Updated version and assets for release v25.12.4

Also fixed test namespace

.env.example.complete

@@ -351,10 +351,25 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow <script> tags in page content
+# Allow JavaScript, and other potentiall dangerous content in page content.
+# This also removes CSP-level JavaScript control.
 # Note, if set to 'true' the page editor may still escape scripts.
+# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
+# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
+# Control the behaviour of content filtering, primarily used for page content.
+# This setting is a string of characters which represent different available filters:
+# - j - Filter out JavaScript and unknown binary data based content
+# - h - Filter out unexpected, and potentially dangerous, HTML elements
+# - f - Filter out unexpected form elements
+# - a - Run content through a more complex allowlist filter
+# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
+# to ensure you are always using the full range of filters.
+APP_CONTENT_FILTERING="jfha"
+
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.

.github/translators.txt

@@ -528,3 +528,5 @@ serinf-lauza :: French
 Diyan Nikolaev (nikolaev.diyan) :: Bulgarian
 Shadluk Avan (quldosh) :: Uzbek
 Marci (MartonPoto) :: Hungarian
+Michał Sadurski (wheeskeey) :: Polish
+JanDziaslo :: Polish

app/Activity/Models/Comment.php

@@ -8,6 +8,7 @@ use BookStack\Permissions\PermissionApplicator;
 use BookStack\Users\Models\HasCreatorAndUpdater;
 use BookStack\Users\Models\OwnableInterface;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
@@ -82,7 +83,8 @@ class Comment extends Model implements Loggable, OwnableInterface
 
     public function safeHtml(): string
     {
-        return HtmlContentFilter::removeScriptsFromHtmlString($this->html ?? '');
+        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
+        return $filter->filterString($this->html ?? '');
     }
 
     public function jointPermissions(): HasMany

app/Config/app.php

@@ -37,10 +37,15 @@ return [
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Allow <script> tags to entered within page content.
-    // <script> tags are escaped by default.
-    // Even when overridden the WYSIWYG editor may still escape script content.
-    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
+    // Control the behaviour of content filtering, primarily used for page content.
+    // This setting is a string of characters which represent different available filters:
+    // - j - Filter out JavaScript and unknown binary data based content
+    // - h - Filter out unexpected, and potentially dangerous, HTML elements
+    // - f - Filter out unexpected form elements
+    // - a - Run content through a more complex allowlist filter
+    // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+    'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
 
     // Allow server-side fetches to be performed to potentially unknown
     // and user-provided locations. Primarily used in exports when loading
@@ -48,8 +53,8 @@ return [
     'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
 
     // Override the default behaviour for allowing crawlers to crawl the instance.
-    // May be ignored if view has be overridden or modified.
-    // Defaults to null since, if not set, 'app-public' status used instead.
+    // May be ignored if the underlying view has been overridden or modified.
+    // Defaults to null in which case the 'app-public' status is used instead.
     'allow_robots' => env('ALLOW_ROBOTS', null),
 
     // Application Base URL, Used by laravel in development commands

app/Entities/Controllers/PageController.php

@@ -21,6 +21,8 @@ use BookStack\Exceptions\PermissionsException;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\References\ReferenceFetcher;
+use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use Exception;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Http\Request;
@@ -173,7 +175,7 @@ class PageController extends Controller
     }
 
     /**
-     * Get page from an ajax request.
+     * Get a page from an ajax request.
      *
      * @throws NotFoundException
      */
@@ -183,6 +185,10 @@ class PageController extends Controller
         $page->setHidden(array_diff($page->getHidden(), ['html', 'markdown']));
         $page->makeHidden(['book']);
 
+        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+        $filter = new HtmlContentFilter($filterConfig);
+        $page->html = $filter->filterString($page->html);
+
         return response()->json($page);
     }
 

app/Entities/Tools/EntityHtmlDescription.php

@@ -6,6 +6,7 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 
 class EntityHtmlDescription
 {
@@ -50,7 +51,8 @@ class EntityHtmlDescription
             return $html;
         }
 
-        return HtmlContentFilter::removeScriptsFromHtmlString($html);
+        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
+        return $filter->filterString($html);
     }
 
     public function getPlain(): string

app/Entities/Tools/PageContent.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Entities\Tools;
 
+use BookStack\App\AppVersion;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
@@ -13,6 +14,7 @@ use BookStack\Uploads\ImageRepo;
 use BookStack\Uploads\ImageService;
 use BookStack\Users\Models\User;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlDocument;
 use BookStack\Util\WebSafeMimeSniffer;
 use Closure;
@@ -317,11 +319,30 @@ class PageContent
             $this->updateIdsRecursively($doc->getBody(), 0, $idMap, $changeMap);
         }
 
-        if (!config('app.allow_content_scripts')) {
-            HtmlContentFilter::removeScriptsFromDocument($doc);
+        $cacheKey = $this->getContentCacheKey($doc->getBodyInnerHtml());
+        $cached = cache()->get($cacheKey, null);
+        if ($cached !== null) {
+            return $cached;
         }
 
-        return $doc->getBodyInnerHtml();
+        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+        $filter = new HtmlContentFilter($filterConfig);
+        $filtered = $filter->filterDocument($doc);
+
+        $cacheTime = 86400 * 7; // 1 week
+        cache()->put($cacheKey, $filtered, $cacheTime);
+
+        return $filtered;
+    }
+
+    protected function getContentCacheKey(string $html): string
+    {
+        $contentHash = md5($html);
+        $contentId = $this->page->id;
+        $contentTime = $this->page->updated_at?->timestamp ?? time();
+        $appVersion = AppVersion::get();
+        $filterConfig = config('app.content_filtering') ?? '';
+        return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
     }
 
     /**

app/Entities/Tools/PageEditorData.php

@@ -8,6 +8,8 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\Markdown\HtmlToMarkdown;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
 use BookStack\Permissions\Permission;
+use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 
 class PageEditorData
 {
@@ -47,6 +49,7 @@ class PageEditorData
         $isDraftRevision = false;
         $this->warnings = [];
         $editActivity = new PageEditActivity($page);
+        $lastEditorId = $page->updated_by ?? user()->id;
 
         if ($editActivity->hasActiveEditing()) {
             $this->warnings[] = $editActivity->activeEditingMessage();
@@ -58,11 +61,20 @@ class PageEditorData
             $page->forceFill($userDraft->only(['name', 'html', 'markdown']));
             $isDraftRevision = true;
             $this->warnings[] = $editActivity->getEditingActiveDraftMessage($userDraft);
+            $lastEditorId = $userDraft->created_by;
         }
 
+        // Get editor type and handle changes
         $editorType = $this->getEditorType($page);
         $this->updateContentForEditor($page, $editorType);
 
+        // Filter HTML content if required
+        if ($editorType->isHtmlBased() && !old('html') && $lastEditorId !== user()->id) {
+            $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+            $filter = new HtmlContentFilter($filterConfig);
+            $page->html = $filter->filterString($page->html);
+        }
+
         return [
             'page'            => $page,
             'book'            => $page->book,

app/Http/Middleware/ApiAuthenticate.php

@@ -17,7 +17,7 @@ class ApiAuthenticate
     public function handle(Request $request, Closure $next)
     {
         // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken();
+        $this->ensureAuthorizedBySessionOrToken($request);
 
         return $next($request);
     }
@@ -28,22 +28,28 @@ class ApiAuthenticate
      *
      * @throws ApiAuthException
      */
-    protected function ensureAuthorizedBySessionOrToken(): void
+    protected function ensureAuthorizedBySessionOrToken(Request $request): void
     {
-        // Return if the user is already found to be signed in via session-based auth.
-        // This is to make it easy to browser the API via browser after just logging into the system.
-        if (!user()->isGuest() || session()->isStarted()) {
+        // Use the active user session already exists.
+        // This is to make it easy to explore API endpoints via the UI.
+        if (session()->isStarted()) {
+            // Ensure the user has API access permission
             if (!$this->sessionUserHasApiAccess()) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
 
+            // Only allow GET requests for cookie-based API usage
+            if ($request->method() !== 'GET') {
+                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
+            }
+
             return;
         }
 
         // Set our api guard to be the default for this request lifecycle.
         auth()->shouldUse('api');
 
-        // Validate the token and it's users API access
+        // Validate the token and its users API access
         auth()->authenticate();
     }
 

app/Theming/CustomHtmlHeadContentProvider.php

@@ -4,25 +4,16 @@ namespace BookStack\Theming;
 
 use BookStack\Util\CspService;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlNonceApplicator;
 use Illuminate\Contracts\Cache\Repository as Cache;
 
 class CustomHtmlHeadContentProvider
 {
-    /**
-     * @var CspService
-     */
-    protected $cspService;
-
-    /**
-     * @var Cache
-     */
-    protected $cache;
-
-    public function __construct(CspService $cspService, Cache $cache)
-    {
-        $this->cspService = $cspService;
-        $this->cache = $cache;
+    public function __construct(
+        protected CspService $cspService,
+        protected Cache $cache
+    ) {
     }
 
     /**
@@ -50,7 +41,8 @@ class CustomHtmlHeadContentProvider
         $hash = md5($content);
 
         return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
-            return HtmlContentFilter::removeScriptsFromHtmlString($content);
+            $config = new HtmlContentFilterConfig(filterOutNonContentElements: false, useAllowListFilter: false);
+            return (new HtmlContentFilter($config))->filterString($content);
         });
     }
 

app/Util/ConfiguredHtmlPurifier.php

@@ -0,0 +1,131 @@
+<?php
+
+namespace BookStack\Util;
+
+use BookStack\App\AppVersion;
+use HTMLPurifier;
+use HTMLPurifier_Config;
+use HTMLPurifier_DefinitionCache_Serializer;
+use HTMLPurifier_HTML5Config;
+use HTMLPurifier_HTMLDefinition;
+
+/**
+ * Provides a configured HTML Purifier instance.
+ * https://github.com/ezyang/htmlpurifier
+ * Also uses this to extend support to HTML5 elements:
+ * https://github.com/xemlock/htmlpurifier-html5
+ */
+class ConfiguredHtmlPurifier
+{
+    protected HTMLPurifier $purifier;
+    protected static bool $cachedChecked = false;
+
+    public function __construct()
+    {
+        $config = HTMLPurifier_HTML5Config::createDefault();
+        $this->setConfig($config);
+        $this->resetCacheIfNeeded($config);
+
+        $htmlDef = $config->getDefinition('HTML', true, true);
+        if ($htmlDef instanceof HTMLPurifier_HTMLDefinition) {
+            $this->configureDefinition($htmlDef);
+        }
+
+        $this->purifier = new HTMLPurifier($config);
+    }
+
+    protected function resetCacheIfNeeded(HTMLPurifier_Config $config): void
+    {
+        if (self::$cachedChecked) {
+            return;
+        }
+
+        $cachedForVersion = cache('htmlpurifier::cache-version');
+        $appVersion = AppVersion::get();
+        if ($cachedForVersion !== $appVersion) {
+            foreach (['HTML', 'CSS', 'URI'] as $name) {
+                $cache = new HTMLPurifier_DefinitionCache_Serializer($name);
+                $cache->flush($config);
+            }
+            cache()->set('htmlpurifier::cache-version', $appVersion);
+        }
+
+        self::$cachedChecked = true;
+    }
+
+    protected function setConfig(HTMLPurifier_Config $config): void
+    {
+        $config->set('Cache.SerializerPath', storage_path('framework/purifier'));
+        $config->set('Core.AllowHostnameUnderscore', true);
+        $config->set('CSS.AllowTricky', true);
+        $config->set('HTML.SafeIframe', true);
+        $config->set('Attr.EnableID', true);
+        $config->set('Attr.ID.HTML5', true);
+        $config->set('Output.FixInnerHTML', false);
+        $config->set('URI.SafeIframeRegexp', '%^(http://|https://|//)%');
+        $config->set('URI.AllowedSchemes', [
+            'http' => true,
+            'https' => true,
+            'mailto' => true,
+            'ftp' => true,
+            'nntp' => true,
+            'news' => true,
+            'tel' => true,
+            'file' => true,
+        ]);
+
+         // $config->set('Cache.DefinitionImpl', null); // Disable cache during testing
+    }
+
+    public function configureDefinition(HTMLPurifier_HTMLDefinition $definition): void
+    {
+        // Allow the object element
+        $definition->addElement(
+            'object',
+            'Inline',
+            'Flow',
+            'Common',
+            [
+                'data'   => 'URI',
+                'type'   => 'Text',
+                'width'  => 'Length',
+                'height' => 'Length',
+            ]
+        );
+
+        // Allow the embed element
+        $definition->addElement(
+            'embed',
+            'Inline',
+            'Empty',
+            'Common',
+            [
+                'src'   => 'URI',
+                'type'   => 'Text',
+                'width'  => 'Length',
+                'height' => 'Length',
+            ]
+        );
+
+        // Allow checkbox inputs
+        $definition->addElement(
+            'input',
+            'Formctrl',
+            'Empty',
+            'Common',
+            [
+                'checked' => 'Bool#checked',
+                'disabled' => 'Bool#disabled',
+                'name' => 'Text',
+                'readonly' => 'Bool#readonly',
+                'type' => 'Enum#checkbox',
+                'value' => 'Text',
+            ]
+        );
+    }
+
+    public function purify(string $html): string
+    {
+        return $this->purifier->purify($html);
+    }
+}

