, function (User $user, string $password) {
             $user->password = Hash::make($password);
@@ -63,7 +63,7 @@ class ResetPasswordController extends Controller
         // redirect them back to where they came from with their error message.
         return $response === Password::PASSWORD_RESET
             ? $this->sendResetResponse()
-            : $this->sendResetFailedResponse($request, $response, $request->input('token'));
+            : $this->sendResetFailedResponse($request, $response, $request->get('token'));
     }
 
     /**

app/Access/Controllers/Saml2Controller.php

@@ -78,7 +78,7 @@ class Saml2Controller extends Controller
      */
     public function startAcs(Request $request)
     {
-        $samlResponse = $request->input('SAMLResponse', null);
+        $samlResponse = $request->get('SAMLResponse', null);
 
         if (empty($samlResponse)) {
             $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
@@ -100,7 +100,7 @@ class Saml2Controller extends Controller
      */
     public function processAcs(Request $request)
     {
-        $acsId = $request->input('id', null);
+        $acsId = $request->get('id', null);
         $cacheKey = 'saml2_acs:' . $acsId;
         $samlResponse = null;
 

app/Access/Controllers/SocialController.php

@@ -67,7 +67,7 @@ class SocialController extends Controller
         if ($request->has('error') && $request->has('error_description')) {
             throw new SocialSignInException(trans('errors.social_login_bad_response', [
                 'socialAccount' => $socialDriver,
-                'error'         => $request->input('error_description'),
+                'error'         => $request->get('error_description'),
             ]), '/login');
         }
 

app/Access/Controllers/UserInviteController.php

@@ -67,7 +67,7 @@ class UserInviteController extends Controller
         }
 
         $user = $this->userRepo->getById($userId);
-        $user->password = Hash::make($request->input('password'));
+        $user->password = Hash::make($request->get('password'));
         $user->email_confirmed = true;
         $user->save();
 

app/Access/EmailConfirmationService.php

@@ -5,7 +5,6 @@ namespace BookStack\Access;
 use BookStack\Access\Notifications\ConfirmEmailNotification;
 use BookStack\Exceptions\ConfirmationEmailException;
 use BookStack\Users\Models\User;
-use Exception;
 
 class EmailConfirmationService extends UserTokenService
 {
@@ -17,7 +16,6 @@ class EmailConfirmationService extends UserTokenService
      * Also removes any existing old ones.
      *
      * @throws ConfirmationEmailException
-     * @throws Exception
      */
     public function sendConfirmation(User $user): void
     {

app/Access/LoginService.php

@@ -71,7 +71,7 @@ class LoginService
         }
 
         $lastLoginDetails = $this->getLastLoginAttemptDetails();
-        $this->login($user, $lastLoginDetails['method'], $lastLoginDetails['remember']);
+        $this->login($user, $lastLoginDetails['method'], $lastLoginDetails['remember'] ?? false);
     }
 
     /**

app/Access/Mfa/MfaValue.php

@@ -48,16 +48,17 @@ class MfaValue extends Model
     }
 
     /**
-     * Get the decrypted MFA value for the given user and method.
+     * Easily get the decrypted MFA value for the given user and method.
      */
     public static function getValueForUser(User $user, string $method): ?string
     {
+        /** @var MfaValue $mfaVal */
         $mfaVal = static::query()
             ->where('user_id', '=', $user->id)
             ->where('method', '=', $method)
             ->first();
 
-        return $mfaVal?->getValue();
+        return $mfaVal ? $mfaVal->getValue() : null;
     }
 
     /**

app/Access/Oidc/OidcJwtSigningKey.php

@@ -9,7 +9,10 @@ use phpseclib3\Math\BigInteger;
 
 class OidcJwtSigningKey
 {
-    protected PublicKey $key;
+    /**
+     * @var PublicKey
+     */
+    protected $key;
 
     /**
      * Can be created either from a JWK parameter array or local file path to load a certificate from.
@@ -17,13 +20,15 @@ class OidcJwtSigningKey
      * 'file:///var/www/cert.pem'
      * ['kty' => 'RSA', 'alg' => 'RS256', 'n' => 'abc123...'].
      *
+     * @param array|string $jwkOrKeyPath
+     *
      * @throws OidcInvalidKeyException
      */
-    public function __construct(array|string $jwkOrKeyPath)
+    public function __construct($jwkOrKeyPath)
     {
         if (is_array($jwkOrKeyPath)) {
             $this->loadFromJwkArray($jwkOrKeyPath);
-        } elseif (str_starts_with($jwkOrKeyPath, 'file://')) {
+        } elseif (is_string($jwkOrKeyPath) && strpos($jwkOrKeyPath, 'file://') === 0) {
             $this->loadFromPath($jwkOrKeyPath);
         } else {
             throw new OidcInvalidKeyException('Unexpected type of key value provided');
@@ -33,7 +38,7 @@ class OidcJwtSigningKey
     /**
      * @throws OidcInvalidKeyException
      */
-    protected function loadFromPath(string $path): void
+    protected function loadFromPath(string $path)
     {
         try {
             $key = PublicKeyLoader::load(
@@ -53,7 +58,7 @@ class OidcJwtSigningKey
     /**
      * @throws OidcInvalidKeyException
      */
-    protected function loadFromJwkArray(array $jwk): void
+    protected function loadFromJwkArray(array $jwk)
     {
         // 'alg' is optional for a JWK, but we will still attempt to validate if
         // it exists otherwise presume it will be compatible.
@@ -77,7 +82,7 @@ class OidcJwtSigningKey
             throw new OidcInvalidKeyException('A "n" parameter on the provided key is expected');
         }
 
-        $n = strtr($jwk['n'], '-_', '+/');
+        $n = strtr($jwk['n'] ?? '', '-_', '+/');
 
         try {
             $key = PublicKeyLoader::load([

app/Access/Oidc/OidcJwtWithClaims.php

@@ -102,12 +102,12 @@ class OidcJwtWithClaims implements ProvidesClaims
     protected function validateTokenStructure(): void
     {
         foreach (['header', 'payload'] as $prop) {
-            if (empty($this->$prop)) {
+            if (empty($this->$prop) || !is_array($this->$prop)) {
                 throw new OidcInvalidTokenException("Could not parse out a valid {$prop} within the provided token");
             }
         }
 
-        if (empty($this->signature)) {
+        if (empty($this->signature) || !is_string($this->signature)) {
             throw new OidcInvalidTokenException('Could not parse out a valid signature within the provided token');
         }
     }

app/Access/Oidc/OidcService.php

@@ -49,11 +49,6 @@ class OidcService
         $url = $provider->getAuthorizationUrl();
         session()->put('oidc_pkce_code', $provider->getPkceCode() ?? '');
 
-        $returnUrl = Theme::dispatch(ThemeEvents::OIDC_AUTH_PRE_REDIRECT, $url);
-        if (is_string($returnUrl)) {
-            $url = $returnUrl;
-        }
-
         return [
             'url'   => $url,
             'state' => $provider->getState(),

app/Access/Oidc/OidcUserDetails.php

@@ -39,7 +39,7 @@ class OidcUserDetails
     ): void {
         $this->externalId = $claims->getClaim($idClaim) ?? $this->externalId;
         $this->email = $claims->getClaim('email') ?? $this->email;
-        $this->name = static::getUserDisplayName($displayNameClaims, $claims) ?: $this->name;
+        $this->name = static::getUserDisplayName($displayNameClaims, $claims) ?? $this->name;
         $this->groups = static::getUserGroups($groupsClaim, $claims) ?? $this->groups;
         $this->picture = static::getPicture($claims) ?: $this->picture;
     }

app/Access/RegistrationService.php

@@ -83,7 +83,7 @@ class RegistrationService
         // Email restriction
         $this->ensureEmailDomainAllowed($userEmail);
 
-        // Ensure the user does not already exist
+        // Ensure user does not already exist
         $alreadyUser = !is_null($this->userRepo->getByEmail($userEmail));
         if ($alreadyUser) {
             throw new UserRegistrationException(trans('errors.error_user_exists_different_creds', ['email' => $userEmail]), '/login');
@@ -99,7 +99,7 @@ class RegistrationService
         $newUser = $this->userRepo->createWithoutActivity($userData, $emailConfirmed);
         $newUser->attachDefaultRole();
 
-        // Assign a social account if given
+        // Assign social account if given
         if ($socialAccount) {
             $newUser->socialAccounts()->save($socialAccount);
         }
@@ -107,7 +107,7 @@ class RegistrationService
         Activity::add(ActivityType::AUTH_REGISTER, $socialAccount ?? $newUser);
         Theme::dispatch(ThemeEvents::AUTH_REGISTER, $authSystem, $newUser);
 
-        // Start the email confirmation flow if required
+        // Start email confirmation flow if required
         if ($this->emailConfirmationService->confirmationRequired() && !$emailConfirmed) {
             $newUser->save();
 

app/Access/Saml2Service.php

@@ -266,7 +266,7 @@ class Saml2Service
     /**
      * Extract the details of a user from a SAML response.
      *
-     * @return array{external_id: string, name: string, email: string|null, saml_id: string}
+     * @return array{external_id: string, name: string, email: string, saml_id: string}
      */
     protected function getUserDetails(string $samlID, $samlAttributes): array
     {
@@ -357,7 +357,7 @@ class Saml2Service
             ]);
         }
 
-        if (empty($userDetails['email'])) {
+        if ($userDetails['email'] === null) {
             throw new SamlException(trans('errors.saml_no_email_address'));
         }
 

app/Access/SocialAuthService.php

@@ -117,14 +117,14 @@ class SocialAuthService
         }
 
         // When a user is logged in and the social account exists and is already linked to the current user.
-        if ($isLoggedIn && $socialAccount->user->id === $currentUser->id) {
+        if ($isLoggedIn && $socialAccount !== null && $socialAccount->user->id === $currentUser->id) {
             session()->flash('error', trans('errors.social_account_existing', ['socialAccount' => $titleCaseDriver]));
 
             return redirect('/my-account/auth#social_accounts');
         }
 
         // When a user is logged in, A social account exists but the users do not match.
-        if ($isLoggedIn && $socialAccount->user->id != $currentUser->id) {
+        if ($isLoggedIn && $socialAccount !== null && $socialAccount->user->id != $currentUser->id) {
             session()->flash('error', trans('errors.social_account_already_used_existing', ['socialAccount' => $titleCaseDriver]));
 
             return redirect('/my-account/auth#social_accounts');

app/Activity/Controllers/AuditLogController.php

@@ -17,19 +17,19 @@ class AuditLogController extends Controller
         $this->checkPermission(Permission::SettingsManage);
         $this->checkPermission(Permission::UsersManage);
 
-        $sort = $request->input('sort', 'activity_date');
-        $order = $request->input('order', 'desc');
+        $sort = $request->get('sort', 'activity_date');
+        $order = $request->get('order', 'desc');
         $listOptions = (new SimpleListOptions('', $sort, $order))->withSortOptions([
             'created_at' => trans('settings.audit_table_date'),
             'type' => trans('settings.audit_table_event'),
         ]);
 
         $filters = [
-            'event'     => $request->input('event', ''),
-            'date_from' => $request->input('date_from', ''),
-            'date_to'   => $request->input('date_to', ''),
-            'user'      => $request->input('user', ''),
-            'ip'        => $request->input('ip', ''),
+            'event'     => $request->get('event', ''),
+            'date_from' => $request->get('date_from', ''),
+            'date_to'   => $request->get('date_to', ''),
+            'user'      => $request->get('user', ''),
+            'ip'        => $request->get('ip', ''),
         ];
 
         $query = Activity::query()

app/Activity/Controllers/FavouriteController.php

@@ -20,7 +20,7 @@ class FavouriteController extends Controller
     public function index(Request $request, QueryTopFavourites $topFavourites)
     {
         $viewCount = 20;
-        $page = intval($request->input('page', 1));
+        $page = intval($request->get('page', 1));
         $favourites = $topFavourites->run($viewCount + 1, (($page - 1) * $viewCount));
 
         $hasMoreLink = ($favourites->count() > $viewCount) ? url('/favourites?page=' . ($page + 1)) : null;

app/Activity/Controllers/TagApiController.php

@@ -1,68 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace BookStack\Activity\Controllers;
-
-use BookStack\Activity\TagRepo;
-use BookStack\Http\ApiController;
-use Illuminate\Http\JsonResponse;
-use Illuminate\Http\Request;
-
-/**
- * Endpoints to query data about tags in the system.
- * You'll only see results based on tags applied to content you have access to.
- * There are no general create/update/delete endpoints here since tags do not exist
- * by themselves, they are managed via the items they are assigned to.
- */
-class TagApiController extends ApiController
-{
-    public function __construct(
-        protected TagRepo $tagRepo,
-    ) {
-    }
-
-    protected function rules(): array
-    {
-        return [
-            'listValues' => [
-                'name' => ['required', 'string'],
-            ],
-        ];
-    }
-
-    /**
-     * Get a list of tag names used in the system.
-     * Only the name field can be used in filters.
-     */
-    public function listNames(): JsonResponse
-    {
-        $tagQuery = $this->tagRepo
-            ->queryWithTotalsForApi('');
-
-        return $this->apiListingResponse($tagQuery, [
-            'name', 'values', 'usages', 'page_count', 'chapter_count', 'book_count', 'shelf_count',
-        ], [], [
-            'name'
-        ]);
-    }
-
-    /**
-     * Get a list of tag values, which have been set for the given tag name,
-     * which must be provided as a query parameter on the request.
-     * Only the value field can be used in filters.
-     */
-    public function listValues(Request $request): JsonResponse
-    {
-        $data = $this->validate($request, $this->rules()['listValues']);
-        $name = $data['name'];
-
-        $tagQuery = $this->tagRepo->queryWithTotalsForApi($name);
-
-        return $this->apiListingResponse($tagQuery, [
-            'name', 'value', 'usages', 'page_count', 'chapter_count', 'book_count', 'shelf_count',
-        ], [], [
-            'value',
-        ]);
-    }
-}

app/Activity/Controllers/TagController.php

@@ -24,9 +24,9 @@ class TagController extends Controller
             'usages' => trans('entities.tags_usages'),
         ]);
 