app/Util/CspService.php

@@ -65,7 +65,7 @@ class CspService
      */
     protected function getScriptSrc(): string
     {
-        if (config('app.allow_content_scripts')) {
+        if ($this->scriptFilteringDisabled()) {
             return '';
         }
 
@@ -108,7 +108,7 @@ class CspService
      */
     protected function getObjectSrc(): string
     {
-        if (config('app.allow_content_scripts')) {
+        if ($this->scriptFilteringDisabled()) {
             return '';
         }
 
@@ -124,6 +124,11 @@ class CspService
         return "base-uri 'self'";
     }
 
+    protected function scriptFilteringDisabled(): bool
+    {
+        return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
+    }
+
     protected function getAllowedIframeHosts(): array
     {
         $hosts = config('app.iframe_hosts') ?? '';

app/Util/HtmlContentFilter.php

@@ -8,10 +8,46 @@ use DOMNodeList;
 
 class HtmlContentFilter
 {
-    /**
-     * Remove all the script elements from the given HTML document.
-     */
-    public static function removeScriptsFromDocument(HtmlDocument $doc)
+    public function __construct(
+        protected HtmlContentFilterConfig $config
+    ) {
+    }
+
+    public function filterDocument(HtmlDocument $doc): string
+    {
+        if ($this->config->filterOutJavaScript) {
+            $this->filterOutScriptsFromDocument($doc);
+        }
+        if ($this->config->filterOutFormElements) {
+            $this->filterOutFormElementsFromDocument($doc);
+        }
+        if ($this->config->filterOutBadHtmlElements) {
+            $this->filterOutBadHtmlElementsFromDocument($doc);
+        }
+        if ($this->config->filterOutNonContentElements) {
+            $this->filterOutNonContentElementsFromDocument($doc);
+        }
+
+        $filtered = $doc->getBodyInnerHtml();
+        if ($this->config->useAllowListFilter) {
+            $filtered = $this->applyAllowListFiltering($filtered);
+        }
+
+        return $filtered;
+    }
+
+    public function filterString(string $html): string
+    {
+        return $this->filterDocument(new HtmlDocument($html));
+    }
+
+    protected function applyAllowListFiltering(string $html): string
+    {
+        $purifier = new ConfiguredHtmlPurifier();
+        return $purifier->purify($html);
+    }
+
+    protected function filterOutScriptsFromDocument(HtmlDocument $doc): void
     {
         // Remove standard script tags
         $scriptElems = $doc->queryXPath('//script');
@@ -21,21 +57,21 @@ class HtmlContentFilter
         $badLinks = $doc->queryXPath('//*[' . static::xpathContains('@href', 'javascript:') . ']');
         static::removeNodes($badLinks);
 
-        // Remove forms with calls to JavaScript URI
+        // Remove elements with form-like attributes with calls to JavaScript URI
         $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
         static::removeNodes($badForms);
 
-        // Remove meta tag to prevent external redirects
-        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
-        static::removeNodes($metaTags);
-
-        // Remove data or JavaScript iFrames
+        // Remove data or JavaScript iFrames & embeds
         $badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
         static::removeNodes($badIframes);
 
+        // Remove data or JavaScript objects
+        $badObjects = $doc->queryXPath('//*[' . static::xpathContains('@data', 'data:') . '] | //*[' . static::xpathContains('@data', 'javascript:') . ']');
+        static::removeNodes($badObjects);
+
         // Remove attributes, within svg children, hiding JavaScript or data uris.
         // A bunch of svg element and attribute combinations expose xss possibilities.
-        // For example, SVG animate tag can exploit javascript in values.
+        // For example, SVG animate tag can exploit JavaScript in values.
         $badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
         static::removeAttributes($badValuesAttrs);
 
@@ -49,23 +85,52 @@ class HtmlContentFilter
         static::removeAttributes($onAttributes);
     }
 
-    /**
-     * Remove scripts from the given HTML string.
-     */
-    public static function removeScriptsFromHtmlString(string $html): string
+    protected function filterOutFormElementsFromDocument(HtmlDocument $doc): void
     {
-        if (empty($html)) {
-            return $html;
+        // Remove form elements
+        $formElements = ['form', 'fieldset', 'button', 'textarea', 'select'];
+        foreach ($formElements as $formElement) {
+            $matchingFormElements = $doc->queryXPath('//' . $formElement);
+            static::removeNodes($matchingFormElements);
         }
 
-        $doc = new HtmlDocument($html);
-        static::removeScriptsFromDocument($doc);
+        // Remove non-checkbox inputs
+        $inputsToRemove = $doc->queryXPath('//input');
+        /** @var DOMElement $input */
+        foreach ($inputsToRemove as $input) {
+            $type = strtolower($input->getAttribute('type'));
+            if ($type !== 'checkbox') {
+                $input->parentNode->removeChild($input);
+            }
+        }
 
-        return $doc->getBodyInnerHtml();
+        // Remove form attributes
+        $formAttrs = ['form', 'formaction', 'formmethod', 'formtarget'];
+        foreach ($formAttrs as $formAttr) {
+            $matchingFormAttrs = $doc->queryXPath('//@' . $formAttr);
+            static::removeAttributes($matchingFormAttrs);
+        }
+    }
+
+    protected function filterOutBadHtmlElementsFromDocument(HtmlDocument $doc): void
+    {
+        // Remove meta tag to prevent external redirects
+        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
+        static::removeNodes($metaTags);
+    }
+
+    protected function filterOutNonContentElementsFromDocument(HtmlDocument $doc): void
+    {
+        // Remove non-content elements
+        $formElements = ['link', 'style', 'meta', 'title', 'template'];
+        foreach ($formElements as $formElement) {
+            $matchingFormElements = $doc->queryXPath('//' . $formElement);
+            static::removeNodes($matchingFormElements);
+        }
     }
 
     /**
-     * Create a xpath contains statement with a translation automatically built within
+     * Create an x-path 'contains' statement with a translation automatically built within
      * to affectively search in a cases-insensitive manner.
      */
     protected static function xpathContains(string $property, string $value): string
@@ -99,4 +164,34 @@ class HtmlContentFilter
             $parentNode->removeAttribute($attrName);
         }
     }
+
+    /**
+     * Alias using the old method name to avoid potential compatibility breaks during patch release.
+     * To remove in future feature release.
+     * @deprecated Use filterDocument instead.
+     */
+    public static function removeScriptsFromDocument(HtmlDocument $doc): void
+    {
+        $config = new HtmlContentFilterConfig(
+            filterOutNonContentElements: false,
+            useAllowListFilter: false,
+        );
+        $filter = new self($config);
+        $filter->filterDocument($doc);
+    }
+
+    /**
+     * Alias using the old method name to avoid potential compatibility breaks during patch release.
+     * To remove in future feature release.
+     * @deprecated Use filterString instead.
+     */
+    public static function removeScriptsFromHtmlString(string $html): string
+    {
+        $config = new HtmlContentFilterConfig(
+            filterOutNonContentElements: false,
+            useAllowListFilter: false,
+        );
+        $filter = new self($config);
+        return $filter->filterString($html);
+    }
 }

app/Util/HtmlContentFilterConfig.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace BookStack\Util;
+
+readonly class HtmlContentFilterConfig
+{
+    public function __construct(
+        public bool $filterOutJavaScript = true,
+        public bool $filterOutBadHtmlElements = true,
+        public bool $filterOutFormElements = true,
+        public bool $filterOutNonContentElements = true,
+        public bool $useAllowListFilter = true,
+    ) {
+    }
+
+    /**
+     * Create an instance from a config string, where the string
+     * is a combination of characters to enable filters.
+     */
+    public static function fromConfigString(string $config): self
+    {
+        $config = strtolower($config);
+        return new self(
+            filterOutJavaScript: str_contains($config, 'j'),
+            filterOutBadHtmlElements: str_contains($config, 'h'),
+            filterOutFormElements: str_contains($config, 'f'),
+            filterOutNonContentElements: str_contains($config, 'h'),
+            useAllowListFilter: str_contains($config, 'a'),
+        );
+    }
+}

composer.json

@@ -19,6 +19,7 @@
         "ext-zip": "*",
         "bacon/bacon-qr-code": "^3.0",
         "dompdf/dompdf": "^3.1",
+        "ezyang/htmlpurifier": "^4.19",
         "guzzlehttp/guzzle": "^7.4",
         "intervention/image": "^3.5",
         "knplabs/knp-snappy": "^1.5",
@@ -38,7 +39,8 @@
         "socialiteproviders/microsoft-azure": "^5.1",
         "socialiteproviders/okta": "^4.2",
         "socialiteproviders/twitch": "^5.3",
-        "ssddanbrown/htmldiff": "^2.0.0"
+        "ssddanbrown/htmldiff": "^2.0.0",
+        "xemlock/htmlpurifier-html5": "^0.1.12"
     },
     "require-dev": {
         "fakerphp/faker": "^1.21",

dev/checksums/vendor

@@ -1 +1 @@
-8c5c595184876ce12928f309aa3c9b571987c5e44c69c57c9cb17487f62bd709
+5732efe93a37a665ec9e526d713293b438e610dcf0c6e950fa7317907e480252

dev/licensing/php-library-licenses.txt

@@ -98,6 +98,13 @@ Copyright: Copyright (c) 2013-2023 Eduardo Gulias Davis
 Source: https://github.com/egulias/EmailValidator.git
 Link: https://github.com/egulias/EmailValidator
 -----------
+ezyang/htmlpurifier
+License: LGPL-2.1-or-later
+License File: vendor/ezyang/htmlpurifier/LICENSE
+Copyright: Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+Source: https://github.com/ezyang/htmlpurifier.git
+Link: http://htmlpurifier.org/
+-----------
 firebase/php-jwt
 License: BSD-3-Clause
 License File: vendor/firebase/php-jwt/LICENSE
@@ -237,21 +244,21 @@ Link: https://config.thephpleague.com
 league/flysystem
 License: MIT
 License File: vendor/league/flysystem/LICENSE
-Copyright: Copyright (c) 2013-2024 Frank de Jonge
+Copyright: Copyright (c) 2013-2026 Frank de Jonge
 Source: https://github.com/thephpleague/flysystem.git
 Link: https://github.com/thephpleague/flysystem.git
 -----------
 league/flysystem-aws-s3-v3
 License: MIT
 License File: vendor/league/flysystem-aws-s3-v3/LICENSE
-Copyright: Copyright (c) 2013-2024 Frank de Jonge
+Copyright: Copyright (c) 2013-2026 Frank de Jonge
 Source: https://github.com/thephpleague/flysystem-aws-s3-v3.git
 Link: https://github.com/thephpleague/flysystem-aws-s3-v3.git
 -----------
 league/flysystem-local
 License: MIT
 License File: vendor/league/flysystem-local/LICENSE
-Copyright: Copyright (c) 2013-2024 Frank de Jonge
+Copyright: Copyright (c) 2013-2026 Frank de Jonge
 Source: https://github.com/thephpleague/flysystem-local.git
 Link: https://github.com/thephpleague/flysystem-local.git
 -----------
@@ -323,7 +330,7 @@ License: MIT
 License File: vendor/nesbot/carbon/LICENSE
 Copyright: Copyright (C) Brian Nesbitt
 Source: https://github.com/CarbonPHP/carbon.git
-Link: https://carbon.nesbot.com
+Link: https://carbonphp.github.io/carbon/
 -----------
 nette/schema
 License: BSD-3-Clause GPL-2.0-only GPL-3.0-only
@@ -465,7 +472,7 @@ Link: https://github.com/php-fig/simple-cache.git
 psy/psysh
 License: MIT
 License File: vendor/psy/psysh/LICENSE
-Copyright: Copyright (c) 2012-2025 Justin Hileman
+Copyright: Copyright (c) 2012-2026 Justin Hileman
 Source: https://github.com/bobthecow/psysh.git
 Link: https://psysh.org
 -----------
@@ -787,3 +794,10 @@ License File: vendor/voku/portable-ascii/LICENSE.txt
 Copyright: Copyright (C) 2019 Lars Moelleken
 Source: https://github.com/voku/portable-ascii.git
 Link: https://github.com/voku/portable-ascii
+-----------
+xemlock/htmlpurifier-html5
+License: MIT
+License File: vendor/xemlock/htmlpurifier-html5/LICENSE
+Copyright: Copyright (c) 2015 Xemlock
+Source: https://github.com/xemlock/htmlpurifier-html5.git
+Link: https://github.com/xemlock/htmlpurifier-html5

lang/ar/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'الشفرة المُقدمة لرمز API المستخدم المحدد غير صحيحة',
     'api_user_no_api_permission' => 'مالك رمز API المستخدم ليس لديه الصلاحية لإجراء مكالمات API',
     'api_user_token_expired' => 'انتهت صلاحية رمز الترخيص المستخدم',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'حدث خطأ عند إرسال بريد إلكتروني تجريبي:',

lang/bg/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Секретния код, който беше предоставен за достъп до API-а е неправилен',
     'api_user_no_api_permission' => 'Собственика на АPI кода няма право да прави API заявки',
     'api_user_token_expired' => 'Кода за достъп, който беше използван, вече не е валиден',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Беше върната грешка, когато се изпрати тестовият емейл:',

lang/bn/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/bs/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Tajni ključ naveden za dati korišteni API token nije tačan',
     'api_user_no_api_permission' => 'Vlasnik korištenog API tokena nema dozvolu za upućivanje API poziva',
     'api_user_token_expired' => 'Autorizacijski token je istekao',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Došlo je do greške prilikom slanja testnog e-maila:',

lang/ca/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'El secret proporcionat per al testimoni d’API utilitzat no és correcte.',
     'api_user_no_api_permission' => 'El propietari del testimoni API utilitzat no té permís per a fer crides a l’API.',
     'api_user_token_expired' => 'El testimoni d’autorització utilitzat ha caducat.',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'S’ha produït un error en enviar el correu electrònic de prova:',

lang/cs/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Poskytnutý Token Secret neodpovídá použitému API tokenu',
     'api_user_no_api_permission' => 'Vlastník použitého API tokenu nemá oprávnění provádět API volání',
     'api_user_token_expired' => 'Platnost autorizačního tokenu vypršela',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Při posílání testovacího e-mailu nastala chyba:',

lang/cy/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Mae\'r gyfrinach a ddarparwyd ar gyfer y tocyn API defnyddiedig a roddwyd yn anghywir',
     'api_user_no_api_permission' => 'Nid oes gan berchennog y tocyn API a ddefnyddiwyd ganiatâd i wneud galwadau API',
     'api_user_token_expired' => 'Mae\'r tocyn awdurdodi a ddefnyddiwyd wedi dod i ben',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Gwall a daflwyd wrth anfon e-bost prawf:',

lang/da/editor.php

@@ -48,7 +48,7 @@ return [
     'superscript' => 'Hævet',
     'subscript' => 'Sænket',
     'text_color' => 'Tekstfarve',
-    'highlight_color' => 'Highlight color',
+    'highlight_color' => 'Fremhævelsesfarve',
     'custom_color' => 'Tilpasset farve',
     'remove_color' => 'Fjern farve',
     'background_color' => 'Baggrundsfarve',

lang/da/entities.php

@@ -252,7 +252,7 @@ return [
     'pages_edit_switch_to_markdown_stable' => '(Stabilt indhold)',
     'pages_edit_switch_to_wysiwyg' => 'Skift til WYSIWYG redigering',
     'pages_edit_switch_to_new_wysiwyg' => 'Skift til ny WYSIWYG (Hvad man ser, er hvad man får)',
-    'pages_edit_switch_to_new_wysiwyg_desc' => '(In Beta Testing)',
+    'pages_edit_switch_to_new_wysiwyg_desc' => '(I Beta Test)',
     'pages_edit_set_changelog' => 'Sæt ændringsoversigt',
     'pages_edit_enter_changelog_desc' => 'Indtast en kort beskrivelse af ændringer du har lavet',
     'pages_edit_enter_changelog' => 'Indtast ændringsoversigt',
@@ -397,11 +397,11 @@ return [
     'comment' => 'Kommentar',
     'comments' => 'Kommentarer',
     'comment_add' => 'Tilføj kommentar',
-    'comment_none' => 'No comments to display',
+    'comment_none' => 'Ingen kommentarer at vise',
     'comment_placeholder' => 'Skriv en kommentar her',
-    'comment_thread_count' => ':count Comment Thread|:count Comment Threads',
+    'comment_thread_count' => ':count Kommentar Tråde:count Kommentar Tråde',
     'comment_archived_count' => ':count Arkiveret',
-    'comment_archived_threads' => 'Archived Threads',
+    'comment_archived_threads' => 'Arkiverede Tråde',
     'comment_save' => 'Gem kommentar',
     'comment_new' => 'Ny kommentar',
     'comment_created' => 'kommenteret :createDiff',
@@ -410,8 +410,8 @@ return [
     'comment_deleted_success' => 'Kommentar slettet',
     'comment_created_success' => 'Kommentaren er tilføjet',
     'comment_updated_success' => 'Kommentaren er opdateret',
-    'comment_archive_success' => 'Comment archived',
-    'comment_unarchive_success' => 'Comment un-archived',
+    'comment_archive_success' => 'Kommentar arkiveret',
+    'comment_unarchive_success' => 'Kommentaren er ikke længere arkiveret',
     'comment_view' => 'Se kommentar',
     'comment_jump_to_thread' => 'Hop til tråd',
     'comment_delete_confirm' => 'Er du sikker på, at du vil slette denne kommentar?',

lang/da/errors.php

@@ -109,7 +109,7 @@ return [
     'import_zip_cant_read' => 'Kunne ikke læse ZIP-filen.',
     'import_zip_cant_decode_data' => 'Kunne ikke finde og afkode ZIP data.json-indhold.',
     'import_zip_no_data' => 'ZIP-filens data har ikke noget forventet bog-, kapitel- eller sideindhold.',
-    'import_zip_data_too_large' => 'ZIP data.json content exceeds the configured application maximum upload size.',
+    'import_zip_data_too_large' => 'Indholdet af ZIP data.json overstiger den konfigurerede maksimale uploadstørrelse for applikationen.',
     'import_validation_failed' => 'Import ZIP kunne ikke valideres med fejl:',
     'import_zip_failed_notification' => 'Kunne ikke importere ZIP-fil.',
     'import_perms_books' => 'Du mangler de nødvendige tilladelser til at oprette bøger.',
@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Hemmeligheden leveret til det givne anvendte API-token er forkert',
     'api_user_no_api_permission' => 'Ejeren af den brugte API token har ikke adgang til at foretage API-kald',
     'api_user_token_expired' => 'Den brugte godkendelsestoken er udløbet',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Følgende fejl opstod under afsendelse af testemail:',

lang/da/notifications.php

@@ -11,8 +11,8 @@ return [
     'updated_page_subject' => 'Opdateret side: :pageName',
     'updated_page_intro' => 'En side er blevet opdateret i :appName:',
     'updated_page_debounce' => 'For at forhindre en masse af notifikationer, i et stykke tid vil du ikke blive sendt notifikationer for yderligere redigeringer til denne side af den samme editor.',
-    'comment_mention_subject' => 'You have been mentioned in a comment on page: :pageName',
-    'comment_mention_intro' => 'You were mentioned in a comment on :appName:',
+    'comment_mention_subject' => 'Du er blevet nævnt i en kommentar på siden: :pageName',
+    'comment_mention_intro' => 'Du blev nævnt i en kommentar på :appName:',
 
     'detail_page_name' => 'Sidens navn:',
     'detail_page_path' => 'Sidesti:',

lang/da/preferences.php

@@ -23,7 +23,7 @@ return [
     'notifications_desc' => 'Administrer de e-mail-notifikationer, du modtager, når visse aktiviteter udføres i systemet.',
     'notifications_opt_own_page_changes' => 'Adviser ved ændringer af sider, jeg ejer',
     'notifications_opt_own_page_comments' => 'Adviser ved kommentarer på sider, jeg ejer',
-    'notifications_opt_comment_mentions' => 'Notify when I\'m mentioned in a comment',
+    'notifications_opt_comment_mentions' => 'Giv besked, når jeg er nævnt i en kommentar',
     'notifications_opt_comment_replies' => 'Adviser ved svar på mine kommentarer',
     'notifications_save' => 'Gem indstillinger',
     'notifications_update_success' => 'Indstillinger for notifikationer er blevet opdateret!',

lang/da/settings.php

@@ -75,8 +75,8 @@ return [
     'reg_confirm_restrict_domain_placeholder' => 'Ingen restriktion opsat',
 
     // Sorting Settings
-    'sorting' => 'Lists & Sorting',
-    'sorting_book_default' => 'Default Book Sort Rule',
+    'sorting' => 'Lister & Sortering',
+    'sorting_book_default' => 'Standardregel for sortering af bog',
     'sorting_book_default_desc' => 'Vælg den standardsorteringsregel, der skal gælde for nye bøger. Dette påvirker ikke eksisterende bøger og kan tilsidesættes for hver enkelt bog.',
     'sorting_rules' => 'Regler for sortering',
     'sorting_rules_desc' => 'Det er foruddefinerede sorteringsoperationer, som kan anvendes på indhold i systemet.',
@@ -103,8 +103,8 @@ return [
     'sort_rule_op_updated_date' => 'Opdateret dato',
     'sort_rule_op_chapters_first' => 'Kapitler først',
     'sort_rule_op_chapters_last' => 'De sidste kapitler',
-    'sorting_page_limits' => 'Per-Page Display Limits',
-    'sorting_page_limits_desc' => 'Set how many items to show per-page in various lists within the system. Typically a lower amount will be more performant, while a higher amount avoids the need to click through multiple pages. Using an even multiple of 3 (18, 24, 30, etc...) is recommended.',
+    'sorting_page_limits' => 'Visningsgrænser pr. side',
+    'sorting_page_limits_desc' => 'Angiv, hvor mange elementer der skal vises pr. side i forskellige lister i systemet. Typisk vil et lavere beløb være mere effektivt, mens et højere beløb undgår behovet for at klikke sig igennem flere sider. Det anbefales at bruge et lige multiplum af 3 (18, 24, 30 osv.).',
 