-        $nameFilter = $request->input('name', '');
+        $nameFilter = $request->get('name', '');
         $tags = $this->tagRepo
-            ->queryWithTotalsForList($listOptions, $nameFilter)
+            ->queryWithTotals($listOptions, $nameFilter)
             ->paginate(50)
             ->appends(array_filter(array_merge($listOptions->getPaginationAppends(), [
                 'name'   => $nameFilter,
@@ -46,7 +46,7 @@ class TagController extends Controller
      */
     public function getNameSuggestions(Request $request)
     {
-        $searchTerm = $request->input('search', '');
+        $searchTerm = $request->get('search', '');
         $suggestions = $this->tagRepo->getNameSuggestions($searchTerm);
 
         return response()->json($suggestions);
@@ -57,8 +57,8 @@ class TagController extends Controller
      */
     public function getValueSuggestions(Request $request)
     {
-        $searchTerm = $request->input('search', '');
-        $tagName = $request->input('name', '');
+        $searchTerm = $request->get('search', '');
+        $tagName = $request->get('name', '');
         $suggestions = $this->tagRepo->getValueSuggestions($searchTerm, $tagName);
 
         return response()->json($suggestions);

app/Activity/Models/Comment.php

@@ -8,8 +8,6 @@ use BookStack\Permissions\PermissionApplicator;
 use BookStack\Users\Models\HasCreatorAndUpdater;
 use BookStack\Users\Models\OwnableInterface;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
-use BookStack\Util\HtmlToPlainText;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
@@ -84,14 +82,7 @@ class Comment extends Model implements Loggable, OwnableInterface
 
     public function safeHtml(): string
     {
-        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
-        return $filter->filterString($this->html ?? '');
-    }
-
-    public function getPlainText(): string
-    {
-        $converter = new HtmlToPlainText();
-        return $converter->convert($this->html ?? '');
+        return HtmlContentFilter::removeScriptsFromHtmlString($this->html ?? '');
     }
 
     public function jointPermissions(): HasMany

app/Activity/Notifications/Messages/CommentCreationNotification.php

@@ -24,7 +24,7 @@ class CommentCreationNotification extends BaseActivityNotification
             $locale->trans('notifications.detail_page_name') => new EntityLinkMessageLine($page),
             $locale->trans('notifications.detail_page_path') => $this->buildPagePathLine($page, $notifiable),
             $locale->trans('notifications.detail_commenter') => $this->user->name,
-            $locale->trans('notifications.detail_comment') => $comment->getPlainText(),
+            $locale->trans('notifications.detail_comment') => strip_tags($comment->html),
         ]);
 
         return $this->newMailMessage($locale)

app/Activity/Notifications/Messages/CommentMentionNotification.php

@@ -24,7 +24,7 @@ class CommentMentionNotification extends BaseActivityNotification
             $locale->trans('notifications.detail_page_name') => new EntityLinkMessageLine($page),
             $locale->trans('notifications.detail_page_path') => $this->buildPagePathLine($page, $notifiable),
             $locale->trans('notifications.detail_commenter') => $this->user->name,
-            $locale->trans('notifications.detail_comment') => $comment->getPlainText(),
+            $locale->trans('notifications.detail_comment') => strip_tags($comment->html),
         ]);
 
         return $this->newMailMessage($locale)

app/Activity/Notifications/NotificationManager.php

@@ -15,14 +15,14 @@ use BookStack\Users\Models\User;
 class NotificationManager
 {
     /**
-     * @var array<string, class-string<NotificationHandler>[]>
+     * @var class-string<NotificationHandler>[]
      */
-    protected array $handlersByActivity = [];
+    protected array $handlers = [];
 
     public function handle(Activity $activity, string|Loggable $detail, User $user): void
     {
         $activityType = $activity->type;
-        $handlersToRun = $this->handlersByActivity[$activityType] ?? [];
+        $handlersToRun = $this->handlers[$activityType] ?? [];
         foreach ($handlersToRun as $handlerClass) {
             /** @var NotificationHandler $handler */
             $handler = new $handlerClass();
@@ -35,12 +35,12 @@ class NotificationManager
      */
     public function registerHandler(string $activityType, string $handlerClass): void
     {
-        if (!isset($this->handlersByActivity[$activityType])) {
-            $this->handlersByActivity[$activityType] = [];
+        if (!isset($this->handlers[$activityType])) {
+            $this->handlers[$activityType] = [];
         }
 
-        if (!in_array($handlerClass, $this->handlersByActivity[$activityType])) {
-            $this->handlersByActivity[$activityType][] = $handlerClass;
+        if (!in_array($handlerClass, $this->handlers[$activityType])) {
+            $this->handlers[$activityType][] = $handlerClass;
         }
     }
 

app/Activity/TagRepo.php

@@ -18,10 +18,9 @@ class TagRepo
     }
 
     /**
-     * Start a query against all tags in the system, with total counts for their usage,
-     * suitable for a system interface list with listing options.
+     * Start a query against all tags in the system.
      */
-    public function queryWithTotalsForList(SimpleListOptions $listOptions, string $nameFilter): Builder
+    public function queryWithTotals(SimpleListOptions $listOptions, string $nameFilter): Builder
     {
         $searchTerm = $listOptions->getSearch();
         $sort = $listOptions->getSort();
@@ -29,34 +28,17 @@ class TagRepo
             $sort = 'value';
         }
 
-        $query = $this->baseQueryWithTotals($nameFilter, $searchTerm)
-            ->orderBy($sort, $listOptions->getOrder());
-
-        return $this->permissions->restrictEntityRelationQuery($query, 'tags', 'entity_id', 'entity_type');
-    }
-
-    /**
-     * Start a query against all tags in the system, with total counts for their usage,
-     * which can be used via the API.
-     */
-    public function queryWithTotalsForApi(string $nameFilter): Builder
-    {
-        $query = $this->baseQueryWithTotals($nameFilter, '');
-        return $this->permissions->restrictEntityRelationQuery($query, 'tags', 'entity_id', 'entity_type');
-    }
-
-    protected function baseQueryWithTotals(string $nameFilter, string $searchTerm): Builder
-    {
         $query = Tag::query()
             ->select([
                 'name',
                 ($searchTerm || $nameFilter) ? 'value' : DB::raw('COUNT(distinct value) as `values`'),
                 DB::raw('COUNT(id) as usages'),
-                DB::raw('CAST(SUM(IF(entity_type = \'page\', 1, 0)) as UNSIGNED) as page_count'),
-                DB::raw('CAST(SUM(IF(entity_type = \'chapter\', 1, 0)) as UNSIGNED) as chapter_count'),
-                DB::raw('CAST(SUM(IF(entity_type = \'book\', 1, 0)) as UNSIGNED) as book_count'),
-                DB::raw('CAST(SUM(IF(entity_type = \'bookshelf\', 1, 0)) as UNSIGNED) as shelf_count'),
+                DB::raw('SUM(IF(entity_type = \'page\', 1, 0)) as page_count'),
+                DB::raw('SUM(IF(entity_type = \'chapter\', 1, 0)) as chapter_count'),
+                DB::raw('SUM(IF(entity_type = \'book\', 1, 0)) as book_count'),
+                DB::raw('SUM(IF(entity_type = \'bookshelf\', 1, 0)) as shelf_count'),
             ])
+            ->orderBy($sort, $listOptions->getOrder())
             ->whereHas('entity');
 
         if ($nameFilter) {
@@ -75,7 +57,7 @@ class TagRepo
             });
         }
 
-        return $query;
+        return $this->permissions->restrictEntityRelationQuery($query, 'tags', 'entity_id', 'entity_type');
     }
 
     /**

app/Api/ApiDocsGenerator.php

@@ -17,14 +17,7 @@ use ReflectionMethod;
 
 class ApiDocsGenerator
 {
-    /**
-     * @var array<string, ReflectionClass>
-     */
     protected array $reflectionClasses = [];
-
-    /**
-     * @var array<string, ApiController>
-     */
     protected array $controllerClasses = [];
 
     /**
@@ -114,6 +107,7 @@ class ApiDocsGenerator
      */
     protected function getBodyParamsFromClass(string $className, string $methodName): ?array
     {
+        /** @var ApiController $class */
         $class = $this->controllerClasses[$className] ?? null;
         if ($class === null) {
             $class = app()->make($className);
@@ -159,7 +153,7 @@ class ApiDocsGenerator
         $matches = [];
         preg_match_all('/^\s*?\*\s?($|((?![\/@\s]).*?))$/m', $comment, $matches);
 
-        $text = implode(' ', $matches[1]);
+        $text = implode(' ', $matches[1] ?? []);
         return str_replace('  ', "\n", $text);
     }
 
@@ -195,12 +189,11 @@ class ApiDocsGenerator
     protected function getFlatApiRoutes(): Collection
     {
         return collect(Route::getRoutes()->getRoutes())->filter(function ($route) {
-            return str_starts_with($route->uri, 'api/');
+            return strpos($route->uri, 'api/') === 0;
         })->map(function ($route) {
             [$controller, $controllerMethod] = explode('@', $route->action['uses']);
             $baseModelName = explode('.', explode('/', $route->uri)[1])[0];
-            $controllerMethodKebab = Str::kebab($controllerMethod);
-            $shortName = $baseModelName . '-' . $controllerMethodKebab;
+            $shortName = $baseModelName . '-' . $controllerMethod;
 
             return [
                 'name'                    => $shortName,
@@ -208,7 +201,7 @@ class ApiDocsGenerator
                 'method'                  => $route->methods[0],
                 'controller'              => $controller,
                 'controller_method'       => $controllerMethod,
-                'controller_method_kebab' => $controllerMethodKebab,
+                'controller_method_kebab' => Str::kebab($controllerMethod),
                 'base_model'              => $baseModelName,
             ];
         });

app/Api/ApiEntityListFormatter.php

@@ -74,21 +74,18 @@ class ApiEntityListFormatter
 
     /**
      * Include parent book/chapter info in the formatted data.
-     * These functions are careful to not load the relation themselves, since they should
-     * have already been loaded in a more efficient manner, with permissions applied, by the time
-     * the parent fields are handled here.
      */
     public function withParents(): self
     {
         $this->withField('book', function (Entity $entity) {
-            if ($entity instanceof BookChild && $entity->relationLoaded('book') && $entity->getRelationValue('book')) {
+            if ($entity instanceof BookChild && $entity->book) {
                 return $entity->book->only(['id', 'name', 'slug']);
             }
             return null;
         });
 
         $this->withField('chapter', function (Entity $entity) {
-            if ($entity instanceof Page && $entity->relationLoaded('chapter') && $entity->getRelationValue('chapter')) {
+            if ($entity instanceof Page && $entity->chapter) {
                 return $entity->chapter->only(['id', 'name', 'slug']);
             }
             return null;

app/Api/ApiTokenGuard.php

@@ -17,14 +17,29 @@ class ApiTokenGuard implements Guard
     use GuardHelpers;
 
     /**
-     * The last auth exception thrown in this request.
+     * The request instance.
      */
-    protected ApiAuthException|null $lastAuthException = null;
+    protected $request;
 
-    public function __construct(
-        protected Request $request,
-        protected LoginService $loginService
-    ) {
+    /**
+     * @var LoginService
+     */
+    protected $loginService;
+
+    /**
+     * The last auth exception thrown in this request.
+     *
+     * @var ApiAuthException
+     */
+    protected $lastAuthException;
+
+    /**
+     * ApiTokenGuard constructor.
+     */
+    public function __construct(Request $request, LoginService $loginService)
+    {
+        $this->request = $request;
+        $this->loginService = $loginService;
     }
 
     /**
@@ -52,7 +67,7 @@ class ApiTokenGuard implements Guard
     }
 
     /**
-     * Determine if the current user is authenticated. If not, throw an exception.
+     * Determine if current user is authenticated. If not, throw an exception.
      *
      * @throws ApiAuthException
      *
@@ -106,7 +121,7 @@ class ApiTokenGuard implements Guard
             throw new ApiAuthException(trans('errors.api_no_authorization_found'));
         }
 
-        if (!str_contains($authToken, ':') || !str_starts_with($authToken, 'Token ')) {
+        if (strpos($authToken, ':') === false || strpos($authToken, 'Token ') !== 0) {
             throw new ApiAuthException(trans('errors.api_bad_authorization_format'));
         }
     }
@@ -140,7 +155,7 @@ class ApiTokenGuard implements Guard
     /**
      * {@inheritdoc}
      */
-    public function validate(array $credentials = []): bool
+    public function validate(array $credentials = [])
     {
         if (empty($credentials['id']) || empty($credentials['secret'])) {
             return false;
@@ -160,7 +175,7 @@ class ApiTokenGuard implements Guard
     /**
      * "Log out" the currently authenticated user.
      */
-    public function logout(): void
+    public function logout()
     {
         $this->user = null;
     }

app/Api/ListingResponseBuilder.php

@@ -18,13 +18,6 @@ class ListingResponseBuilder
      */
     protected array $fields;
 
-    /**
-     * Which fields are filterable.
-     * When null, the $fields above are used instead (Allow all fields).
-     * @var string[]|null
-     */
-    protected array|null $filterableFields = null;
-
     /**
      * @var array<callable>
      */
@@ -61,7 +54,7 @@ class ListingResponseBuilder
     {
         $filteredQuery = $this->filterQuery($this->query);
 
-        $total = $filteredQuery->getCountForPagination();
+        $total = $filteredQuery->count();
         $data = $this->fetchData($filteredQuery)->each(function ($model) {
             foreach ($this->resultModifiers as $modifier) {
                 $modifier($model);
@@ -84,14 +77,6 @@ class ListingResponseBuilder
         $this->resultModifiers[] = $modifier;
     }
 
-    /**
-     * Limit filtering to just the given set of fields.
-     */
-    public function setFilterableFields(array $fields): void
-    {
-        $this->filterableFields = $fields;
-    }
-
     /**
      * Fetch the data to return within the response.
      */
@@ -109,7 +94,7 @@ class ListingResponseBuilder
     protected function filterQuery(Builder $query): Builder
     {
         $query = clone $query;
-        $requestFilters = $this->request->input('filter', []);
+        $requestFilters = $this->request->get('filter', []);
         if (!is_array($requestFilters)) {
             return $query;
         }
@@ -129,11 +114,10 @@ class ListingResponseBuilder
     protected function requestFilterToQueryFilter($fieldKey, $value): ?array
     {
         $splitKey = explode(':', $fieldKey);
-        $field = strtolower($splitKey[0]);
+        $field = $splitKey[0];
         $filterOperator = $splitKey[1] ?? 'eq';
 
-        $filterFields = $this->filterableFields ?? $this->fields;
-        if (!in_array($field, $filterFields)) {
+        if (!in_array($field, $this->fields)) {
             return null;
         }
 
@@ -156,8 +140,8 @@ class ListingResponseBuilder
         $defaultSortName = $this->fields[0];
         $direction = 'asc';
 
-        $sort = $this->request->input('sort', '');
-        if (str_starts_with($sort, '-')) {
+        $sort = $this->request->get('sort', '');
+        if (strpos($sort, '-') === 0) {
             $direction = 'desc';
         }
 
@@ -176,9 +160,9 @@ class ListingResponseBuilder
     protected function countAndOffsetQuery(Builder $query): Builder
     {
         $query = clone $query;
-        $offset = max(0, $this->request->input('offset', 0));
+        $offset = max(0, $this->request->get('offset', 0));
         $maxCount = config('api.max_item_count');
-        $count = $this->request->input('count', config('api.default_item_count'));
+        $count = $this->request->get('count', config('api.default_item_count'));
         $count = max(min($maxCount, $count), 1);
 
         return $query->skip($offset)->take($count);

app/Api/UserApiTokenController.php

@@ -48,11 +48,11 @@ class UserApiTokenController extends Controller
         $secret = Str::random(32);
 
         $token = (new ApiToken())->forceFill([
-            'name'       => $request->input('name'),
+            'name'       => $request->get('name'),
             'token_id'   => Str::random(32),
             'secret'     => Hash::make($secret),
             'user_id'    => $user->id,
-            'expires_at' => $request->input('expires_at') ?: ApiToken::defaultExpiry(),
+            'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
         ]);
 
         while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) {
@@ -100,8 +100,8 @@ class UserApiTokenController extends Controller
 
         [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
         $token->fill([
-            'name'       => $request->input('name'),
-            'expires_at' => $request->input('expires_at') ?: ApiToken::defaultExpiry(),
+            'name'       => $request->get('name'),
+            'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
         ])->save();
 
         $this->logActivity(ActivityType::API_TOKEN_UPDATE, $token);

app/App/Providers/AppServiceProvider.php

@@ -65,13 +65,6 @@ class AppServiceProvider extends ServiceProvider
             URL::forceScheme($isHttps ? 'https' : 'http');
         }
 
-        // Set SMTP mail driver to use a local domain matching the app domain,
-        // which helps avoid defaulting to a 127.0.0.1 domain
-        if ($appUrl) {
-            $hostName = parse_url($appUrl, PHP_URL_HOST) ?: null;
-            config()->set('mail.mailers.smtp.local_domain', $hostName);
-        }
-
         // Allow longer string lengths after upgrade to utf8mb4
         Schema::defaultStringLength(191);
 

app/App/Providers/ThemeServiceProvider.php

@@ -4,8 +4,6 @@ namespace BookStack\App\Providers;
 
 use BookStack\Theming\ThemeEvents;
 use BookStack\Theming\ThemeService;
-use BookStack\Theming\ThemeViews;
-use Illuminate\Support\Facades\Blade;
 use Illuminate\Support\ServiceProvider;
 
 class ThemeServiceProvider extends ServiceProvider
@@ -26,26 +24,7 @@ class ThemeServiceProvider extends ServiceProvider
     {
         // Boot up the theme system
         $themeService = $this->app->make(ThemeService::class);
-        $viewFactory = $this->app->make('view');
-        $themeViews = new ThemeViews($viewFactory->getFinder());
-
-        // Use a custom include so that we can insert theme views before/after includes.
-        // This is done, even if no theme is active, so that view caching does not create problems
-        // when switching between themes or when switching a theme on/off.
-        $viewFactory->share('__themeViews', $themeViews);
-        Blade::directive('include', function ($expression) {
-            return "<?php echo \$__themeViews->handleViewInclude({$expression}, array_diff_key(get_defined_vars(), ['__data' => 1, '__path' => 1])); ?>";
-        });
-
-        if (!$themeService->getTheme()) {
-            return;
-        }
-
-        $themeService->loadModules();
         $themeService->readThemeActions();
         $themeService->dispatch(ThemeEvents::APP_BOOT, $this->app);
-
-        $themeViews->registerViewPathsForTheme($themeService->getModules());
-        $themeService->dispatch(ThemeEvents::THEME_REGISTER_VIEWS, $themeViews);
     }
 }

app/App/helpers.php

@@ -81,7 +81,8 @@ function setting(?string $key = null, mixed $default = null): mixed
 
 /**
  * Get a path to a theme resource.
- * Returns null if a theme is not configured, and therefore a full path is not available for use.
+ * Returns null if a theme is not configured and
+ * therefore a full path is not available for use.
  */
 function theme_path(string $path = ''): ?string
 {

app/Config/app.php

@@ -37,15 +37,10 @@ return [
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Control the behaviour of content filtering, primarily used for page content.
-    // This setting is a string of characters which represent different available filters:
-    // - j - Filter out JavaScript and unknown binary data based content
-    // - h - Filter out unexpected, and potentially dangerous, HTML elements
-    // - f - Filter out unexpected form elements
-    // - a - Run content through a more complex allowlist filter
-    // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
-    'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
+    // Allow <script> tags to entered within page content.
+    // <script> tags are escaped by default.
+    // Even when overridden the WYSIWYG editor may still escape script content.
+    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
 
     // Allow server-side fetches to be performed to potentially unknown
     // and user-provided locations. Primarily used in exports when loading
@@ -53,8 +48,8 @@ return [
     'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
 
     // Override the default behaviour for allowing crawlers to crawl the instance.
-    // May be ignored if the underlying view has been overridden or modified.
-    // Defaults to null in which case the 'app-public' status is used instead.
+    // May be ignored if view has be overridden or modified.
+    // Defaults to null since, if not set, 'app-public' status used instead.
     'allow_robots' => env('ALLOW_ROBOTS', null),
 
     // Application Base URL, Used by laravel in development commands

app/Config/exports.php

@@ -68,7 +68,7 @@ return [
          * Times-Roman, Times-Bold, Times-BoldItalic, Times-Italic,
          * Symbol, ZapfDingbats.
          */
-        'font_dir' => storage_path('fonts/dompdf'),  // advised by dompdf (https://github.com/dompdf/dompdf/pull/782)
+        'font_dir' => storage_path('fonts/'),  // advised by dompdf (https://github.com/dompdf/dompdf/pull/782)
 
         /**
          * The location of the DOMPDF font cache directory.
@@ -78,7 +78,7 @@ return [
          *
          * Note: This directory must exist and be writable by the webserver process.
          */
-        'font_cache' => storage_path('fonts/dompdf/cache'),
+        'font_cache' => storage_path('fonts/'),
 
         /**
          * The location of a temporary directory.

app/Config/services.php

@@ -22,6 +22,18 @@ return [
     // Callback URL for social authentication methods
     'callback_url' => env('APP_URL', false),
 
+    // LLM Service
+    // Options: openai
+    'llm' => env('LLM_SERVICE', ''),
+
+    // OpenAI API-compatible service details
+    'openai' => [
+        'endpoint' => env('OPENAI_ENDPOINT', 'https://api.openai.com'),
+        'key' => env('OPENAI_KEY', ''),
+        'embedding_model' => env('OPENAI_EMBEDDING_MODEL', 'text-embedding-3-small'),
+        'query_model' => env('OPENAI_QUERY_MODEL', 'gpt-4o'),
+    ],
+
     'github'   => [
         'client_id'     => env('GITHUB_APP_ID', false),
         'client_secret' => env('GITHUB_APP_SECRET', false),

app/Config/view.php

@@ -8,6 +8,12 @@
  * Do not edit this file unless you're happy to maintain any changes yourself.
  */
 
+// Join up possible view locations
+$viewPaths = [realpath(base_path('resources/views'))];
+if ($theme = env('APP_THEME', false)) {
+    array_unshift($viewPaths, base_path('themes/' . $theme));
+}
+
 return [
 
     // App theme
@@ -20,7 +26,7 @@ return [
     // Most templating systems load templates from disk. Here you may specify
     // an array of paths that should be checked for your views. Of course
     // the usual Laravel view path has already been registered for you.
-    'paths' => [realpath(base_path('resources/views'))],
+    'paths' => $viewPaths,
 
     // Compiled View Path
     // This option determines where all the compiled Blade templates will be

app/Console/Commands/AssignSortRuleCommand.php

@@ -32,7 +32,7 @@ class AssignSortRuleCommand extends Command
      */
     public function handle(BookSorter $sorter): int
     {
-        $sortRuleId = intval($this->argument('sort-rule'));
+        $sortRuleId = intval($this->argument('sort-rule')) ?? 0;
         if ($sortRuleId === 0) {
             return $this->listSortRules();
         }

app/Console/Commands/CopyShelfPermissionsCommand.php

@@ -32,7 +32,6 @@ class CopyShelfPermissionsCommand extends Command
     {
         $shelfSlug = $this->option('slug');
         $cascadeAll = $this->option('all');
-        $noInteraction = boolval($this->option('no-interaction'));
         $shelves = null;
 
         if (!$cascadeAll && !$shelfSlug) {
@@ -42,16 +41,14 @@ class CopyShelfPermissionsCommand extends Command
         }
 
         if ($cascadeAll) {
-            if (!$noInteraction) {
-                $continue = $this->confirm(
-                    'Permission settings for all shelves will be cascaded. ' .
-                    'Books assigned to multiple shelves will receive only the permissions of it\'s last processed shelf. ' .
-                    'Are you sure you want to proceed?',
-                );
+            $continue = $this->confirm(
+                'Permission settings for all shelves will be cascaded. ' .
+                        'Books assigned to multiple shelves will receive only the permissions of it\'s last processed shelf. ' .
+                        'Are you sure you want to proceed?'
+            );
 
-                if (!$continue) {
-                    return 0;
-                }
+            if (!$continue && !$this->hasOption('no-interaction')) {
+                return 0;
             }
 