     // Maintenance settings
     'maint' => 'Vedligeholdelse',
@@ -197,13 +197,13 @@ return [
     'role_import_content' => 'Importer indhold',
     'role_editor_change' => 'Skift side editor',
     'role_notifications' => 'Modtag og administrer notifikationer',
-    'role_permission_note_users_and_roles' => 'These permissions will technically also provide visibility & searching of users & roles in the system.',
+    'role_permission_note_users_and_roles' => 'Disse tilladelser vil teknisk set også give synlighed og søgning efter brugere og roller i systemet.',
     'role_asset' => 'Tilladelser for medier og "assets"',
     'roles_system_warning' => 'Vær opmærksom på, at adgang til alle af de ovennævnte tre tilladelser, kan give en bruger mulighed for at ændre deres egne brugerrettigheder eller brugerrettigheder for andre i systemet. Tildel kun roller med disse tilladelser til betroede brugere.',
     'role_asset_desc' => 'Disse tilladelser kontrollerer standardadgang til medier og "assets" i systemet. Tilladelser til bøger, kapitler og sider tilsidesætter disse tilladelser.',
     'role_asset_admins' => 'Administratorer får automatisk adgang til alt indhold, men disse indstillinger kan vise eller skjule UI-indstillinger.',
     'role_asset_image_view_note' => 'Dette vedrører synlighed i billedhåndteringen. Den faktiske adgang til uploadede billedfiler vil afhænge af systemets billedlagringsindstilling.',
-    'role_asset_users_note' => 'These permissions will technically also provide visibility & searching of users in the system.',
+    'role_asset_users_note' => 'Disse tilladelser vil teknisk set også give synlighed og søgning efter brugere i systemet.',
     'role_all' => 'Alle',
     'role_own' => 'Eget',
     'role_controlled_by_asset' => 'Styres af det medie/"asset", de uploades til',

lang/da/validation.php

@@ -106,7 +106,7 @@ return [
     'uploaded'             => 'Filen kunne ikke oploades. Serveren accepterer muligvis ikke filer af denne størrelse.',
 
     'zip_file' => 'Attributten skal henvise til en fil i ZIP.',
-    'zip_file_size' => 'The file :attribute must not exceed :size MB.',
+    'zip_file_size' => 'Filen :attribute må ikke overstige: størrelse MB.',
     'zip_file_mime' => 'Attributten skal henvise til en fil af typen: validTypes, fundet:foundType.',
     'zip_model_expected' => 'Data objekt forventet men ":type" fundet.',
     'zip_unique' => 'Attributten skal være unik for objekttypen i ZIP.',

lang/de/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Das Kennwort für das angegebene API-Token ist falsch',
     'api_user_no_api_permission' => 'Der Besitzer des verwendeten API-Tokens hat keine Berechtigung für API-Aufrufe',
     'api_user_token_expired' => 'Das verwendete Autorisierungstoken ist abgelaufen',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Fehler beim Versenden einer Test E-Mail:',

lang/de_informal/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Das für den API-Token angegebene geheime Token ist falsch',
     'api_user_no_api_permission' => 'Der Besitzer des verwendeten API-Token hat keine Berechtigung für API-Aufrufe',
     'api_user_token_expired' => 'Das verwendete Autorisierungs-Token ist abgelaufen',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Fehler beim Senden einer Test E-Mail:',

lang/el/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Το μυστικό που παρέχεται για το δεδομένο χρησιμοποιημένο διακριτικό API είναι εσφαλμένο',
     'api_user_no_api_permission' => 'Ο ιδιοκτήτης του χρησιμοποιημένου διακριτικού API δεν έχει άδεια για να κάνει κλήσεις API',
     'api_user_token_expired' => 'Το διακριτικό εξουσιοδότησης που χρησιμοποιείται έχει λήξει',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Σφάλμα κατά την αποστολή δοκιμαστικού email:',

lang/en/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/es/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'El secreto proporcionado para el token API usado es incorrecto',
     'api_user_no_api_permission' => 'El propietario del token API usado no tiene permiso para hacer llamadas API',
     'api_user_token_expired' => 'El token de autorización usado ha caducado',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error al enviar un email de prueba:',

lang/es_AR/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'El secreto proporcionado para el token API usado es incorrecto',
     'api_user_no_api_permission' => 'El propietario del token API usado no tiene permiso para hacer llamadas API',
     'api_user_token_expired' => 'El token de autorización usado ha caducado',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error al enviar un email de prueba:',

lang/et/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'API tunnusele lisatud salajane võti ei ole korrektne',
     'api_user_no_api_permission' => 'Selle API tunnuse omanikul ei ole õigust API päringuid teha',
     'api_user_token_expired' => 'Volitustunnus on aegunud',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Test e-kirja saatmisel tekkis viga:',

lang/eu/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/fa/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'راز ارائه شده برای کد API استفاده شده نادرست است',
     'api_user_no_api_permission' => 'مالک نشانه API استفاده شده اجازه برقراری تماس های API را ندارد',
     'api_user_token_expired' => 'رمز مجوز استفاده شده منقضی شده است',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'خطا در هنگام ارسال ایمیل آزمایشی:',

lang/fi/errors.php

@@ -126,6 +126,7 @@ Sovellus ei tunnista ulkoisen todennuspalvelun pyyntöä. Ongelman voi aiheuttaa
     'api_incorrect_token_secret' => 'API-tunnisteelle annettu salainen avain on virheellinen',
     'api_user_no_api_permission' => 'Käytetyn API-tunnisteen omistajalla ei ole oikeutta tehdä API-kutsuja',
     'api_user_token_expired' => 'Käytetty valtuutuskoodi on vanhentunut',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Virhe testisähköpostia lähetettäessä:',

lang/fr/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Le secret fourni pour le jeton d\'API utilisé est incorrect',
     'api_user_no_api_permission' => 'Le propriétaire du jeton API utilisé n\'a pas la permission de passer des requêtes API',
     'api_user_token_expired' => 'Le jeton d\'autorisation utilisé a expiré',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Erreur émise lors de l\'envoi d\'un e-mail de test :',

lang/he/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/hr/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Netočan API token',
     'api_user_no_api_permission' => 'Vlasnik API tokena nema potrebna dopuštenja',
     'api_user_token_expired' => 'Autorizacija je istekla',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Pogreška prilikom slanja testnog email:',

lang/hu/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Az API tokenhez használt secret helytelen',
     'api_user_no_api_permission' => 'A használt API vezérjel tulajdonosának nincs jogosultsága API hívások végrehajtásához',
     'api_user_token_expired' => 'A használt hitelesítési vezérjel lejárt',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Hiba történt egy teszt email küldésekor:',

lang/id/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Rahasia yang diberikan untuk token API bekas yang diberikan salah',
     'api_user_no_api_permission' => 'Pemilik token API yang digunakan tidak memiliki izin untuk melakukan panggilan API',
     'api_user_token_expired' => 'Token otorisasi yang digunakan telah kedaluwarsa',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Kesalahan dilempar saat mengirim email uji:',

lang/is/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Leyndarmálið sem gefið var upp fyrir API tókann er rangt',
     'api_user_no_api_permission' => 'Eigandi API tókans hefur ekki heimild til að gera API köll',
     'api_user_token_expired' => 'Auðkenningar tókin er útrunninn',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Villa kom upp viðað reyna senda prufu tölvupóst:',

lang/it/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Il token segreto fornito per il token API utilizzato non è corretto',
     'api_user_no_api_permission' => 'Il proprietario del token API utilizzato non ha il permesso di effettuare chiamate API',
     'api_user_token_expired' => 'Il token di autorizzazione utilizzato è scaduto',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Si è verificato un errore durante l\'invio di una e-mail di prova:',

lang/ja/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => '利用されたAPIトークンに対して提供されたシークレットが正しくありません',
     'api_user_no_api_permission' => '使用されているAPIトークンの所有者には、API呼び出しを行う権限がありません',
     'api_user_token_expired' => '認証トークンが期限切れです。',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'テストメール送信時にエラーが発生しました:',

lang/ka/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/ko/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'API 토큰이 제공한 암호에 문제가 있습니다.',
     'api_user_no_api_permission' => 'API 토큰의 소유자가 API를 호출할 권한이 없습니다.',
     'api_user_token_expired' => '인증 토큰이 만료되었습니다.',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => '메일을 발송하는 도중 문제가 생겼습니다:',

lang/ku/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/lt/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Pateiktas panaudoto API žetono slėpinys yra neteisingas',
     'api_user_no_api_permission' => 'API prieigos rakto savininkas neturi leidimo daryti API skambučius',
     'api_user_token_expired' => 'Prieigos rakto naudojimas baigė galioti',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Siunčiant bandymo email: įvyko klaida',

lang/lv/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Norādītā slepenā atslēga izmantotajam API žetonam nav pareiza',
     'api_user_no_api_permission' => 'Izmantotā API žetona īpašniekam nav tiesības veikt API izsaukumus',
     'api_user_token_expired' => 'Autorizācijas žetona derīguma termiņš ir izbeidzies',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Radusies kļūda sūtot testa epastu:',

lang/nb/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Hemmeligheten som er gitt for det gitte brukte API-tokenet er feil',
     'api_user_no_api_permission' => 'Eieren av det brukte API-tokenet har ikke tillatelse til å ringe API-samtaler',
     'api_user_token_expired' => 'Autorisasjonstokenet som er brukt, har utløpt',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Feil kastet når du sendte en test-e-post:',

lang/ne/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'दिइएको API टोकनको लागि प्रदान गरिएको गोप्य सही छैन।',
     'api_user_no_api_permission' => 'API टोकनको मालिकसँग API कल गर्ने अनुमति छैन।',
     'api_user_token_expired' => 'प्रमाणीकरण टोकन समाप्त भइसकेको छ।',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'टेस्ट इमेल पठाउँदा त्रुटि:',

lang/nl/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Het opgegeven geheim voor de API-token is onjuist',
     'api_user_no_api_permission' => 'De eigenaar van de gebruikte API-token heeft geen machtiging om API calls te maken',
     'api_user_token_expired' => 'De gebruikte autorisatie token is verlopen',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Fout opgetreden bij het verzenden van een test email:',

lang/nn/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Hemmeligheten som er gitt for det gitte brukte API-tokenet er feil',
     'api_user_no_api_permission' => 'Eieren av det brukte API-tokenet har ikke tillatelse til å ringe API-samtaler',
     'api_user_token_expired' => 'Autorisasjonstokenet som er brukt, har utløpt',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Feil kastet når du sendte en test-e-post:',

lang/pl/activities.php

@@ -6,52 +6,52 @@
 return [
 
     // Pages
-    'page_create'                 => 'utworzył stronę',
+    'page_create'                 => 'utworzono stronę',
     'page_create_notification'    => 'Strona została utworzona',
-    'page_update'                 => 'zaktualizował stronę',
+    'page_update'                 => 'zaktualizowano stronę',
     'page_update_notification'    => 'Strona zaktualizowana pomyślnie',
-    'page_delete'                 => 'usunął stronę',
+    'page_delete'                 => 'usunięto stronę',
     'page_delete_notification'    => 'Strona została usunięta',
-    'page_restore'                => 'przywrócił stronę',
+    'page_restore'                => 'przywrócono stronę',
     'page_restore_notification'   => 'Strona przywrócona pomyślnie',
-    'page_move'                   => 'przeniósł stronę',
+    'page_move'                   => 'przeniesiono stronę',
     'page_move_notification'      => 'Strona przeniesiona pomyślnie',
 