             $shelves = $queries->start()->get(['id']);

app/Console/Commands/InstallModuleCommand.php

@@ -1,320 +0,0 @@
-<?php
-
-namespace BookStack\Console\Commands;
-
-use BookStack\Http\HttpRequestService;
-use BookStack\Theming\ThemeModule;
-use BookStack\Theming\ThemeModuleException;
-use BookStack\Theming\ThemeModuleManager;
-use BookStack\Theming\ThemeModuleZip;
-use GuzzleHttp\Psr7\Request;
-use Illuminate\Console\Command;
-use Illuminate\Support\Str;
-
-class InstallModuleCommand extends Command
-{
-    /**
-     * The name and signature of the console command.
-     *
-     * @var string
-     */
-    protected $signature = 'bookstack:install-module
-                            {location : The URL or path of the module file}';
-
-    /**
-     * The console command description.
-     *
-     * @var string
-     */
-    protected $description = 'Install a module to the currently configured theme';
-
-    protected array $cleanupActions = [];
-
-    /**
-     * Execute the console command.
-     */
-    public function handle(): int
-    {
-        $location = $this->argument('location');
-
-        // Get the ZIP file containing the module files
-        $zipPath = $this->getPathToZip($location);
-        if (!$zipPath) {
-            $this->cleanup();
-            return 1;
-        }
-
-        // Validate module zip file (metadata, size, etc...) and get module instance
-        $zip = new ThemeModuleZip($zipPath);
-        $themeModule = $this->validateAndGetModuleInfoFromZip($zip);
-        if (!$themeModule) {
-            $this->cleanup();
-            return 1;
-        }
-
-        // Get the theme folder in use, attempting to create one if no active theme in use
-        $themeFolder = $this->getThemeFolder();
-        if (!$themeFolder) {
-            $this->cleanup();
-            return 1;
-        }
-
-        // Get the modules folder of the theme, attempting to create it if not existing,
-        // and create a new module manager instance.
-        $moduleFolder = $this->getModuleFolder($themeFolder);
-        if (!$moduleFolder) {
-            $this->cleanup();
-            return 1;
-        }
-
-        $manager = new ThemeModuleManager($moduleFolder);
-
-        // Handle existing modules with the same name
-        $exitingModulesWithName = $manager->getByName($themeModule->name);
-        $shouldContinue = $this->handleExistingModulesWithSameName($exitingModulesWithName, $manager);
-        if (!$shouldContinue) {
-            $this->cleanup();
-            return 1;
-        }
-
-        // Extract module ZIP into the theme modules folder
-        try {
-            $newModule = $manager->addFromZip($themeModule->name, $zip);
-        } catch (ThemeModuleException $exception) {
-            $this->error("ERROR: Failed to install module with error: {$exception->getMessage()}");
-            $this->cleanup();
-            return 1;
-        }
-
-        $this->info("Module \"{$newModule->name}\" ({$newModule->getVersion()}) successfully installed!");
-        $this->info("Install location: {$moduleFolder}/{$newModule->folderName}");
-        $this->cleanup();
-        return 0;
-    }
-
-    /**
-     * @param ThemeModule[] $existingModules
-     */
-    protected function handleExistingModulesWithSameName(array $existingModules, ThemeModuleManager $manager): bool
-    {
-        if (count($existingModules) === 0) {
-            return true;
-        }
-
-        $this->warn("The following modules already exist with the same name:");
-        foreach ($existingModules as $folder => $module) {
-            $this->line("{$module->name} ({$folder}:{$module->getVersion()}) - {$module->description}");
-        }
-        $this->line('');
-
-        $choices = ['Cancel module install', 'Add alongside existing module'];
-        if (count($existingModules) === 1) {
-            $choices[] = 'Replace existing module';
-        }
-        $choice = $this->choice("What would you like to do?", $choices, 0, null, false);
-        if ($choice === 'Cancel module install') {
-            return false;
-        }
-
-        if ($choice === 'Replace existing module') {
-            $existingModuleFolder = array_key_first($existingModules);
-            $this->info("Replacing existing module in {$existingModuleFolder} folder");
-            $manager->deleteModuleFolder($existingModuleFolder);
-        }
-
-        return true;
-    }
-
-    protected function getModuleFolder(string $themeFolder): string|null
-    {
-        $path = $themeFolder . DIRECTORY_SEPARATOR . 'modules';
-
-        if (file_exists($path) && !is_dir($path)) {
-            $this->error("ERROR: Cannot create a modules folder, file already exists at {$path}");
-            return null;
-        }
-
-        if (!file_exists($path)) {
-            $created = mkdir($path, 0755, true);
-            if (!$created) {
-                $this->error("ERROR: Failed to create a modules folder at {$path}");
-                return null;
-            }
-        }
-
-        return $path;
-    }
-
-    protected function getThemeFolder(): string|null
-    {
-        $path = theme_path('');
-        if (!$path || !is_dir($path)) {
-            $shouldCreate = $this->confirm('No active theme folder found, would you like to create one?');
-            if (!$shouldCreate) {
-                return null;
-            }
-
-            $folder = 'custom';
-            while (file_exists(base_path("themes" . DIRECTORY_SEPARATOR  . $folder))) {
-                $folder = 'custom-' . Str::random(4);
-            }
-
-            $path = base_path("themes/{$folder}");
-            $created = mkdir($path, 0755, true);
-            if (!$created) {
-                $this->error('Failed to create a theme folder to use. This may be a permissions issue. Try manually configuring an active theme');
-                return null;
-            }
-
-            $this->info("Created theme folder at {$path}");
-            $this->warn("You will need to set APP_THEME={$folder} in your BookStack env configuration to enable this theme!");
-        }
-
-        return $path;
-    }
-
-    protected function validateAndGetModuleInfoFromZip(ThemeModuleZip $zip): ThemeModule|null
-    {
-        if (!$zip->exists()) {
-            $this->error("ERROR: Cannot open ZIP file at {$zip->getPath()}");
-            return null;
-        }
-
-        if ($zip->getContentsSize() > (50 * 1024 * 1024)) {
-            $this->error("ERROR: Module ZIP file contents are too large. Maximum size is 50MB");
-            return null;
-        }
-
-        try {
-            $themeModule = $zip->getModuleInstance();
-        } catch (ThemeModuleException $exception) {
-            $this->error("ERROR: Failed to read module metadata with error: {$exception->getMessage()}");
-            return null;
-        }
-
-        return $themeModule;
-    }
-
-    protected function downloadModuleFile(string $location): string|null
-    {
-        $httpRequests = app()->make(HttpRequestService::class);
-        $client = $httpRequests->buildClient(30, ['stream' => true]);
-        $originalUrl = parse_url($location);
-        $currentLocation = $location;
-        $maxRedirects = 3;
-        $redirectCount = 0;
-
-        // Follow redirects up to 3 times for the same hostname
-        do {
-            $resp = $client->sendRequest(new Request('GET', $currentLocation));
-            $statusCode = $resp->getStatusCode();
-
-            if ($statusCode >= 300 && $statusCode < 400 && $redirectCount < $maxRedirects) {
-                $redirectLocation = $resp->getHeaderLine('Location');
-                if ($redirectLocation) {
-                    $redirectUrl = parse_url($redirectLocation);
-                    $redirectOriginMatches = ($originalUrl['host'] ?? '') === ($redirectUrl['host'] ?? '')
-                        && ($originalUrl['scheme'] ?? '') === ($redirectUrl['scheme'] ?? '')
-                        && ($originalUrl['port'] ?? '') === ($redirectUrl['port'] ?? '');
-
-                    if (!$redirectOriginMatches) {
-                        $redirectOrigin = ($redirectUrl['scheme'] ?? '') . '://' . ($redirectUrl['host'] ?? '') . (isset($redirectUrl['port']) ? ':' . $redirectUrl['port'] : '');
-                        $this->info("The download URL is redirecting to a different site: {$redirectOrigin}");
-                        $shouldContinue = $this->confirm("Do you trust downloading the module from this site?");
-                        if (!$shouldContinue) {
-                            $this->error("Stopping module installation");
-                            return null;
-                        }
-                    }
-
-                    $currentLocation = $redirectLocation;
-                    $redirectCount++;
-                    continue;
-                }
-            }
-
-            break;
-        } while (true);
-
-        if ($resp->getStatusCode() >= 300) {
-            $this->error("ERROR: Failed to download module from {$location}");
-            $this->error("Download failed with status code {$resp->getStatusCode()}");
-            return null;
-        }
-
-        $tempFile = tempnam(sys_get_temp_dir(), 'bookstack_module_');
-        $fileHandle = fopen($tempFile, 'w');
-        $respBody = $resp->getBody();
-        $size = 0;
-        $maxSize = 50 * 1024 * 1024;
-
-        while (!$respBody->eof()) {
-            fwrite($fileHandle, $respBody->read(1024));
-            $size += 1024;
-            if ($size > $maxSize) {
-                fclose($fileHandle);
-                unlink($tempFile);
-                $this->error("ERROR: Module ZIP file is too large. Maximum size is 50MB");
-                return '';
-            }
-        }
-
-        fclose($fileHandle);
-
-        $this->cleanupActions[] = function () use ($tempFile) {
-            unlink($tempFile);
-        };
-
-        return $tempFile;
-    }
-
-    protected function getPathToZip(string $location): string|null
-    {
-        $lowerLocation = strtolower($location);
-        $isRemote = str_starts_with($lowerLocation, 'http://') || str_starts_with($lowerLocation, 'https://');
-
-        if ($isRemote) {
-            // Warning about fetching from source
-            $host = parse_url($location, PHP_URL_HOST);
-            $this->warn("\nThis will download a module from: {$host}\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.");
-            $trustHost = $this->confirm('Are you sure you trust this source?');
-            if (!$trustHost) {
-                return null;
-            }
-
-            // Check if the connection is http. If so, warn the user.
-            if (str_starts_with($lowerLocation, 'http://')) {
-                $this->warn("You are downloading a module from an insecure HTTP source.\nWe recommend only using HTTPS sources to avoid various security risks.");
-                if (!$this->confirm('Are you sure you want to continue without HTTPS?')) {
-                    return null;
-                }
-            }
-
-            // Download ZIP and get its location
-            return $this->downloadModuleFile($location);
-        }
-
-        // Validate the file and get the full location
-        $zipPath = realpath($location);
-
-        if (!$zipPath || !is_file($zipPath)) {
-            $this->error("ERROR: Module file not found at {$location}");
-            return null;
-        }
-
-        $this->warn("\nThis will install a module from: {$zipPath}\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.");
-        $trustHost = $this->confirm('Are you sure you want to install this module?');
-        if (!$trustHost) {
-            return null;
-        }
-
-        return $zipPath;
-    }
-
-    protected function cleanup(): void
-    {
-        foreach ($this->cleanupActions as $action) {
-            $action();
-        }
-    }
-}

app/Console/Commands/RegenerateVectorsCommand.php

@@ -0,0 +1,46 @@
+<?php
+
+namespace BookStack\Console\Commands;
+
+use BookStack\Entities\EntityProvider;
+use BookStack\Entities\Models\Entity;
+use BookStack\Search\Queries\SearchVector;
+use BookStack\Search\Queries\StoreEntityVectorsJob;
+use Illuminate\Console\Command;
+
+class RegenerateVectorsCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'bookstack:regenerate-vectors';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Re-index vectors for all content in the system';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle(EntityProvider $entityProvider)
+    {
+        // TODO - Add confirmation before run regarding deletion/time/effort/api-cost etc...
+        SearchVector::query()->delete();
+
+        $types = $entityProvider->all();
+        foreach ($types as $type => $typeInstance) {
+            $this->info("Creating jobs to store vectors for {$type} data...");
+            /** @var Entity[] $entities  */
+            $typeInstance->newQuery()->chunkById(100, function ($entities) {
+                foreach ($entities as $entity) {
+                    dispatch(new StoreEntityVectorsJob($entity));
+                }
+            });
+        }
+    }
+}

app/Entities/Controllers/BookApiController.php

@@ -7,14 +7,11 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\BookQueries;
-use BookStack\Entities\Queries\BookshelfQueries;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Http\ApiController;
 use BookStack\Permissions\Permission;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;
 
@@ -24,7 +21,6 @@ class BookApiController extends ApiController
         protected BookRepo $bookRepo,
         protected BookQueries $queries,
         protected PageQueries $pageQueries,
-        protected BookshelfQueries $shelfQueries,
     ) {
     }
 
@@ -64,20 +60,13 @@ class BookApiController extends ApiController
      * View the details of a single book.
      * The response data will contain a 'content' property listing the chapter and pages directly within, in
      * the same structure as you'd see within the BookStack interface when viewing a book. Top-level
-     * contents will have a 'type' property to distinguish between pages and chapters.
+     * contents will have a 'type' property to distinguish between pages & chapters.
      */
     public function read(string $id)
     {
         $book = $this->queries->findVisibleByIdOrFail(intval($id));
         $book = $this->forJsonDisplay($book);
-        $book->load([
-            'createdBy',
-            'updatedBy',
-            'ownedBy',
-            'shelves' => function (BelongsToMany $query) {
-                $query->select(['id', 'name', 'slug'])->scopes('visible');
-            }
-        ]);
+        $book->load(['createdBy', 'updatedBy', 'ownedBy']);
 
         $contents = (new BookContents($book))->getTree(true, false)->all();
         $contentsApiData = (new ApiEntityListFormatter($contents))

app/Entities/Controllers/BookController.php

@@ -144,7 +144,7 @@ class BookController extends Controller
 
         View::incrementFor($book);
         if ($request->has('shelf')) {
-            $this->shelfContext->setShelfContext(intval($request->input('shelf')));
+            $this->shelfContext->setShelfContext(intval($request->get('shelf')));
         }
 
         $this->setPageTitle($book->getShortName());
@@ -224,14 +224,9 @@ class BookController extends Controller
     {
         $book = $this->queries->findVisibleBySlugOrFail($bookSlug);
         $this->checkOwnablePermission(Permission::BookDelete, $book);
-        $contextShelf = $this->shelfContext->getContextualShelfForBook($book);
 
         $this->bookRepo->destroy($book);
 
-        if ($contextShelf) {
-            return redirect($contextShelf->getUrl());
-        }
-
         return redirect('/books');
     }
 
@@ -263,7 +258,7 @@ class BookController extends Controller
         $this->checkOwnablePermission(Permission::BookView, $book);
         $this->checkPermission(Permission::BookCreateAll);
 
-        $newName = $request->input('name') ?: $book->name;
+        $newName = $request->get('name') ?: $book->name;
         $bookCopy = $cloner->cloneBook($book, $newName);
         $this->showSuccessNotification(trans('entities.books_copy_success'));
 

app/Entities/Controllers/BookshelfApiController.php

@@ -49,7 +49,7 @@ class BookshelfApiController extends ApiController
         $this->checkPermission(Permission::BookshelfCreateAll);
         $requestData = $this->validate($request, $this->rules()['create']);
 
-        $bookIds = $request->input('books', []);
+        $bookIds = $request->get('books', []);
         $shelf = $this->bookshelfRepo->create($requestData, $bookIds);
 
         return response()->json($this->forJsonDisplay($shelf));
@@ -88,7 +88,7 @@ class BookshelfApiController extends ApiController
         $this->checkOwnablePermission(Permission::BookshelfUpdate, $shelf);
 
         $requestData = $this->validate($request, $this->rules()['update']);
-        $bookIds = $request->input('books', null);
+        $bookIds = $request->get('books', null);
 
         $shelf = $this->bookshelfRepo->update($shelf, $requestData, $bookIds);
 

app/Entities/Controllers/BookshelfController.php

@@ -94,7 +94,7 @@ class BookshelfController extends Controller
             'tags'             => ['array'],
         ]);
 
-        $bookIds = explode(',', $request->input('books', ''));
+        $bookIds = explode(',', $request->get('books', ''));
         $shelf = $this->shelfRepo->create($validated, $bookIds);
 
         return redirect($shelf->getUrl());
@@ -196,7 +196,7 @@ class BookshelfController extends Controller
             unset($validated['image']);
         }
 
-        $bookIds = explode(',', $request->input('books', ''));
+        $bookIds = explode(',', $request->get('books', ''));
         $shelf = $this->shelfRepo->update($shelf, $validated, $bookIds);
 
         return redirect($shelf->getUrl());

app/Entities/Controllers/ChapterApiController.php

@@ -64,7 +64,7 @@ class ChapterApiController extends ApiController
     {
         $requestData = $this->validate($request, $this->rules['create']);
 
-        $bookId = $request->input('book_id');
+        $bookId = $request->get('book_id');
         $book = $this->entityQueries->books->findVisibleByIdOrFail(intval($bookId));
         $this->checkOwnablePermission(Permission::ChapterCreate, $book);
 

app/Entities/Controllers/ChapterController.php

@@ -203,7 +203,7 @@ class ChapterController extends Controller
         $this->checkOwnablePermission(Permission::ChapterUpdate, $chapter);
         $this->checkOwnablePermission(Permission::ChapterDelete, $chapter);
 
-        $entitySelection = $request->input('entity_selection', null);
+        $entitySelection = $request->get('entity_selection', null);
         if ($entitySelection === null || $entitySelection === '') {
             return redirect($chapter->getUrl());
         }
@@ -248,7 +248,7 @@ class ChapterController extends Controller
     {
         $chapter = $this->queries->findVisibleBySlugsOrFail($bookSlug, $chapterSlug);
 
-        $entitySelection = $request->input('entity_selection') ?: null;
+        $entitySelection = $request->get('entity_selection') ?: null;
         $newParentBook = $entitySelection ? $this->entityQueries->findVisibleByStringIdentifier($entitySelection) : $chapter->getParent();
 
         if (!$newParentBook instanceof Book) {
@@ -259,7 +259,7 @@ class ChapterController extends Controller
 
         $this->checkOwnablePermission(Permission::ChapterCreate, $newParentBook);
 
-        $newName = $request->input('name') ?: $chapter->name;
+        $newName = $request->get('name') ?: $chapter->name;
         $chapterCopy = $cloner->cloneChapter($chapter, $newParentBook, $newName);
         $this->showSuccessNotification(trans('entities.chapters_copy_success'));
 

app/Entities/Controllers/PageApiController.php

@@ -74,9 +74,9 @@ class PageApiController extends ApiController
         $this->validate($request, $this->rules['create']);
 
         if ($request->has('chapter_id')) {
-            $parent = $this->entityQueries->chapters->findVisibleByIdOrFail(intval($request->input('chapter_id')));
+            $parent = $this->entityQueries->chapters->findVisibleByIdOrFail(intval($request->get('chapter_id')));
         } else {
-            $parent = $this->entityQueries->books->findVisibleByIdOrFail(intval($request->input('book_id')));
+            $parent = $this->entityQueries->books->findVisibleByIdOrFail(intval($request->get('book_id')));
         }
         $this->checkOwnablePermission(Permission::PageCreate, $parent);
 
@@ -133,9 +133,9 @@ class PageApiController extends ApiController
 
         $parent = null;
         if ($request->has('chapter_id')) {
-            $parent = $this->entityQueries->chapters->findVisibleByIdOrFail(intval($request->input('chapter_id')));
+            $parent = $this->entityQueries->chapters->findVisibleByIdOrFail(intval($request->get('chapter_id')));
         } elseif ($request->has('book_id')) {
-            $parent = $this->entityQueries->books->findVisibleByIdOrFail(intval($request->input('book_id')));
+            $parent = $this->entityQueries->books->findVisibleByIdOrFail(intval($request->get('book_id')));
         }
 
         if ($parent && !$parent->matches($page->getParent())) {

app/Entities/Controllers/PageController.php

@@ -21,8 +21,6 @@ use BookStack\Exceptions\PermissionsException;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\References\ReferenceFetcher;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use Exception;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Http\Request;
@@ -88,7 +86,7 @@ class PageController extends Controller
 
         $page = $this->pageRepo->getNewDraftPage($parent);
         $this->pageRepo->publishDraft($page, [
-            'name' => $request->input('name'),
+            'name' => $request->get('name'),
         ]);
 
         return redirect($page->getUrl('/edit'));
@@ -175,7 +173,7 @@ class PageController extends Controller
     }
 
     /**
-     * Get a page from an ajax request.
+     * Get page from an ajax request.
      *
      * @throws NotFoundException
      */
@@ -185,10 +183,6 @@ class PageController extends Controller
         $page->setHidden(array_diff($page->getHidden(), ['html', 'markdown']));
         $page->makeHidden(['book']);
 
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $page->html = $filter->filterString($page->html);
-
         return response()->json($page);
     }
 
@@ -408,7 +402,7 @@ class PageController extends Controller
         $this->checkOwnablePermission(Permission::PageUpdate, $page);
         $this->checkOwnablePermission(Permission::PageDelete, $page);
 
-        $entitySelection = $request->input('entity_selection', null);
+        $entitySelection = $request->get('entity_selection', null);
         if ($entitySelection === null || $entitySelection === '') {
             return redirect($page->getUrl());
         }
@@ -453,7 +447,7 @@ class PageController extends Controller
         $page = $this->queries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         $this->checkOwnablePermission(Permission::PageView, $page);
 
-        $entitySelection = $request->input('entity_selection') ?: null;
+        $entitySelection = $request->get('entity_selection') ?: null;
         $newParent = $entitySelection ? $this->entityQueries->findVisibleByStringIdentifier($entitySelection) : $page->getParent();
 
         if (!$newParent instanceof Book && !$newParent instanceof Chapter) {
@@ -464,7 +458,7 @@ class PageController extends Controller
 
         $this->checkOwnablePermission(Permission::PageCreate, $newParent);
 
-        $newName = $request->input('name') ?: $page->name;
+        $newName = $request->get('name') ?: $page->name;
         $pageCopy = $cloner->clonePage($page, $newParent, $newName);
         $this->showSuccessNotification(trans('entities.pages_copy_success'));
 

app/Entities/Controllers/PageRevisionController.php

@@ -12,8 +12,6 @@ use BookStack\Exceptions\NotFoundException;
 use BookStack\Facades\Activity;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\SimpleListOptions;
 use Illuminate\Http\Request;
 use Ssddanbrown\HtmlDiff\Diff;
@@ -34,7 +32,6 @@ class PageRevisionController extends Controller
      */
     public function index(Request $request, string $bookSlug, string $pageSlug)
     {
-        $this->checkPermission(Permission::RevisionViewAll);
         $page = $this->pageQueries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         $listOptions = SimpleListOptions::fromRequest($request, 'page_revisions', true)->withSortOptions([
             'id' => trans('entities.pages_revisions_sort_number')
@@ -66,8 +63,6 @@ class PageRevisionController extends Controller
      */
     public function show(string $bookSlug, string $pageSlug, int $revisionId)
     {
-        $this->checkPermission(Permission::RevisionViewAll);
-
         $page = $this->pageQueries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         /** @var ?PageRevision $revision */
         $revision = $page->revisions()->where('id', '=', $revisionId)->first();
@@ -97,8 +92,6 @@ class PageRevisionController extends Controller
      */
     public function changes(string $bookSlug, string $pageSlug, int $revisionId)
     {
-        $this->checkPermission(Permission::RevisionViewAll);
-
         $page = $this->pageQueries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         /** @var ?PageRevision $revision */
         $revision = $page->revisions()->where('id', '=', $revisionId)->first();
@@ -108,15 +101,12 @@ class PageRevisionController extends Controller
 
         $prev = $revision->getPreviousRevision();
         $prevContent = $prev->html ?? '';
-
-        // TODO - Refactor PageContent so we can de-dupe these steps
-        $rawDiff = Diff::excecute($prevContent, $revision->html);
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $diff = $filter->filterString($rawDiff);
+        $diff = Diff::excecute($prevContent, $revision->html);
 
         $page->fill($revision->toArray());
-        $page->html = '';
+        // TODO - Refactor PageContent so we don't need to juggle this
+        $page->html = $revision->html;
+        $page->html = (new PageContent($page))->render();
         $this->setPageTitle(trans('entities.pages_revision_named', ['pageName' => $page->getShortName()]));
 
         return view('pages.revision', [
@@ -134,7 +124,6 @@ class PageRevisionController extends Controller
      */
     public function restore(string $bookSlug, string $pageSlug, int $revisionId)
     {
-        $this->checkPermission(Permission::RevisionViewAll);
         $page = $this->pageQueries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         $this->checkOwnablePermission(Permission::PageUpdate, $page);
 
@@ -150,7 +139,6 @@ class PageRevisionController extends Controller
      */
     public function destroy(string $bookSlug, string $pageSlug, int $revId)
     {
-        $this->checkPermission(Permission::RevisionViewAll);
         $page = $this->pageQueries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         $this->checkOwnablePermission(Permission::PageDelete, $page);
 

app/Entities/Controllers/PageTemplateController.php

@@ -21,8 +21,8 @@ class PageTemplateController extends Controller
      */
     public function list(Request $request)
     {
-        $page = $request->input('page', 1);
-        $search = $request->input('search', '');
+        $page = $request->get('page', 1);
+        $search = $request->get('search', '');
         $count = 10;
 
         $query = $this->pageQueries->visibleTemplates()

app/Entities/Models/Book.php

@@ -17,7 +17,7 @@ use Illuminate\Support\Collection;
  *
  * @property string                                   $description
  * @property string                                   $description_html
- * @property ?int                                     $image_id
+ * @property int                                      $image_id
  * @property ?int                                     $default_template_id
  * @property ?int                                     $sort_rule_id
  * @property \Illuminate\Database\Eloquent\Collection $chapters

app/Entities/Models/Bookshelf.php

@@ -19,7 +19,7 @@ class Bookshelf extends Entity implements HasDescriptionInterface, HasCoverInter
 
     public float $searchFactor = 1.2;
 
-    protected $hidden = ['pivot', 'image_id', 'deleted_at', 'description_html', 'priority', 'default_template_id', 'sort_rule_id', 'entity_id', 'entity_type', 'chapter_id', 'book_id'];
+    protected $hidden = ['image_id', 'deleted_at', 'description_html', 'priority', 'default_template_id', 'sort_rule_id', 'entity_id', 'entity_type', 'chapter_id', 'book_id'];
     protected $fillable = ['name'];
 
     /**

app/Entities/Models/Entity.php

@@ -479,7 +479,6 @@ abstract class Entity extends Model implements
             'chapter' => new Chapter(),
             'book' => new Book(),
             'bookshelf' => new Bookshelf(),
-            default => throw new \InvalidArgumentException("Invalid entity type: {$type}"),
         };
     }
 }

app/Entities/Models/Page.php

@@ -23,7 +23,7 @@ use Illuminate\Database\Eloquent\Relations\HasOne;
  * @property bool         $draft
  * @property int          $revision_count
  * @property string       $editor
- * @property Chapter|null $chapter
+ * @property Chapter      $chapter
  * @property Collection   $attachments
  * @property Collection   $revisions
  * @property PageRevision $currentRevision

app/Entities/Repos/BaseRepo.php

@@ -16,7 +16,6 @@ use BookStack\References\ReferenceUpdater;
 use BookStack\Sorting\BookSorter;
 use BookStack\Uploads\ImageRepo;
 use BookStack\Util\HtmlDescriptionFilter;
-use BookStack\Util\HtmlToPlainText;
 use Illuminate\Http\UploadedFile;
 
 class BaseRepo
@@ -152,10 +151,9 @@ class BaseRepo
         }
 
         if (isset($input['description_html'])) {
-            $plainTextConverter = new HtmlToPlainText();
             $entity->descriptionInfo()->set(
                 HtmlDescriptionFilter::filterFromString($input['description_html']),
-                $plainTextConverter->convert($input['description_html']),
+                html_entity_decode(strip_tags($input['description_html']))
             );
         } else if (isset($input['description'])) {
             $entity->descriptionInfo()->set('', $input['description']);

app/Entities/Repos/PageRepo.php

@@ -60,7 +60,7 @@ class PageRepo
             $page->book_id = $parent->id;
         }
 
-        $defaultTemplate = $page->chapter?->defaultTemplate()->get() ?? $page->book->defaultTemplate()->get();
+        $defaultTemplate = $page->chapter?->defaultTemplate()->get() ?? $page->book?->defaultTemplate()->get();
         if ($defaultTemplate) {
             $page->forceFill([
                 'html'  => $defaultTemplate->html,

app/Entities/Tools/EntityHtmlDescription.php

@@ -6,7 +6,6 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 
 class EntityHtmlDescription
 {
@@ -51,13 +50,7 @@ class EntityHtmlDescription
             return $html;
         }
 
-        $isEmpty = empty(trim(strip_tags($html)));
-        if ($isEmpty) {
-            return '<p></p>';
-        }
-
-        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
-        return $filter->filterString($html);
+        return HtmlContentFilter::removeScriptsFromHtmlString($html);
     }
 
     public function getPlain(): string

app/Entities/Tools/PageContent.php

@@ -2,7 +2,6 @@
 
 namespace BookStack\Entities\Tools;
 