     // Chapters
-    'chapter_create'              => 'utworzył rozdział',
+    'chapter_create'              => 'utworzono rozdział',
     'chapter_create_notification' => 'Rozdział utworzony pomyślnie',
-    'chapter_update'              => 'zaktualizował rozdział',
+    'chapter_update'              => 'zaktualizowano rozdział',
     'chapter_update_notification' => 'Rozdział zaktualizowany pomyślnie',
-    'chapter_delete'              => 'usunął rozdział',
+    'chapter_delete'              => 'usunięto rozdział',
     'chapter_delete_notification' => 'Rozdział usunięty pomyślnie',
-    'chapter_move'                => 'przeniósł rozdział',
+    'chapter_move'                => 'przeniesiono rozdział',
     'chapter_move_notification' => 'Rozdział przeniesiony pomyślnie',
 
     // Books
-    'book_create'                 => 'utworzył książkę',
+    'book_create'                 => 'utworzono książkę',
     'book_create_notification'    => 'Książka utworzona pomyślnie',
-    'book_create_from_chapter'              => 'skonwertował rozdział na książkę',
+    'book_create_from_chapter'              => 'przekonwertowano rozdział na książkę',
     'book_create_from_chapter_notification' => 'Rozdział został pomyślnie skonwertowany do książki',
-    'book_update'                 => 'zaktualizował książkę',
+    'book_update'                 => 'zaktualizowano książkę',
     'book_update_notification'    => 'Książka zaktualizowana pomyślnie',
-    'book_delete'                 => 'usunął książkę',
+    'book_delete'                 => 'usunięto książkę',
     'book_delete_notification'    => 'Książka usunięta pomyślnie',
-    'book_sort'                   => 'posortował książkę',
+    'book_sort'                   => 'posortowano książkę',
     'book_sort_notification'      => 'Książka posortowana pomyślnie',
 
     // Bookshelves
-    'bookshelf_create'            => 'utworzył półkę',
+    'bookshelf_create'            => 'utworzyono półkę',
     'bookshelf_create_notification'    => 'Półka utworzona pomyślnie',
-    'bookshelf_create_from_book'    => 'skonwertował książkę na półkę',
+    'bookshelf_create_from_book'    => 'przekonwertowano książkę na półkę',
     'bookshelf_create_from_book_notification'    => 'Książka została pomyślnie skonwertowana na półkę',
-    'bookshelf_update'                 => 'zaktualizował półkę',
+    'bookshelf_update'                 => 'zaktualizowano półkę',
     'bookshelf_update_notification'    => 'Półka zaktualizowana pomyślnie',
-    'bookshelf_delete'                 => 'usunął półkę',
+    'bookshelf_delete'                 => 'usunięto półkę',
     'bookshelf_delete_notification'    => 'Półka usunięta pomyślnie',
 
     // Revisions
-    'revision_restore' => 'przywrócił wersję',
-    'revision_delete' => 'usunął wersję',
+    'revision_restore' => 'przywrócono wersję',
+    'revision_delete' => 'usunięto wersję',
     'revision_delete_notification' => 'Wersja usunięta pomyślnie',
 
     // Favourites
@@ -72,54 +72,54 @@ return [
     'mfa_remove_method_notification' => 'Metoda wieloskładnikowa pomyślnie usunięta',
 
     // Settings
-    'settings_update' => 'zaktualizował ustawienia',
+    'settings_update' => 'zaktualizowano ustawienia',
     'settings_update_notification' => 'Ustawienia zaktualizowane pomyślnie',
-    'maintenance_action_run' => 'uruchomił akcję konserwacji',
+    'maintenance_action_run' => 'uruchomiono akcję konserwacji',
 
     // Webhooks
-    'webhook_create' => 'utworzył webhook',
+    'webhook_create' => 'utworzono webhook',
     'webhook_create_notification' => 'Webhook utworzony pomyślnie',
-    'webhook_update' => 'zaktualizował webhook',
+    'webhook_update' => 'zaktualizowano webhook',
     'webhook_update_notification' => 'Webhook zaktualizowany pomyślnie',
-    'webhook_delete' => 'usunął webhook',
+    'webhook_delete' => 'usunięto webhook',
     'webhook_delete_notification' => 'Webhook usunięty pomyślnie',
 
     // Imports
     'import_create' => 'utworzono import',
-    'import_create_notification' => 'Import successfully uploaded',
-    'import_run' => 'updated import',
-    'import_run_notification' => 'Content successfully imported',
-    'import_delete' => 'deleted import',
-    'import_delete_notification' => 'Import successfully deleted',
+    'import_create_notification' => 'Import zakończony sukcesem',
+    'import_run' => 'zaktualizowano import',
+    'import_run_notification' => 'Zawartość pomyślnie zaimportowana',
+    'import_delete' => 'usunięto import',
+    'import_delete_notification' => 'Import usunięty',
 
     // Users
-    'user_create' => 'utworzył użytkownika',
+    'user_create' => 'utworzono użytkownika',
     'user_create_notification' => 'Użytkownik utworzony pomyślnie',
-    'user_update' => 'zaktualizował użytkownika',
+    'user_update' => 'zaktualizowano użytkownika',
     'user_update_notification' => 'Użytkownik zaktualizowany pomyślnie',
-    'user_delete' => 'usunął użytkownika',
+    'user_delete' => 'usunięto użytkownika',
     'user_delete_notification' => 'Użytkownik pomyślnie usunięty',
 
     // API Tokens
-    'api_token_create' => 'utworzył token API',
+    'api_token_create' => 'utworzono token API',
     'api_token_create_notification' => 'Token API został poprawnie utworzony',
-    'api_token_update' => 'zaktualizował token API',
+    'api_token_update' => 'zaktualizowano token API',
     'api_token_update_notification' => 'Token API został pomyślnie zaktualizowany',
-    'api_token_delete' => 'usunął token API',
+    'api_token_delete' => 'usunięto token API',
     'api_token_delete_notification' => 'Token API został pomyślnie usunięty',
 
     // Roles
-    'role_create' => 'utworzył rolę',
+    'role_create' => 'utworzono rolę',
     'role_create_notification' => 'Rola utworzona pomyślnie',
-    'role_update' => 'zaktualizował rolę',
+    'role_update' => 'zaktualizowano rolę',
     'role_update_notification' => 'Rola zaktualizowana pomyślnie',
-    'role_delete' => 'usunął rolę',
+    'role_delete' => 'usunięto rolę',
     'role_delete_notification' => 'Rola usunięta pomyślnie',
 
     // Recycle Bin
-    'recycle_bin_empty' => 'opróżnił kosz',
-    'recycle_bin_restore' => 'przywrócił z kosza',
-    'recycle_bin_destroy' => 'usunął z kosza',
+    'recycle_bin_empty' => 'opróżniono kosz',
+    'recycle_bin_restore' => 'przywrócono z kosza',
+    'recycle_bin_destroy' => 'usunięto z kosza',
 
     // Comments
     'commented_on'                => 'skomentował',
@@ -128,12 +128,12 @@ return [
     'comment_delete'              => 'usunął komentarz',
 
     // Sort Rules
-    'sort_rule_create' => 'created sort rule',
-    'sort_rule_create_notification' => 'Sort rule successfully created',
-    'sort_rule_update' => 'updated sort rule',
-    'sort_rule_update_notification' => 'Sort rule successfully updated',
-    'sort_rule_delete' => 'deleted sort rule',
-    'sort_rule_delete_notification' => 'Sort rule successfully deleted',
+    'sort_rule_create' => 'utworzono regułę sortowania',
+    'sort_rule_create_notification' => 'Reguła sortowania została pomyślnie stworzona',
+    'sort_rule_update' => 'zaktualizowano regułę sortowania',
+    'sort_rule_update_notification' => 'Reguła sortowania została pomyślnie zaktualizowana',
+    'sort_rule_delete' => 'usunięto regułę sortowania',
+    'sort_rule_delete_notification' => 'Reguła sortowania została pomyślnie usunięta',
 
     // Other
     'permissions_update'          => 'zaktualizował uprawnienia',

lang/pl/common.php

@@ -30,8 +30,8 @@ return [
     'create' => 'Utwórz',
     'update' => 'Zaktualizuj',
     'edit' => 'Edytuj',
-    'archive' => 'Archive',
-    'unarchive' => 'Un-Archive',
+    'archive' => 'Archiwizuj',
+    'unarchive' => 'Wypakuj z archiwum',
     'sort' => 'Sortuj',
     'move' => 'Przenieś',
     'copy' => 'Skopiuj',

lang/pl/editor.php

@@ -13,7 +13,7 @@ return [
     'cancel' => 'Anuluj',
     'save' => 'Zapisz',
     'close' => 'Zamknij',
-    'apply' => 'Apply',
+    'apply' => 'Zatwierdź',
     'undo' => 'Cofnij',
     'redo' => 'Ponów',
     'left' => 'Lewa strona',
@@ -48,7 +48,7 @@ return [
     'superscript' => 'Indeks górny',
     'subscript' => 'Indeks dolny',
     'text_color' => 'Kolor tekstu',
-    'highlight_color' => 'Highlight color',
+    'highlight_color' => 'Kolor podkreślenia',
     'custom_color' => 'Kolor niestandardowy',
     'remove_color' => 'Usuń kolor',
     'background_color' => 'Kolor tła',
@@ -149,7 +149,7 @@ return [
     'url' => 'Adres URL',
     'text_to_display' => 'Tekst do wyświetlenia',
     'title' => 'Tytuł',
-    'browse_links' => 'Browse links',
+    'browse_links' => 'Przeglądaj linki',
     'open_link' => 'Otwórz link',
     'open_link_in' => 'Otwórz link w...',
     'open_link_current' => 'Bieżące okno',
@@ -166,8 +166,8 @@ return [
     'about' => 'O edytorze',
     'about_title' => 'O edytorze WYSIWYG',
     'editor_license' => 'Licencja edytora i prawa autorskie',
-    'editor_lexical_license' => 'This editor is built as a fork of :lexicalLink which is distributed under the MIT license.',
-    'editor_lexical_license_link' => 'Full license details can be found here.',
+    'editor_lexical_license' => 'Ten edytor został zbudowany na podstawie :lexicalLink, który jest dystrybuowany na licencji MIT.',
+    'editor_lexical_license_link' => 'Pełne szczegóły licencji znajdziesz tutaj.',
     'editor_tiny_license' => 'Ten edytor jest zbudowany przy użyciu :tinyLink, który jest udostępniany na licencji MIT.',
     'editor_tiny_license_link' => 'Szczegóły dotyczące praw autorskich i licencji TinyMCE można znaleźć tutaj.',
     'save_continue' => 'Zapisz stronę i kontynuuj',

lang/pl/entities.php

@@ -39,30 +39,30 @@ return [
     'export_pdf' => 'Plik PDF',
     'export_text' => 'Plik tekstowy',
     'export_md' => 'Pliki Markdown',
-    'export_zip' => 'Portable ZIP',
+    'export_zip' => 'Archiwum ZIP',
     'default_template' => 'Domyślny szablon strony',
     'default_template_explain' => 'Przypisz szablon strony, który będzie używany jako domyślna zawartość dla wszystkich stron utworzonych w tym elemencie. Pamiętaj, że będzie to używane tylko wtedy, gdy twórca strony ma dostęp do wybranej strony szablonu.',
     'default_template_select' => 'Wybierz stronę szablonu',
-    'import' => 'Import',
-    'import_validate' => 'Validate Import',
-    'import_desc' => 'Import books, chapters & pages using a portable zip export from the same, or a different, instance. Select a ZIP file to proceed. After the file has been uploaded and validated you\'ll be able to configure & confirm the import in the next view.',
-    'import_zip_select' => 'Select ZIP file to upload',
-    'import_zip_validation_errors' => 'Errors were detected while validating the provided ZIP file:',
-    'import_pending' => 'Pending Imports',
-    'import_pending_none' => 'No imports have been started.',
-    'import_continue' => 'Continue Import',
-    'import_continue_desc' => 'Review the content due to be imported from the uploaded ZIP file. When ready, run the import to add its contents to this system. The uploaded ZIP import file will be automatically removed on successful import.',
-    'import_details' => 'Import Details',
-    'import_run' => 'Run Import',
-    'import_size' => ':size Import ZIP Size',
-    'import_uploaded_at' => 'Uploaded :relativeTime',
-    'import_uploaded_by' => 'Uploaded by',
-    'import_location' => 'Import Location',
-    'import_location_desc' => 'Select a target location for your imported content. You\'ll need the relevant permissions to create within the location you choose.',
-    'import_delete_confirm' => 'Are you sure you want to delete this import?',
-    'import_delete_desc' => 'This will delete the uploaded import ZIP file, and cannot be undone.',
-    'import_errors' => 'Import Errors',
-    'import_errors_desc' => 'The follow errors occurred during the import attempt:',
+    'import' => 'Importuj',
+    'import_validate' => 'Zweryfikuj import',
+    'import_desc' => 'Importuj książki, rozdziały i strony za pomocą eksportu archiwum ZIP z tej samej lub innej instancji. Wybierz plik ZIP, aby kontynuować. Po przesłaniu i potwierdzeniu pliku będziesz mógł skonfigurować i potwierdzić import w następnym kroku.',
+    'import_zip_select' => 'Wybierz archiwum ZIP do wgrania',
+    'import_zip_validation_errors' => 'Podczas sprawdzania poprawności dostarczonego pliku ZIP wykryto błędy:',
+    'import_pending' => 'Oczekujące importy',
+    'import_pending_none' => 'Żaden import nie został uruchomiony.',
+    'import_continue' => 'Kontynuuj import',
+    'import_continue_desc' => 'Przejrzyj zawartość, która ma być zaimportowana z przesłanego pliku ZIP. Kiedy będziesz gotowy, uruchom import, aby dodać jego zawartość do systemu. Przesłane archiwum ZIP zostanie automatycznie usunięte po udanym importowaniu.',
+    'import_details' => 'Szczegóły importu',
+    'import_run' => 'Wykonaj import',
+    'import_size' => ':size wielkość importu ZIP',
+    'import_uploaded_at' => 'Przesłano :relativeTime',
+    'import_uploaded_by' => 'Przesłane przez',
+    'import_location' => 'Lokalizacja importu',
+    'import_location_desc' => 'Wybierz docelową lokalizację dla importowanej zawartości. Będziesz potrzebować odpowiednich uprawnień do tworzenia w wybranej lokalizacji.',
+    'import_delete_confirm' => 'Czy na pewno chcesz usunąć ten import?',
+    'import_delete_desc' => 'Spowoduje to usunięcie zaimportowanego archiwum ZIP. Tej operacji nie da się cofnąć.',
+    'import_errors' => 'Błędy importu',
+    'import_errors_desc' => 'Podczas próby importu wystąpiły następujące błędy:',
     'breadcrumb_siblings_for_page' => 'Navigate siblings for page',
     'breadcrumb_siblings_for_chapter' => 'Navigate siblings for chapter',
     'breadcrumb_siblings_for_book' => 'Navigate siblings for book',
@@ -171,8 +171,8 @@ return [
     'books_navigation' => 'Nawigacja po książce',
     'books_sort' => 'Sortuj zawartość książki',
     'books_sort_desc' => 'Move chapters and pages within a book to reorganise its contents. Other books can be added which allows easy moving of chapters and pages between books. Optionally an auto sort rule can be set to automatically sort this book\'s contents upon changes.',
-    'books_sort_auto_sort' => 'Auto Sort Option',
-    'books_sort_auto_sort_active' => 'Auto Sort Active: :sortName',
+    'books_sort_auto_sort' => 'Opcja automatycznego sortowania',
+    'books_sort_auto_sort_active' => 'Automatyczne sortowanie aktywne: :sortName',
     'books_sort_named' => 'Sortuj książkę :bookName',
     'books_sort_name' => 'Sortuj według nazwy',
     'books_sort_created' => 'Sortuj według daty utworzenia',
@@ -252,7 +252,7 @@ return [
     'pages_edit_switch_to_markdown_stable' => '(Statyczna zawartość)',
     'pages_edit_switch_to_wysiwyg' => 'Przełącz na edytor WYSIWYG',
     'pages_edit_switch_to_new_wysiwyg' => 'Przełącz na nowy WYSIWYG',
-    'pages_edit_switch_to_new_wysiwyg_desc' => '(In Beta Testing)',
+    'pages_edit_switch_to_new_wysiwyg_desc' => '(W testach beta)',
     'pages_edit_set_changelog' => 'Ustaw dziennik zmian',
     'pages_edit_enter_changelog_desc' => 'Opisz zmiany, które zostały wprowadzone',
     'pages_edit_enter_changelog' => 'Wyświetl dziennik zmian',
@@ -272,7 +272,7 @@ return [
     'pages_md_insert_drawing' => 'Wstaw rysunek',
     'pages_md_show_preview' => 'Pokaż podgląd',
     'pages_md_sync_scroll' => 'Synchronizuj przewijanie podglądu',
-    'pages_md_plain_editor' => 'Plaintext editor',
+    'pages_md_plain_editor' => 'Zwykły edytor',
     'pages_drawing_unsaved' => 'Znaleziono niezapisany rysunek',
     'pages_drawing_unsaved_confirm' => 'Znaleziono niezapisane dane rysowania z poprzedniej nieudanej próby zapisu. Czy chcesz przywrócić i kontynuować edycję tego niezapisanego rysunku?',
     'pages_not_in_chapter' => 'Strona nie została umieszczona w rozdziale',
@@ -397,11 +397,11 @@ return [
     'comment' => 'Komentarz',
     'comments' => 'Komentarze',
     'comment_add' => 'Dodaj komentarz',
-    'comment_none' => 'No comments to display',
+    'comment_none' => 'Brak komentarzy do wyświetlenia',
     'comment_placeholder' => 'Napisz swój komentarz tutaj',
-    'comment_thread_count' => ':count Comment Thread|:count Comment Threads',
-    'comment_archived_count' => ':count Archived',
-    'comment_archived_threads' => 'Archived Threads',
+    'comment_thread_count' => ':count wątek komentarza|:count wątków komentarzy',
+    'comment_archived_count' => ':count zarchiwizowanych',
+    'comment_archived_threads' => 'Zarchiwizowane wątki',
     'comment_save' => 'Zapisz komentarz',
     'comment_new' => 'Nowy komentarz',
     'comment_created' => 'Skomentowano :createDiff',
@@ -410,14 +410,14 @@ return [
     'comment_deleted_success' => 'Komentarz usunięty',
     'comment_created_success' => 'Komentarz dodany',
     'comment_updated_success' => 'Komentarz zaktualizowany',
-    'comment_archive_success' => 'Comment archived',
-    'comment_unarchive_success' => 'Comment un-archived',
-    'comment_view' => 'View comment',
-    'comment_jump_to_thread' => 'Jump to thread',
+    'comment_archive_success' => 'Komentarz zarchiwizowany',
+    'comment_unarchive_success' => 'Komentarz usunięty z archiwum',
+    'comment_view' => 'Zobacz komentarz',
+    'comment_jump_to_thread' => 'Przejdź do wątku',
     'comment_delete_confirm' => 'Czy na pewno chcesz usunąc ten komentarz?',
     'comment_in_reply_to' => 'W odpowiedzi na :commentId',
-    'comment_reference' => 'Reference',
-    'comment_reference_outdated' => '(Outdated)',
+    'comment_reference' => 'Odwołania',
+    'comment_reference_outdated' => '(Przestarzałe)',
     'comment_editor_explain' => 'Oto komentarze pozostawione na tej stronie. Komentarze mogą być dodawane i zarządzane podczas przeglądania zapisanej strony.',
 
     // Revision

lang/pl/errors.php

@@ -106,17 +106,17 @@ return [
     'back_soon' => 'Niedługo zostanie uruchomiona ponownie.',
 
     // Import
-    'import_zip_cant_read' => 'Could not read ZIP file.',
-    'import_zip_cant_decode_data' => 'Could not find and decode ZIP data.json content.',
-    'import_zip_no_data' => 'ZIP file data has no expected book, chapter or page content.',
-    'import_zip_data_too_large' => 'ZIP data.json content exceeds the configured application maximum upload size.',
-    'import_validation_failed' => 'Import ZIP failed to validate with errors:',
-    'import_zip_failed_notification' => 'Failed to import ZIP file.',
-    'import_perms_books' => 'You are lacking the required permissions to create books.',
-    'import_perms_chapters' => 'You are lacking the required permissions to create chapters.',
-    'import_perms_pages' => 'You are lacking the required permissions to create pages.',
-    'import_perms_images' => 'You are lacking the required permissions to create images.',
-    'import_perms_attachments' => 'You are lacking the required permission to create attachments.',
+    'import_zip_cant_read' => 'Nie można odczytać archiwum ZIP.',
+    'import_zip_cant_decode_data' => 'Nie udało się odnaleźć i dekodować pliku data.json w zawartości archiwum ZIP.',
+    'import_zip_no_data' => 'Dane archiwum ZIP nie zawierają oczekiwanej zawartości książki, rozdziału lub strony.',
+    'import_zip_data_too_large' => 'Zawartość pliku data.json w archiwum ZIP przekracza maksymalny dopuszczalny rozmiar narzucony przez aktualną konfigurację aplikacji.',
+    'import_validation_failed' => 'Walidacja importu archiwum ZIP nie powiodła się z błędami:',
+    'import_zip_failed_notification' => 'Nie udało się zaimportować archiwum ZIP.',
+    'import_perms_books' => 'Brakuje Ci wymaganych uprawnień do tworzenia książek.',
+    'import_perms_chapters' => 'Brakuje Ci wymaganych uprawnień do tworzenia rozdziałów.',
+    'import_perms_pages' => 'Brakuje Ci wymaganych uprawnień do tworzenia stron.',
+    'import_perms_images' => 'Brakuje Ci wymaganych uprawnień do tworzenia zdjęć.',
+    'import_perms_attachments' => 'Brakuje Ci wymaganych uprawnień do tworzenia załączników.',
 
     // API errors
     'api_no_authorization_found' => 'Nie znaleziono tokenu autoryzacji dla żądania',
@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Podany sekret dla tego API jest nieprawidłowy',
     'api_user_no_api_permission' => 'Właściciel używanego tokenu API nie ma uprawnień do wykonywania zapytań do API',
     'api_user_token_expired' => 'Token uwierzytelniania wygasł',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Błąd podczas wysyłania testowej wiadomości e-mail:',

lang/pl/notifications.php

@@ -11,8 +11,8 @@ return [
     'updated_page_subject' => 'Zaktualizowano stronę: :pageName',
     'updated_page_intro' => 'Strona została zaktualizowana w :appName:',
     'updated_page_debounce' => 'Aby zapobiec nadmiarowi powiadomień, przez jakiś czas nie będziesz otrzymywać powiadomień o dalszych edycjach tej strony przez tego samego edytora.',
-    'comment_mention_subject' => 'You have been mentioned in a comment on page: :pageName',
-    'comment_mention_intro' => 'You were mentioned in a comment on :appName:',
+    'comment_mention_subject' => 'Zostałeś oznaczony w komentarzu na stronie: :pageName',
+    'comment_mention_intro' => 'Zostałeś oznaczony w komentarzu w :appName:',
 