-use BookStack\App\AppVersion;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
@@ -14,9 +13,7 @@ use BookStack\Uploads\ImageRepo;
 use BookStack\Uploads\ImageService;
 use BookStack\Users\Models\User;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlDocument;
-use BookStack\Util\HtmlToPlainText;
 use BookStack\Util\WebSafeMimeSniffer;
 use Closure;
 use DOMElement;
@@ -40,14 +37,7 @@ class PageContent
     public function setNewHTML(string $html, User $updater): void
     {
         $html = $this->extractBase64ImagesFromHtml($html, $updater);
-        $html = $this->formatHtml($html);
-
-        $themeResult = Theme::dispatch(ThemeEvents::PAGE_CONTENT_PRE_STORE, $html, $this->page);
-        if (is_string($themeResult)) {
-            $html = $themeResult;
-        }
-
-        $this->page->html = $html;
+        $this->page->html = $this->formatHtml($html);
         $this->page->text = $this->toPlainText();
         $this->page->markdown = '';
     }
@@ -60,14 +50,7 @@ class PageContent
         $markdown = $this->extractBase64ImagesFromMarkdown($markdown, $updater);
         $this->page->markdown = $markdown;
         $html = (new MarkdownToHtml($markdown))->convert();
-        $html = $this->formatHtml($html);
-
-        $themeResult = Theme::dispatch(ThemeEvents::PAGE_CONTENT_PRE_STORE, $html, $this->page);
-        if (is_string($themeResult)) {
-            $html = $themeResult;
-        }
-
-        $this->page->html = $html;
+        $this->page->html = $this->formatHtml($html);
         $this->page->text = $this->toPlainText();
     }
 
@@ -96,7 +79,7 @@ class PageContent
 
     /**
      * Convert all inline base64 content to uploaded image files.
-     * Regex is used to locate the start of data-uri definitions, then
+     * Regex is used to locate the start of data-uri definitions then
      * manual looping over content is done to parse the whole data uri.
      * Attempting to capture the whole data uri using regex can cause PHP
      * PCRE limits to be hit with larger, multi-MB, files.
@@ -304,8 +287,8 @@ class PageContent
     public function toPlainText(): string
     {
         $html = $this->render(true);
-        $converter = new HtmlToPlainText();
-        return $converter->convert($html);
+
+        return html_entity_decode(strip_tags($html));
     }
 
     /**
@@ -316,7 +299,7 @@ class PageContent
         $html = $this->page->html ?? '';
 
         if (empty($html)) {
-            return $this->handlePostRender('');
+            return $html;
         }
 
         $doc = new HtmlDocument($html);
@@ -334,36 +317,11 @@ class PageContent
             $this->updateIdsRecursively($doc->getBody(), 0, $idMap, $changeMap);
         }
 
-        $cacheKey = $this->getContentCacheKey($doc->getBodyInnerHtml());
-        $cached = cache()->get($cacheKey, null);
-        if ($cached !== null) {
-            return $this->handlePostRender($cached);
+        if (!config('app.allow_content_scripts')) {
+            HtmlContentFilter::removeScriptsFromDocument($doc);
         }
 
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $filtered = $filter->filterDocument($doc);
-
-        $cacheTime = 86400 * 7; // 1 week
-        cache()->put($cacheKey, $filtered, $cacheTime);
-
-        return $this->handlePostRender($filtered);
-    }
-
-    protected function handlePostRender(string $html): string
-    {
-        $themeResult = Theme::dispatch(ThemeEvents::PAGE_CONTENT_POST_RENDER, $html, $this->page);
-        return is_string($themeResult) ? $themeResult : $html;
-    }
-
-    protected function getContentCacheKey(string $html): string
-    {
-        $contentHash = md5($html);
-        $contentId = $this->page->id;
-        $contentTime = $this->page->updated_at->timestamp ?? time();
-        $appVersion = AppVersion::get();
-        $filterConfig = config('app.content_filtering') ?? '';
-        return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
+        return $doc->getBodyInnerHtml();
     }
 
     /**

app/Entities/Tools/PageEditorData.php

@@ -8,8 +8,6 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\Markdown\HtmlToMarkdown;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
 use BookStack\Permissions\Permission;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 
 class PageEditorData
 {
@@ -49,7 +47,6 @@ class PageEditorData
         $isDraftRevision = false;
         $this->warnings = [];
         $editActivity = new PageEditActivity($page);
-        $lastEditorId = $page->updated_by ?? user()->id;
 
         if ($editActivity->hasActiveEditing()) {
             $this->warnings[] = $editActivity->activeEditingMessage();
@@ -61,20 +58,11 @@ class PageEditorData
             $page->forceFill($userDraft->only(['name', 'html', 'markdown']));
             $isDraftRevision = true;
             $this->warnings[] = $editActivity->getEditingActiveDraftMessage($userDraft);
-            $lastEditorId = $userDraft->created_by;
         }
 
-        // Get editor type and handle changes
         $editorType = $this->getEditorType($page);
         $this->updateContentForEditor($page, $editorType);
 
-        // Filter HTML content if required
-        if ($editorType->isHtmlBased() && !old('html') && $lastEditorId !== user()->id) {
-            $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-            $filter = new HtmlContentFilter($filterConfig);
-            $page->html = $filter->filterString($page->html);
-        }
-
         return [
             'page'            => $page,
             'book'            => $page->book,

app/Entities/Tools/PermissionsUpdater.php

@@ -20,8 +20,8 @@ class PermissionsUpdater
      */
     public function updateFromPermissionsForm(Entity $entity, Request $request): void
     {
-        $permissions = $request->input('permissions', null);
-        $ownerId = $request->input('owned_by', null);
+        $permissions = $request->get('permissions', null);
+        $ownerId = $request->get('owned_by', null);
 
         $entity->permissions()->delete();
 
@@ -47,7 +47,7 @@ class PermissionsUpdater
     {
         if (isset($data['role_permissions'])) {
             $entity->permissions()->where('role_id', '!=', 0)->delete();
-            $rolePermissionData = $this->formatPermissionsFromApiRequestToEntityPermissions($data['role_permissions'], false);
+            $rolePermissionData = $this->formatPermissionsFromApiRequestToEntityPermissions($data['role_permissions'] ?? [], false);
             $entity->permissions()->createMany($rolePermissionData);
         }
 

app/Exports/ExportFormatter.php

@@ -11,7 +11,6 @@ use BookStack\Entities\Tools\PageContent;
 use BookStack\Uploads\ImageService;
 use BookStack\Util\CspService;
 use BookStack\Util\HtmlDocument;
-use BookStack\Util\HtmlToPlainText;
 use DOMElement;
 use Exception;
 use Throwable;
@@ -209,7 +208,7 @@ class ExportFormatter
         preg_match_all("/\<img.*?src\=(\'|\")(.*?)(\'|\").*?\>/i", $htmlContent, $imageTagsOutput);
 
         // Replace image src with base64 encoded image strings
-        if (count($imageTagsOutput[0]) > 0) {
+        if (isset($imageTagsOutput[0]) && count($imageTagsOutput[0]) > 0) {
             foreach ($imageTagsOutput[0] as $index => $imgMatch) {
                 $oldImgTagString = $imgMatch;
                 $srcString = $imageTagsOutput[2][$index];
@@ -226,7 +225,7 @@ class ExportFormatter
         preg_match_all("/\<a.*href\=(\'|\")(.*?)(\'|\").*?\>/i", $htmlContent, $linksOutput);
 
         // Update relative links to be absolute, with instance url
-        if (count($linksOutput[0]) > 0) {
+        if (isset($linksOutput[0]) && count($linksOutput[0]) > 0) {
             foreach ($linksOutput[0] as $index => $linkMatch) {
                 $oldLinkString = $linkMatch;
                 $srcString = $linksOutput[2][$index];
@@ -243,13 +242,24 @@ class ExportFormatter
 
     /**
      * Converts the page contents into simple plain text.
-     * We re-generate the plain text from HTML at this point, post-page-content rendering.
+     * This method filters any bad looking content to provide a nice final output.
      */
     public function pageToPlainText(Page $page, bool $pageRendered = false, bool $fromParent = false): string
     {
         $html = $pageRendered ? $page->html : (new PageContent($page))->render();
-        $contentText = (new HtmlToPlainText())->convert($html);
-        return $page->name . ($fromParent ? "\n" : "\n\n") . $contentText;
+        // Add proceeding spaces before tags so spaces remain between
+        // text within elements after stripping tags.
+        $html = str_replace('<', " <", $html);
+        $text = trim(strip_tags($html));
+        // Replace multiple spaces with single spaces
+        $text = preg_replace('/ {2,}/', ' ', $text);
+        // Reduce multiple horrid whitespace characters.
+        $text = preg_replace('/(\x0A|\xA0|\x0A|\r|\n){2,}/su', "\n\n", $text);
+        $text = html_entity_decode($text);
+        // Add title
+        $text = $page->name . ($fromParent ? "\n" : "\n\n") . $text;
+
+        return $text;
     }
 
     /**
@@ -257,7 +267,7 @@ class ExportFormatter
      */
     public function chapterToPlainText(Chapter $chapter): string
     {
-        $text = $chapter->name . "\n" . $chapter->descriptionInfo()->getPlain();
+        $text = $chapter->name . "\n" . $chapter->description;
         $text = trim($text) . "\n\n";
 
         $parts = [];
@@ -313,7 +323,7 @@ class ExportFormatter
             $text .= $description . "\n\n";
         }
 
-        foreach ($chapter->getVisiblePages() as $page) {
+        foreach ($chapter->pages as $page) {
             $text .= $this->pageToMarkdown($page) . "\n\n";
         }
 

app/Exports/PdfGenerator.php

@@ -4,8 +4,6 @@ namespace BookStack\Exports;
 
 use BookStack\Exceptions\PdfExportException;
 use Dompdf\Dompdf;
-use FontLib\Font;
-use Illuminate\Support\Str;
 use Knp\Snappy\Pdf as SnappyPdf;
 use Symfony\Component\Process\Exception\ProcessTimedOutException;
 use Symfony\Component\Process\Process;
@@ -62,65 +60,12 @@ class PdfGenerator
         $domPdf = new Dompdf($options);
         $domPdf->setBasePath(base_path('public'));
 
-        $fontMetrics = $domPdf->getFontMetrics();
-        $userFontfamilies = $this->getUserDomPdfFontFamilies();
-        foreach ($userFontfamilies as $fontFamily => $fonts) {
-            try {
-                $fontMetrics->setFontFamily($fontFamily, $fonts);
-            } catch (\Exception $exception) {
-                $expectedPath = storage_path('fonts/dompdf');
-                throw new PdfExportException("Failed to create required font data in {$expectedPath}, Ensure all content in this location is writable by the web server");
-            }
-        }
-
         $domPdf->loadHTML($this->convertEntities($html));
         $domPdf->render();
 
         return (string) $domPdf->output();
     }
 
-    /**
-     * @return array<string, array<string, string>>
-     */
-    protected function getUserDomPdfFontFamilies(): array
-    {
-        $fontStore = storage_path('fonts/dompdf');
-        if (!is_dir($fontStore)) {
-            return [];
-        }
-
-        $fontFamilies = [];
-        $fontFiles = glob($fontStore . DIRECTORY_SEPARATOR . '*.ttf');
-        foreach ($fontFiles as $fontFile) {
-            $fontFileName = basename($fontFile, '.ttf');
-            $expectedUfm = $fontStore . DIRECTORY_SEPARATOR . $fontFileName . '.ufm';
-            if (!file_exists($expectedUfm)) {
-                $font = Font::load($fontFile);
-                $font->parse();
-                try {
-                    $font->saveAdobeFontMetrics($expectedUfm);
-                } catch (\Exception $exception) {
-                    throw new PdfExportException("Failed to create required font data at $expectedUfm, Ensure this location is writable by the web server");
-                }
-            }
-
-            $nameParts = explode('-', $fontFileName);
-            if (count($nameParts) === 1 || $nameParts[1] === 'Regular') {
-                $nameParts[1] = 'Normal';
-            }
-
-            $family = trim(strtolower(preg_replace('/([A-Z])/', ' $1', $nameParts[0])));
-            $variation = Str::snake($nameParts[1]);
-            if (!isset($fontFamilies[$family])) {
-                $fontFamilies[$family] = [];
-            }
-
-            $fontFamilies[$family][$variation] = $fontStore . DIRECTORY_SEPARATOR . $fontFileName;
-        }
-
-        return $fontFamilies;
-    }
-
     /**
      * @throws PdfExportException
      */

app/Exports/ZipExports/Models/ZipExportAttachment.php

@@ -45,7 +45,7 @@ final class ZipExportAttachment extends ZipExportModel
         $rules = [
             'id'    => ['nullable', 'int', $context->uniqueIdRule('attachment')],
             'name'  => ['required', 'string', 'min:1'],
-            'link'  => ['required_without:file', 'nullable', 'string', 'max:2000', 'safe_url'],
+            'link'  => ['required_without:file', 'nullable', 'string'],
             'file'  => ['required_without:link', 'nullable', 'string', $context->fileReferenceRule()],
         ];
 

app/Exports/ZipExports/ZipImportRunner.php

@@ -82,8 +82,10 @@ class ZipImportRunner
             $entity = $this->importBook($exportModel, $reader);
         } else if ($exportModel instanceof ZipExportChapter) {
             $entity = $this->importChapter($exportModel, $parent, $reader);
-        } else {
+        } else if ($exportModel instanceof ZipExportPage) {
             $entity = $this->importPage($exportModel, $parent, $reader);
+        } else {
+            throw new ZipImportException(['No importable data found in import data.']);
         }
 
         $this->references->replaceReferences();
@@ -130,7 +132,7 @@ class ZipImportRunner
             'name' => $exportBook->name,
             'description_html' => $exportBook->description_html ?? '',
             'image' => $exportBook->cover ? $this->zipFileToUploadedFile($exportBook->cover, $reader) : null,
-            'tags' => $this->exportTagsToInputArray($exportBook->tags),
+            'tags' => $this->exportTagsToInputArray($exportBook->tags ?? []),
         ]);
 
         if ($book->coverInfo()->getImage()) {
@@ -149,7 +151,7 @@ class ZipImportRunner
         foreach ($children as $child) {
             if ($child instanceof ZipExportChapter) {
                 $this->importChapter($child, $book, $reader);
-            } else {
+            } else if ($child instanceof ZipExportPage) {
                 $this->importPage($child, $book, $reader);
             }
         }
@@ -164,7 +166,7 @@ class ZipImportRunner
         $chapter = $this->chapterRepo->create([
             'name' => $exportChapter->name,
             'description_html' => $exportChapter->description_html ?? '',
-            'tags' => $this->exportTagsToInputArray($exportChapter->tags),
+            'tags' => $this->exportTagsToInputArray($exportChapter->tags ?? []),
         ], $parent);
 
         $exportPages = $exportChapter->pages;
@@ -197,7 +199,7 @@ class ZipImportRunner
             'name' => $exportPage->name,
             'markdown' => $exportPage->markdown ?? '',
             'html' => $exportPage->html ?? '',
-            'tags' => $this->exportTagsToInputArray($exportPage->tags),
+            'tags' => $this->exportTagsToInputArray($exportPage->tags ?? []),
         ]);
 
         $this->references->addPage($page, $exportPage);
@@ -300,7 +302,7 @@ class ZipImportRunner
             array_push($chapters, ...$exportModel->chapters);
         } else if ($exportModel instanceof ZipExportChapter) {
             $chapters[] = $exportModel;
-        } else {
+        } else if ($exportModel instanceof ZipExportPage) {
             $pages[] = $exportModel;
         }
 

app/Exports/ZipExports/ZipReferenceParser.php

@@ -68,6 +68,10 @@ class ZipReferenceParser
         $matches = [];
         preg_match_all($referenceRegex, $content, $matches);
 
+        if (count($matches) < 3) {
+            return $content;
+        }
+
         for ($i = 0; $i < count($matches[0]); $i++) {
             $referenceText = $matches[0][$i];
             $type = strtolower($matches[1][$i]);

app/Http/ApiController.php

@@ -20,14 +20,10 @@ abstract class ApiController extends Controller
      * Provide a paginated listing JSON response in a standard format
      * taking into account any pagination parameters passed by the user.
      */
-    protected function apiListingResponse(Builder $query, array $fields, array $modifiers = [], array $filterableFields = []): JsonResponse
+    protected function apiListingResponse(Builder $query, array $fields, array $modifiers = []): JsonResponse
     {
         $listing = new ListingResponseBuilder($query, request(), $fields);
 
-        if (count($filterableFields) > 0) {
-            $listing->setFilterableFields($filterableFields);
-        }
-
         foreach ($modifiers as $modifier) {
             $listing->modifyResults($modifier);
         }

app/Http/Controller.php

@@ -62,7 +62,7 @@ abstract class Controller extends BaseController
      */
     protected function checkPermission(string|Permission $permission): void
     {
-        if (!user()->can($permission)) {
+        if (!user() || !user()->can($permission)) {
             $this->showPermissionError();
         }
     }
@@ -167,26 +167,14 @@ abstract class Controller extends BaseController
 
     /**
      * Redirect to the URL provided in the request as a '_return' parameter.
-     * Will check that the parameter leads to a URL under the same origin as the application.
+     * Will check that the parameter leads to a URL under the root path of the system.
      */
     protected function redirectToRequest(Request $request): RedirectResponse
     {
         $basePath = url('/');
         $returnUrl = $request->input('_return') ?? $basePath;
 
-        // Only allow use of _return on requests where we expect CSRF to be active
-        // to prevent it potentially being used as an open redirect
-        $allowedMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
-        if (!in_array($request->getMethod(), $allowedMethods)) {
-            return redirect($basePath);
-        }
-
-        $intendedUrl = parse_url($returnUrl);
-        $baseUrl = parse_url($basePath);
-        $isSameOrigin = ($intendedUrl['host'] ?? '') === ($baseUrl['host'] ?? '')
-            && ($intendedUrl['scheme'] ?? '') === ($baseUrl['scheme'] ?? '')
-            && ($intendedUrl['port'] ?? 0) === ($baseUrl['port'] ?? 0);
-        if (!$isSameOrigin) {
+        if (!str_starts_with($returnUrl, $basePath)) {
             return redirect($basePath);
         }
 

app/Http/DownloadResponseFactory.php

@@ -102,15 +102,12 @@ class DownloadResponseFactory
     protected function getHeaders(string $fileName, int $fileSize, string $mime = 'application/octet-stream'): array
     {
         $disposition = ($mime === 'application/octet-stream') ? 'attachment' : 'inline';
-
-        $downloadName = str_replace(['"', '/', '\\', '$'], '', $fileName);
-        $downloadName = preg_replace('/[\x00-\x1F\x7F]/', '', $downloadName);
-        $encodedDownloadName = rawurlencode($downloadName);
+        $downloadName = str_replace('"', '', $fileName);
 
         return [
             'Content-Type'           => $mime,
             'Content-Length'         => $fileSize,
-            'Content-Disposition'    => "{$disposition}; filename*=UTF-8''{$encodedDownloadName}",
+            'Content-Disposition'    => "{$disposition}; filename=\"{$downloadName}\"",
             'X-Content-Type-Options' => 'nosniff',
         ];
     }

app/Http/Middleware/ApiAuthenticate.php

@@ -17,7 +17,7 @@ class ApiAuthenticate
     public function handle(Request $request, Closure $next)
     {
         // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken($request);
+        $this->ensureAuthorizedBySessionOrToken();
 
         return $next($request);
     }
@@ -28,28 +28,22 @@ class ApiAuthenticate
      *
      * @throws ApiAuthException
      */
-    protected function ensureAuthorizedBySessionOrToken(Request $request): void
+    protected function ensureAuthorizedBySessionOrToken(): void
     {
-        // Use the active user session already exists.
-        // This is to make it easy to explore API endpoints via the UI.
-        if (session()->isStarted()) {
-            // Ensure the user has API access permission
+        // Return if the user is already found to be signed in via session-based auth.
+        // This is to make it easy to browser the API via browser after just logging into the system.
+        if (!user()->isGuest() || session()->isStarted()) {
             if (!$this->sessionUserHasApiAccess()) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
 
-            // Only allow GET requests for cookie-based API usage
-            if ($request->method() !== 'GET') {
-                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
-            }
-
             return;
         }
 
         // Set our api guard to be the default for this request lifecycle.
         auth()->shouldUse('api');
 
-        // Validate the token and its users API access
+        // Validate the token and it's users API access
         auth()->authenticate();
     }
 

app/Permissions/JointPermissionBuilder.php

@@ -61,7 +61,8 @@ class JointPermissionBuilder
             return;
         }
 
-        if ($entity instanceof BookChild) {
+        /** @var BookChild $entity */
+        if ($entity->book) {
             $entities[] = $entity->book;
         }
 

app/Permissions/Permission.php

@@ -118,8 +118,6 @@ enum Permission: string
     case PageViewAll = 'page-view-all';
     case PageViewOwn = 'page-view-own';
 
-    case RevisionViewAll = 'revision-view-all';
-
     /**
      * Get the generic permissions which may be queried for entities.
      */

app/Search/Queries/EntityVectorGenerator.php

@@ -0,0 +1,89 @@
+<?php
+
+declare(strict_types=1);
+
+namespace BookStack\Search\Queries;
+
+use BookStack\Activity\Models\Tag;
+use BookStack\Entities\Models\Entity;
+use BookStack\Search\Queries\Services\LlmQueryService;
+use Illuminate\Support\Facades\DB;
+
+class EntityVectorGenerator
+{
+    public function __construct(
+        protected LlmQueryServiceProvider $vectorQueryServiceProvider
+    ) {
+    }
+
+    public function generateAndStore(Entity $entity): void
+    {
+        $vectorService = $this->vectorQueryServiceProvider->get();
+
+        $text = $this->entityToPlainText($entity);
+        $chunks = $this->chunkText($text);
+        $embeddings = $this->chunksToEmbeddings($chunks, $vectorService);
+
+        $this->deleteExistingEmbeddingsForEntity($entity);
+        $this->storeEmbeddings($embeddings, $chunks, $entity);
+    }
+
+    protected function deleteExistingEmbeddingsForEntity(Entity $entity): void
+    {
+        SearchVector::query()
+            ->where('entity_type', '=', $entity->getMorphClass())
+            ->where('entity_id', '=', $entity->id)
+            ->delete();
+    }
+
+    protected function storeEmbeddings(array $embeddings, array $textChunks, Entity $entity): void
+    {
+        $toInsert = [];
+
+        foreach ($embeddings as $index => $embedding) {
+            $text = $textChunks[$index];
+            $toInsert[] = [
+                'entity_id' => $entity->id,
+                'entity_type' => $entity->getMorphClass(),
+                'embedding' => DB::raw('VEC_FROMTEXT("[' . implode(',', $embedding) . ']")'),
+                'text' => $text,
+            ];
+        }
+
+        $chunks = array_chunk($toInsert, 500);
+        foreach ($chunks as $chunk) {
+            SearchVector::query()->insert($chunk);
+        }
+    }
+
+    /**
+     * @param string[] $chunks
+     * @return float[] array
+     */
+    protected function chunksToEmbeddings(array $chunks, LlmQueryService $vectorQueryService): array
+    {
+        $embeddings = [];
+        foreach ($chunks as $index => $chunk) {
+            $embeddings[$index] = $vectorQueryService->generateEmbeddings($chunk);
+        }
+        return $embeddings;
+    }
+
+    /**
+     * @return string[]
+     */
+    protected function chunkText(string $text): array
+    {
+        return (new TextChunker(500, ["\n", '.', ' ', '']))->chunk($text);
+    }
+
+    protected function entityToPlainText(Entity $entity): string
+    {
+        $tags = $entity->tags()->get();
+        $tagText = $tags->map(function (Tag $tag) {
+            return $tag->name . ': ' . $tag->value;
+        })->join('\n');
+
+        return $entity->name . "\n{$tagText}\n" . $entity->{$entity->textField};
+    }
+}

app/Search/Queries/LlmQueryRunner.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace BookStack\Search\Queries;
+
+use BookStack\Entities\Models\Entity;
+use BookStack\Search\SearchRunner;
+use Exception;
+
+class LlmQueryRunner
+{
+    public function __construct(
+        protected LlmQueryServiceProvider $vectorQueryServiceProvider,
+        protected SearchRunner $searchRunner,
+    ) {
+    }
+
+    /**
+     * Transform the given query into an array of terms which can be used
+     * to search for documents to help answer that query.
+     * @return string[]
+     * @throws Exception
+     */
+    public function queryToSearchTerms(string $query): array
+    {
+        $queryService = $this->vectorQueryServiceProvider->get();
+
+        return $queryService->queryToSearchTerms($query);
+    }
+
+    /**
+     * Run a query against the configured LLM to produce a text response.
+     * @param Entity[] $searchResults
+     * @throws Exception
+     */
+    public function run(string $query, array $searchResults): string
+    {
+        $queryService = $this->vectorQueryServiceProvider->get();
+        return $queryService->query($query, $searchResults);
+    }
+}

app/Search/Queries/LlmQueryServiceProvider.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace BookStack\Search\Queries;
+
+use BookStack\Http\HttpRequestService;
+use BookStack\Search\Queries\Services\OpenAiLlmQueryService;
+use BookStack\Search\Queries\Services\LlmQueryService;
+
+class LlmQueryServiceProvider
+{
+    public function __construct(
+        protected HttpRequestService $http,
+    ) {
+    }
+
+    public function get(): LlmQueryService
+    {
+        $service = $this->getServiceName();
+
+        if ($service === 'openai') {
+            return new OpenAiLlmQueryService(config('services.openai'), $this->http);
+        }
+
+        throw new \Exception("No '{$service}' LLM service found");
+    }
+
+    protected static function getServiceName(): string
+    {
+        return strtolower(config('services.llm'));
+    }
+
+    public static function isEnabled(): bool
+    {
+        return !empty(static::getServiceName());
+    }
+}