     'detail_page_name' => 'Nazwa strony:',
     'detail_page_path' => 'Ścieżka strony:',

lang/pl/preferences.php

@@ -23,7 +23,7 @@ return [
     'notifications_desc' => 'Kontroluj otrzymywane powiadomienia e-mail, gdy określona aktywność jest wykonywana w systemie.',
     'notifications_opt_own_page_changes' => 'Powiadom o zmianach na stronach, których jestem właścicielem',
     'notifications_opt_own_page_comments' => 'Powiadom o komentarzach na stronach, których jestem właścicielem',
-    'notifications_opt_comment_mentions' => 'Notify when I\'m mentioned in a comment',
+    'notifications_opt_comment_mentions' => 'Powiadom, kiedy zostanę oznaczony w komentarzu',
     'notifications_opt_comment_replies' => 'Powiadom o odpowiedziach na moje komentarze',
     'notifications_save' => 'Zapisz preferencje',
     'notifications_update_success' => 'Preferencje powiadomień zostały zaktualizowane!',

lang/pl/settings.php

@@ -20,12 +20,12 @@ return [
     'app_name_header' => 'Pokaż nazwę aplikacji w nagłówku',
     'app_public_access' => 'Dostęp publiczny',
     'app_public_access_desc' => 'Włączenie tej opcji umożliwi niezalogowanym odwiedzającym dostęp do treści w Twojej instancji BookStack.',
-    'app_public_access_desc_guest' => 'Dostęp dla niezalogowanych odwiedzających jest dostępny poprzez użytkownika "Guest".',
+    'app_public_access_desc_guest' => 'Dostęp dla niezalogowanych odwiedzających jest kontrolowany poprzez użytkownika "Guest".',
     'app_public_access_toggle' => 'Zezwalaj na dostęp publiczny',
     'app_public_viewing' => 'Zezwolić na publiczne przeglądanie?',
-    'app_secure_images' => 'Włączyć przesyłanie obrazów o wyższym poziomie bezpieczeństwa?',
+    'app_secure_images' => 'Bezpieczniejsze przesyłanie obrazów',
     'app_secure_images_toggle' => 'Włącz wyższy poziom bezpieczeństwa dla obrazów',
-    'app_secure_images_desc' => 'Ze względów wydajnościowych wszystkie obrazki są publiczne. Ta opcja dodaje dodatkowy, trudny do odgadnięcia losowy ciąg na początku nazwy obrazka. Upewnij się że indeksowanie katalogów jest zablokowane, aby uniemożliwić łatwy dostęp do obrazków.',
+    'app_secure_images_desc' => 'Ze względu na wydajność systemu wszystkie obrazki są publiczne. Ta opcja dodaje trudny do odgadnięcia losowy ciąg znaków na początku nazwy obrazka. Upewnij się, że indeksowanie katalogów jest wyłączone, aby uniemożliwić łatwy dostęp do obrazków.',
     'app_default_editor' => 'Domyślny edytor stron',
     'app_default_editor_desc' => 'Wybierz, który edytor będzie domyślnie używany podczas edycji nowych stron. Może to być nadpisane na poziomie strony, na którym pozwalają na to uprawnienia.',
     'app_custom_html' => 'Własna zawartość w tagu <head>',
@@ -64,47 +64,47 @@ return [
     'reg_settings' => 'Ustawienia rejestracji',
     'reg_enable' => 'Włącz rejestrację',
     'reg_enable_toggle' => 'Włącz rejestrację',
-    'reg_enable_desc' => 'Po włączeniu rejestracji użytkownicy ci będą mogli się samodzielnie zarejestrować i otrzymają domyślną rolę.',
+    'reg_enable_desc' => 'Przy włączonej rejestracji użytkownicy będą w stanie samodzielnie założyć sobie konto w systemie. Po rejestracji automatycznie otrzymają domyślną rolę.',
     'reg_default_role' => 'Domyślna rola użytkownika po rejestracji',
     'reg_enable_external_warning' => 'Powyższa opcja jest ignorowana, gdy zewnętrzne uwierzytelnianie LDAP lub SAML jest aktywne. Konta użytkowników dla nieistniejących użytkowników zostaną automatycznie utworzone, jeśli uwierzytelnianie za pomocą systemu zewnętrznego zakończy się sukcesem.',
     'reg_email_confirmation' => 'Potwierdzenie adresu email',
     'reg_email_confirmation_toggle' => 'Wymagaj potwierdzenia adresu email',
-    'reg_confirm_email_desc' => 'Jeśli restrykcje domenowe zostały ustawione, potwierdzenie adresu stanie się konieczne, a poniższa wartośc zostanie zignorowana.',
-    'reg_confirm_restrict_domain' => 'Restrykcje domenowe dot. adresu e-mail',
-    'reg_confirm_restrict_domain_desc' => 'Wprowadź listę domen adresów e-mail, rozdzieloną przecinkami, którym chciałbyś zezwolić na rejestrację. Wymusi to konieczność potwierdzenia adresu e-mail przez użytkownika przed uzyskaniem dostępu do aplikacji. <br> Pamiętaj, że użytkownicy będą mogli zmienić adres e-mail po rejestracji.',
+    'reg_confirm_email_desc' => 'Jeśli restrykcje domenowe zostały ustawione, potwierdzenie adresu email stanie się konieczne i ta opcja zostanie zignorowana.',
+    'reg_confirm_restrict_domain' => 'Restrykcje domenowe',
+    'reg_confirm_restrict_domain_desc' => 'Wprowadź listę domen adresów email, rozdzieloną przecinkami, którym chciałbyś zezwolić na rejestrację. Wymusi to konieczność potwierdzenia adresu e-mail przez użytkownika przed uzyskaniem dostępu do aplikacji. <br> Pamiętaj, że użytkownicy będą mogli zmienić adres e-mail po rejestracji.',
     'reg_confirm_restrict_domain_placeholder' => 'Brak restrykcji',
 
     // Sorting Settings
-    'sorting' => 'Lists & Sorting',
-    'sorting_book_default' => 'Default Book Sort Rule',
-    'sorting_book_default_desc' => 'Select the default sort rule to apply to new books. This won\'t affect existing books, and can be overridden per-book.',
-    'sorting_rules' => 'Sort Rules',
-    'sorting_rules_desc' => 'These are predefined sorting operations which can be applied to content in the system.',
-    'sort_rule_assigned_to_x_books' => 'Assigned to :count Book|Assigned to :count Books',
-    'sort_rule_create' => 'Create Sort Rule',
-    'sort_rule_edit' => 'Edit Sort Rule',
-    'sort_rule_delete' => 'Delete Sort Rule',
-    'sort_rule_delete_desc' => 'Remove this sort rule from the system. Books using this sort will revert to manual sorting.',
-    'sort_rule_delete_warn_books' => 'This sort rule is currently used on :count book(s). Are you sure you want to delete this?',
-    'sort_rule_delete_warn_default' => 'This sort rule is currently used as the default for books. Are you sure you want to delete this?',
-    'sort_rule_details' => 'Sort Rule Details',
-    'sort_rule_details_desc' => 'Set a name for this sort rule, which will appear in lists when users are selecting a sort.',
-    'sort_rule_operations' => 'Sort Operations',
-    'sort_rule_operations_desc' => 'Configure the sort actions to be performed by moving them from the list of available operations. Upon use, the operations will be applied in order, from top to bottom. Any changes made here will be applied to all assigned books upon save.',
-    'sort_rule_available_operations' => 'Available Operations',
-    'sort_rule_available_operations_empty' => 'No operations remaining',
-    'sort_rule_configured_operations' => 'Configured Operations',
-    'sort_rule_configured_operations_empty' => 'Drag/add operations from the "Available Operations" list',
-    'sort_rule_op_asc' => '(Asc)',
-    'sort_rule_op_desc' => '(Desc)',
-    'sort_rule_op_name' => 'Name - Alphabetical',
-    'sort_rule_op_name_numeric' => 'Name - Numeric',
-    'sort_rule_op_created_date' => 'Created Date',
-    'sort_rule_op_updated_date' => 'Updated Date',
-    'sort_rule_op_chapters_first' => 'Chapters First',
-    'sort_rule_op_chapters_last' => 'Chapters Last',
-    'sorting_page_limits' => 'Per-Page Display Limits',
-    'sorting_page_limits_desc' => 'Set how many items to show per-page in various lists within the system. Typically a lower amount will be more performant, while a higher amount avoids the need to click through multiple pages. Using an even multiple of 3 (18, 24, 30, etc...) is recommended.',
+    'sorting' => 'Listy i sortowanie',
+    'sorting_book_default' => 'Domyślna reguła sortowania książek',
+    'sorting_book_default_desc' => 'Wybierz domyślną regułę sortowania dla nowych książek. To nie wpłynie na istniejące książki i może być nadpisane per książka.',
+    'sorting_rules' => 'Reguły sortowania',
+    'sorting_rules_desc' => 'Są to wstępnie zdefiniowane operacje sortowania, które mogą być stosowane do treści w systemie.',
+    'sort_rule_assigned_to_x_books' => 'Przypisane do :count książki|Przypisane do :count książek',
+    'sort_rule_create' => 'Utwórz regułę sortowania',
+    'sort_rule_edit' => 'Edytuj regułę sortowania',
+    'sort_rule_delete' => 'Usuń regułę sortowania',
+    'sort_rule_delete_desc' => 'Usuń tę regułę sortowania z systemu. Książki używające tej reguły powrócą do ręcznego sortowania.',
+    'sort_rule_delete_warn_books' => 'Ta reguła sortowania jest obecnie używana na :count książkach. Czy na pewno chcesz ją usunąć?',
+    'sort_rule_delete_warn_default' => 'Ta reguła sortowania jest obecnie używana jako domyślna dla książek. Czy na pewno chcesz ją usunąć?',
+    'sort_rule_details' => 'Szczegóły reguły sortowania',
+    'sort_rule_details_desc' => 'Ustaw nazwę dla tej reguły sortowania, która pojawi się na listach, gdy użytkownicy skorzystają z sortowania.',
+    'sort_rule_operations' => 'Operacje sortowania',
+    'sort_rule_operations_desc' => 'Skonfiguruj akcje sortowanie do wykonania, przenosząc je z listy dostępnych operacji. Po użyciu operacje zostaną zastosowane w kolejności od góry do dołu. Wszelkie zmiany wprowadzone tutaj zostaną zastosowane do wszystkich przypisanych książek po zapisaniu.',
+    'sort_rule_available_operations' => 'Dostępne operacje',
+    'sort_rule_available_operations_empty' => 'Brak pozostałych operacji',
+    'sort_rule_configured_operations' => 'Skonfigurowane operacje',
+    'sort_rule_configured_operations_empty' => 'Przeciągnij/dodaj operacje z listy "Dostępne Operacje"',
+    'sort_rule_op_asc' => '(rosnąco)',
+    'sort_rule_op_desc' => '(malejąco)',
+    'sort_rule_op_name' => 'Nazwa — alfabetycznie',
+    'sort_rule_op_name_numeric' => 'Nazwa — numerycznie',
+    'sort_rule_op_created_date' => 'Data utworzenia',
+    'sort_rule_op_updated_date' => 'Data aktualizacji',
+    'sort_rule_op_chapters_first' => 'Rozdziały na początku',
+    'sort_rule_op_chapters_last' => 'Rozdziały na końcu',
+    'sorting_page_limits' => 'Limity wyświetlania per strona',
+    'sorting_page_limits_desc' => 'Ustaw ile elementów pokazywać per strona w różnych listach w systemie. Zazwyczaj mniejsza ilość będzie bardziej wydajna, podczas gdy większa ilość unika konieczności przeglądania wielu stron. Zaleca się stosowanie parzystej wielokrotności 3 (18, 24, 30 itp...).',
 