app/Search/Queries/QueryController.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace BookStack\Search\Queries;
+
+use BookStack\Http\Controller;
+use BookStack\Search\SearchOptions;
+use BookStack\Search\SearchRunner;
+use Illuminate\Http\Request;
+
+class QueryController extends Controller
+{
+    public function __construct(
+        protected SearchRunner $searchRunner,
+    ) {
+        // TODO - Check via testing
+        $this->middleware(function ($request, $next) {
+            if (!LlmQueryServiceProvider::isEnabled()) {
+                $this->showPermissionError('/');
+            }
+            return $next($request);
+        });
+    }
+
+    /**
+     * Show the view to start a vector/LLM-based query search.
+     */
+    public function show(Request $request)
+    {
+        $query = $request->get('ask', '');
+
+        // TODO - Set page title
+
+        return view('search.query', [
+            'query' => $query,
+        ]);
+    }
+
+    /**
+     * Perform an LLM-based query search.
+     */
+    public function run(Request $request, LlmQueryRunner $llmRunner)
+    {
+        // TODO - Rate limiting
+        $query = $request->get('query', '');
+
+        return response()->eventStream(function () use ($query, $llmRunner) {
+
+            $searchTerms = $llmRunner->queryToSearchTerms($query);
+            $searchOptions = SearchOptions::fromTermArray($searchTerms);
+            $searchResults = $this->searchRunner->searchEntities($searchOptions, count: 10)['results'];
+
+            $entities = [];
+            foreach ($searchResults as $entity) {
+                $entityKey = $entity->getMorphClass() . ':' . $entity->id;
+                if (!isset($entities[$entityKey])) {
+                    $entities[$entityKey] = $entity;
+                }
+            }
+
+            yield ['view' => view('entities.list', ['entities' => $entities])->render()];
+
+            yield ['result' => $llmRunner->run($query, array_values($entities))];
+        });
+    }
+}

app/Search/Queries/Services/LlmQueryService.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace BookStack\Search\Queries\Services;
+
+use BookStack\Entities\Models\Entity;
+
+interface LlmQueryService
+{
+    /**
+     * Generate embedding vectors from the given chunk of text.
+     * @return float[]
+     */
+    public function generateEmbeddings(string $text): array;
+
+    public function queryToSearchTerms(string $text): array;
+
+    /**
+     * Query the LLM service using the given user input, and
+     * relevant entity content retrieved locally via a search.
+     * Returns the response output text from the LLM.
+     *
+     * @param Entity[] $context
+     */
+    public function query(string $input, array $context): string;
+}

app/Search/Queries/Services/OpenAiLlmQueryService.php

@@ -0,0 +1,97 @@
+<?php
+
+namespace BookStack\Search\Queries\Services;
+
+use BookStack\Http\HttpRequestService;
+
+class OpenAiLlmQueryService implements LlmQueryService
+{
+    protected string $key;
+    protected string $endpoint;
+    protected string $embeddingModel;
+    protected string $queryModel;
+
+    public function __construct(
+        protected array $options,
+        protected HttpRequestService $http,
+    ) {
+        // TODO - Some kind of validation of options
+        $this->key = $this->options['key'] ?? '';
+        $this->endpoint = $this->options['endpoint'] ?? '';
+        $this->embeddingModel = $this->options['embedding_model'] ?? '';
+        $this->queryModel = $this->options['query_model'] ?? '';
+    }
+
+    protected function jsonRequest(string $method, string $uri, array $data): array
+    {
+        $fullUrl = rtrim($this->endpoint, '/') . '/' . ltrim($uri, '/');
+        $client = $this->http->buildClient(60);
+        $request = $this->http->jsonRequest($method, $fullUrl, $data)
+            ->withHeader('Authorization', 'Bearer ' . $this->key);
+
+        $response = $client->sendRequest($request);
+        return json_decode($response->getBody()->getContents(), true);
+    }
+
+    public function generateEmbeddings(string $text): array
+    {
+        $response = $this->jsonRequest('POST', 'v1/embeddings', [
+            'input' => $text,
+            'model' => $this->embeddingModel,
+        ]);
+
+        return $response['data'][0]['embedding'];
+    }
+
+    public function queryToSearchTerms(string $text): array
+    {
+        $response = $this->jsonRequest('POST', 'v1/chat/completions', [
+            'model' => $this->queryModel,
+            'messages' => [
+                [
+                    'role' => 'user',
+                    'content' => 'You will be provided a user search query. Extract key words from just the query, suitable for searching. Add word variations where it may help for searching. Remove pluralisation where it may help for searching. Provide up to 5 results, each must be just one word. Do not try to guess answers to the query. Do not provide extra information or context. Return the results in the specified JSON format under a \'words\' object key. ' . "\nQUERY: {$text}"
+                ],
+            ],
+            'temperature' => 0,
+            'response_format' => [
+                'type' => 'json_object',
+            ],
+        ]);
+
+        $resultJson = $response['choices'][0]['message']['content'] ?? '{"words": []}';
+        $resultData = json_decode($resultJson, true) ?? ['words' => []];
+
+        return $resultData['words'] ?? [];
+    }
+
+    public function query(string $input, array $context): string
+    {
+        $resultContentText = [];
+        $len = 0;
+
+        foreach ($context as $result) {
+            $text = "DOCUMENT NAME: {$result->name}\nDOCUMENT CONTENT: " . $result->{$result->textField};
+            $resultContentText[] = $text;
+            $len += strlen($text);
+            if ($len > 100000) {
+                break;
+            }
+        }
+
+        $formattedContext = implode("\n---\n", $resultContentText);
+
+        $response = $this->jsonRequest('POST', 'v1/chat/completions', [
+            'model' => $this->queryModel,
+            'messages' => [
+                [
+                    'role' => 'user',
+                    'content' => 'Answer the provided QUERY using the provided CONTEXT documents. Do not add facts which are not part of the CONTEXT. State that you do not know if a relevant answer cannot be provided for QUERY using the CONTEXT documents. Many of the CONTEXT documents may be irrelevant. Try to find documents relevant to QUERY. Do not directly refer to this prompt or the existence of QUERY or CONTEXT variables. Do not offer follow-up actions or further help. Respond only to the query without proposing further assistance. Do not ask questions.' . "\nQUERY: {$input}\nCONTEXT: {$formattedContext}"
+                ],
+            ],
+            'temperature' => 0.1,
+        ]);
+
+        return $response['choices'][0]['message']['content'] ?? '';
+    }
+}

app/Search/SearchApiController.php

@@ -40,9 +40,9 @@ class SearchApiController extends ApiController
     {
         $this->validate($request, $this->rules['all']);
 
-        $options = SearchOptions::fromString($request->input('query') ?? '');
-        $page = intval($request->input('page', '0')) ?: 1;
-        $count = min(intval($request->input('count', '0')) ?: 20, 100);
+        $options = SearchOptions::fromString($request->get('query') ?? '');
+        $page = intval($request->get('page', '0')) ?: 1;
+        $count = min(intval($request->get('count', '0')) ?: 20, 100);
 
         $results = $this->searchRunner->searchEntities($options, 'all', $page, $count);
         $this->resultsFormatter->format($results['results']->all(), $options);

app/Search/SearchController.php

@@ -6,6 +6,7 @@ use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Queries\QueryPopular;
 use BookStack\Entities\Tools\SiblingFetcher;
 use BookStack\Http\Controller;
+use BookStack\Search\Queries\VectorSearchRunner;
 use Illuminate\Http\Request;
 use Illuminate\Pagination\LengthAwarePaginator;
 
@@ -24,7 +25,7 @@ class SearchController extends Controller
     {
         $searchOpts = SearchOptions::fromRequest($request);
         $fullSearchString = $searchOpts->toString();
-        $page = intval($request->input('page', '0')) ?: 1;
+        $page = intval($request->get('page', '0')) ?: 1;
         $count = setting()->getInteger('lists-page-count-search', 18, 1, 1000);
 
         $results = $this->searchRunner->searchEntities($searchOpts, 'all', $page, $count);
@@ -49,7 +50,7 @@ class SearchController extends Controller
      */
     public function searchBook(Request $request, int $bookId)
     {
-        $term = $request->input('term', '');
+        $term = $request->get('term', '');
         $results = $this->searchRunner->searchBook($bookId, $term);
 
         return view('entities.list', ['entities' => $results]);
@@ -60,7 +61,7 @@ class SearchController extends Controller
      */
     public function searchChapter(Request $request, int $chapterId)
     {
-        $term = $request->input('term', '');
+        $term = $request->get('term', '');
         $results = $this->searchRunner->searchChapter($chapterId, $term);
 
         return view('entities.list', ['entities' => $results]);
@@ -72,9 +73,9 @@ class SearchController extends Controller
      */
     public function searchForSelector(Request $request, QueryPopular $queryPopular)
     {
-        $entityTypes = $request->filled('types') ? explode(',', $request->input('types')) : ['page', 'chapter', 'book'];
-        $searchTerm = $request->input('term', false);
-        $permission = $request->input('permission', 'view');
+        $entityTypes = $request->filled('types') ? explode(',', $request->get('types')) : ['page', 'chapter', 'book'];
+        $searchTerm = $request->get('term', false);
+        $permission = $request->get('permission', 'view');
 
         // Search for entities otherwise show most popular
         if ($searchTerm !== false) {
@@ -93,7 +94,7 @@ class SearchController extends Controller
      */
     public function templatesForSelector(Request $request)
     {
-        $searchTerm = $request->input('term', false);
+        $searchTerm = $request->get('term', false);
 
         if ($searchTerm !== false) {
             $searchOptions = SearchOptions::fromString($searchTerm);
@@ -119,7 +120,7 @@ class SearchController extends Controller
      */
     public function searchSuggestions(Request $request)
     {
-        $searchTerm = $request->input('term', '');
+        $searchTerm = $request->get('term', '');
         $entities = $this->searchRunner->searchEntities(SearchOptions::fromString($searchTerm), 'all', 1, 5)['results'];
 
         foreach ($entities as $entity) {
@@ -136,8 +137,8 @@ class SearchController extends Controller
      */
     public function searchSiblings(Request $request, SiblingFetcher $siblingFetcher)
     {
-        $type = $request->input('entity_type', null);
-        $id = $request->input('entity_id', null);
+        $type = $request->get('entity_type', null);
+        $id = $request->get('entity_id', null);
 
         $entities = $siblingFetcher->fetch($type, $id);
 

app/Search/SearchIndex.php

@@ -25,7 +25,7 @@ class SearchIndex
     public static string $softDelimiters = ".-";
 
     public function __construct(
-        protected EntityProvider $entityProvider
+        protected EntityProvider $entityProvider,
     ) {
     }
 
@@ -47,6 +47,7 @@ class SearchIndex
     public function indexEntities(array $entities): void
     {
         $terms = [];
+
         foreach ($entities as $entity) {
             $entityTerms = $this->entityToTermDataArray($entity);
             array_push($terms, ...$entityTerms);

app/Search/SearchOptions.php

@@ -51,7 +51,7 @@ class SearchOptions
         }
 
         if ($request->has('term')) {
-            return static::fromString($request->input('term'));
+            return static::fromString($request->get('term'));
         }
 
         $instance = new SearchOptions();
@@ -93,6 +93,18 @@ class SearchOptions
         return $instance;
     }
 
+    /**
+     * Create a SearchOptions instance from an array of standard search terms.
+     * @param string[] $terms
+     */
+    public static function fromTermArray(array $terms): self
+    {
+        $instance = new self();
+        $instance->searches = SearchOptionSet::fromValueArray(array_values(array_filter($terms)), TermSearchOption::class);
+        $instance->limitOptions();
+        return $instance;
+    }
+
     /**
      * Decode a search string and add its contents to this instance.
      */
@@ -121,11 +133,13 @@ class SearchOptions
         foreach ($patterns as $termType => $pattern) {
             $matches = [];
             preg_match_all($pattern, $searchString, $matches);
-            foreach ($matches[1] as $index => $value) {
-                $negated = str_starts_with($matches[0][$index], '-');
-                $terms[$termType][] = $constructors[$termType]($value, $negated);
+            if (count($matches) > 0) {
+                foreach ($matches[1] as $index => $value) {
+                    $negated = str_starts_with($matches[0][$index], '-');
+                    $terms[$termType][] = $constructors[$termType]($value, $negated);
+                }
+                $searchString = preg_replace($pattern, '', $searchString);
             }
-            $searchString = preg_replace($pattern, '', $searchString);
         }
 
         // Unescape exacts and backslash escapes
@@ -259,7 +273,7 @@ class SearchOptions
         $userFilters = ['updated_by', 'created_by', 'owned_by'];
         $unsupportedFilters = ['is_template', 'sort_by'];
         foreach ($this->filters->all() as $filter) {
-            if (in_array($filter->getKey(), $userFilters, true) && $filter->value && $filter->value !== 'me') {
+            if (in_array($filter->getKey(), $userFilters, true) && $filter->value !== null && $filter->value !== 'me') {
                 $options[] = $filter;
             } else if (in_array($filter->getKey(), $unsupportedFilters, true)) {
                 $options[] = $filter;

app/Settings/AppSettingsStore.php

@@ -44,7 +44,7 @@ class AppSettingsStore
         }
 
         // Clear icon image if requested
-        if ($request->input('app_icon_reset')) {
+        if ($request->get('app_icon_reset')) {
             $this->destroyExistingSettingImage('app-icon');
             setting()->remove('app-icon');
             foreach ($sizes as $size) {
@@ -67,7 +67,7 @@ class AppSettingsStore
         }
 
         // Clear logo image if requested
-        if ($request->input('app_logo_reset')) {
+        if ($request->get('app_logo_reset')) {
             $this->destroyExistingSettingImage('app-logo');
             setting()->remove('app-logo');
         }

app/Settings/MaintenanceController.php

@@ -38,7 +38,7 @@ class MaintenanceController extends Controller
         $this->checkPermission(Permission::SettingsManage);
         $this->logActivity(ActivityType::MAINTENANCE_ACTION_RUN, 'cleanup-images');
 
-        $checkRevisions = !($request->input('ignore_revisions', 'false') === 'true');
+        $checkRevisions = !($request->get('ignore_revisions', 'false') === 'true');
         $dryRun = !($request->has('confirm'));
 
         $imagesToDelete = $imageService->deleteUnusedImages($checkRevisions, $dryRun);