     // Maintenance settings
     'maint' => 'Konserwacja',
@@ -194,16 +194,16 @@ return [
     'role_access_api' => 'Dostęp do systemowego API',
     'role_manage_settings' => 'Zarządzanie ustawieniami aplikacji',
     'role_export_content' => 'Eksportuj zawartość',
-    'role_import_content' => 'Import content',
+    'role_import_content' => 'Importuj zawartość',
     'role_editor_change' => 'Zmień edytor strony',
     'role_notifications' => 'Odbieranie i zarządzanie powiadomieniami',
-    'role_permission_note_users_and_roles' => 'These permissions will technically also provide visibility & searching of users & roles in the system.',
+    'role_permission_note_users_and_roles' => 'Uprawnienia te mogą zapewnić również widoczność i wyszukiwanie użytkowników i ról w systemie.',
     'role_asset' => 'Zarządzanie zasobami',
     'roles_system_warning' => 'Pamiętaj, że dostęp do trzech powyższych uprawnień może pozwolić użytkownikowi na zmianę własnych uprawnień lub uprawnień innych osób w systemie. Przypisz tylko role z tymi uprawnieniami do zaufanych użytkowników.',
     'role_asset_desc' => 'Te ustawienia kontrolują zarządzanie zasobami systemu. Uprawnienia książek, rozdziałów i stron nadpisują te ustawienia.',
     'role_asset_admins' => 'Administratorzy mają automatycznie dostęp do wszystkich treści, ale te opcję mogą być pokazywać lub ukrywać opcje interfejsu użytkownika.',
     'role_asset_image_view_note' => 'To odnosi się do widoczności w ramach menedżera obrazów. Rzeczywista możliwość dostępu do przesłanych plików obrazów będzie zależeć od systemowej opcji przechowywania obrazów.',
-    'role_asset_users_note' => 'These permissions will technically also provide visibility & searching of users in the system.',
+    'role_asset_users_note' => 'Uprawnienia te mogą zapewnić również widoczność i wyszukiwanie użytkowników w systemie.',
     'role_all' => 'Wszyscy',
     'role_own' => 'Własne',
     'role_controlled_by_asset' => 'Kontrolowane przez zasób, do którego zostały udostępnione',

lang/pl/validation.php

@@ -105,11 +105,11 @@ return [
     'url'                  => 'Format :attribute jest nieprawidłowy.',
     'uploaded'             => 'Plik nie może zostać wysłany. Serwer nie akceptuje plików o takim rozmiarze.',
 
-    'zip_file' => 'The :attribute needs to reference a file within the ZIP.',
-    'zip_file_size' => 'The file :attribute must not exceed :size MB.',
-    'zip_file_mime' => 'The :attribute needs to reference a file of type :validTypes, found :foundType.',
-    'zip_model_expected' => 'Data object expected but ":type" found.',
-    'zip_unique' => 'The :attribute must be unique for the object type within the ZIP.',
+    'zip_file' => ':attribute musi odnosić się do pliku w archiwum ZIP.',
+    'zip_file_size' => 'Plik :attribute nie może przekraczać :size MB.',
+    'zip_file_mime' => ':attribute musi odnosić się do pliku typu :validTypes. Znaleziono :foundType.',
+    'zip_model_expected' => 'Oczekiwano obiektu danych, ale znaleziono ":type".',
+    'zip_unique' => ':attribute musi być unikalny dla typu obiektu w archiwum ZIP.',
 
     // Custom validation lines
     'custom' => [

lang/pt/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'O segredo fornecido para o token de API usado está incorreto',
     'api_user_no_api_permission' => 'O proprietário do token de API utilizado não tem permissão para fazer requisições de API',
     'api_user_token_expired' => 'O token de autenticação expirou',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Erro lançado ao enviar um e-mail de teste:',

lang/pt_BR/errors.php

@@ -126,6 +126,7 @@ return [
     'api_incorrect_token_secret' => 'O segredo fornecido para o código de API usado está incorreto',
     'api_user_no_api_permission' => 'O proprietário do código de API utilizado não tem permissão para fazer requisições de API',
     'api_user_token_expired' => 'O código de autenticação expirou',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Erro encontrado ao enviar uma mensagem eletrônica de teste:',

lang/ro/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Secretul furnizat pentru token-ul API folosit este incorect',
     'api_user_no_api_permission' => 'Proprietarul token-ului API folosit nu are permisiunea de a efectua apeluri API',
     'api_user_token_expired' => 'Token-ul de autorizare utilizat a expirat',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Eroare la trimiterea unui e-mail de test:',

lang/ru/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Секрет, предоставленный для данного использованного API токена неверен',
     'api_user_no_api_permission' => 'Владелец используемого API токена не имеет прав на выполнение вызовов API',
     'api_user_token_expired' => 'Срок действия используемого токена авторизации истек',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Ошибка при отправке тестового письма:',

lang/sk/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Secret poskytnutý pre daný token API je nesprávny',
     'api_user_no_api_permission' => 'Vlastník použitého tokenu API nemá povolenie na uskutočňovanie volaní rozhrania API',
     'api_user_token_expired' => 'Platnosť použitého autorizačného tokenu vypršala',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Chyba pri odosielaní testovacieho e-mailu:',

lang/sl/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Skrivnost, ki je bila dana za uporabljeni žeton API, je napačna',
     'api_user_no_api_permission' => 'Lastnik API nima pravic za klicanje API',
     'api_user_token_expired' => 'Avtorizacijski žeton je pretečen',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Napaka se je pojavila pri pošiljanju testne e-pošte:',

lang/sq/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/sr/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/sv/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Hemligheten för den angivna API-token är felaktig',
     'api_user_no_api_permission' => 'Ägaren av den använda API-token har inte behörighet att göra API-anrop',
     'api_user_token_expired' => 'Den använda auktoriseringstoken har löpt ut',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Ett fel uppstod när ett test mail skulle skickas:',

lang/tk/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

lang/tr/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Kullanılan API için sağlanan gizli anahtar doğru değil',
     'api_user_no_api_permission' => 'Kullanılan API anahtarının sahibi API çağrısı yapmak için izne sahip değil',
     'api_user_token_expired' => 'Kullanılan yetkilendirme anahtarının süresi doldu',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Test e-postası gönderilirken bir hata meydana geldi:',

lang/uk/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Секрет, наданий для даного використовуваного токена API є неправильним',
     'api_user_no_api_permission' => 'Власник використовуваного токена API не має дозволу здійснювати виклики API',
     'api_user_token_expired' => 'Термін дії токена авторизації закінчився',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Помилка під час надсилання тестового електронного листа:',

lang/uz/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Foydalanilgan API tokeni uchun berilgan sir notoʻgʻri',
     'api_user_no_api_permission' => 'Foydalanilgan API tokeni egasi API qoʻngʻiroqlarini amalga oshirishga ruxsatga ega emas',
     'api_user_token_expired' => 'Amaldagi avtorizatsiya tokeni muddati tugagan',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Sinov xatini yuborishda xatolik yuz berdi:',

lang/vi/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => 'Mã bí mật được cung cấp cho token API đang được sử dụng không hợp lệ',
     'api_user_no_api_permission' => 'Chủ của token API đang sử dụng không có quyền gọi API',
     'api_user_token_expired' => 'Token sử dụng cho việc ủy quyền đã hết hạn',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Lỗi khi gửi email thử:',

lang/zh_CN/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => '给已给出的API所提供的密钥不正确',
     'api_user_no_api_permission' => '使用过的 API 令牌的所有者没有进行API 调用的权限',
     'api_user_token_expired' => '所使用的身份令牌已过期',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => '发送测试电子邮件时出现错误：',

lang/zh_TW/errors.php

@@ -125,6 +125,7 @@ return [
     'api_incorrect_token_secret' => '給定使用的 API 權杖的密碼錯誤',
     'api_user_no_api_permission' => '使用的 API 權杖擁有者無權呼叫 API',
     'api_user_token_expired' => '使用的授權權杖已過期',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => '寄送測試電子郵件時發生錯誤:',

phpunit.xml

@@ -34,6 +34,7 @@
     <server name="AUTH_AUTO_INITIATE" value="false"/>
     <server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
     <server name="ALLOW_UNTRUSTED_SERVER_FETCHING" value="false"/>
+    <server name="CONTENT_FILTERING" value="jhfa"/>
     <server name="ALLOW_CONTENT_SCRIPTS" value="false"/>
     <server name="AVATAR_URL" value=""/>
     <server name="LDAP_START_TLS" value="false"/>

readme.md

@@ -155,7 +155,7 @@ The website which contains the project docs & blog can be found in the [BookStac
 The BookStack source is provided under the [MIT License](https://github.com/BookStackApp/BookStack/blob/development/LICENSE). 
 
 The libraries used by, and included with, BookStack are provided under their own licenses and copyright.
-The licenses for many of our core dependencies can be found in the attribution list below but this is not an exhaustive list of all projects used within BookStack. 
+The licenses for many of our core dependencies can be found in the attribution list below, but this is not an exhaustive list of all projects used within BookStack. 
 
 ## 👪 Attribution
 
@@ -187,5 +187,6 @@ Note: This is not an exhaustive list of all libraries and projects that would be
 * [PHPStan](https://phpstan.org/) & [Larastan](https://github.com/nunomaduro/larastan) - _[MIT](https://github.com/phpstan/phpstan/blob/master/LICENSE) and [MIT](https://github.com/nunomaduro/larastan/blob/master/LICENSE.md)_
 * [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) - _[BSD 3-Clause](https://github.com/squizlabs/PHP_CodeSniffer/blob/master/licence.txt)_
 * [JakeArchibald/IDB-Keyval](https://github.com/jakearchibald/idb-keyval) - _[Apache-2.0](https://github.com/jakearchibald/idb-keyval/blob/main/LICENCE)_
+* [HTML Purifier](https://github.com/ezyang/htmlpurifier) and [htmlpurifier-html5](https://github.com/xemlock/htmlpurifier-html5) - _[LGPL-2.1](https://github.com/ezyang/htmlpurifier/blob/master/LICENSE) and [MIT](https://github.com/xemlock/htmlpurifier-html5/blob/master/LICENSE)_
 
-For a detailed breakdown of the JavaScript & PHP projects imported & used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 
+For a detailed breakdown of the JavaScript & PHP projects imported and used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 

storage/framework/purifier/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

tests/Api/ApiAuthTest.php

@@ -24,7 +24,8 @@ class ApiAuthTest extends TestCase
 
         $this->actingAs($viewer, 'standard');
 
-        $resp = $this->get($this->endpoint);
+        $this->startSession();
+        $resp = $this->withCredentials()->get($this->endpoint);
         $resp->assertStatus(200);
     }
 
@@ -75,6 +76,7 @@ class ApiAuthTest extends TestCase
     {
         $editor = $this->users->editor();
         $this->actingAs($editor, 'standard');
+        $this->startSession();
 
         $resp = $this->get($this->endpoint);
         $resp->assertStatus(200);
@@ -112,6 +114,28 @@ class ApiAuthTest extends TestCase
         $resp->assertStatus(200);
     }
 
+    public function test_only_get_requests_are_supported_with_session_auth()
+    {
+        $user = $this->users->admin();
+        $this->actingAs($user, 'standard');
+        $this->startSession();
+
+        $uriByMethods = [
+            'POST' => '/books',
+            'PUT' => '/books/1',
+            'DELETE' => '/books/1',
+            'HEAD' => '/books',
+        ];
+
+        foreach ($uriByMethods as $method => $uri) {
+            $resp = $this->withCredentials()->json($method, "/api{$uri}");
+            $resp->assertStatus(403);
+            if ($method !== 'HEAD') {
+                $resp->assertJson($this->errorResponse('Only GET requests are allowed when using the API with cookie-based authentication', 403));
+            }
+        }
+    }
+
     public function test_token_expiry_checked()
     {
         $editor = $this->users->editor();

tests/Api/ChaptersApiTest.php

@@ -252,7 +252,7 @@ class ChaptersApiTest extends TestCase
     {
         $editor = $this->users->editor();
         $this->permissions->removeUserRolePermissions($editor, ['chapter-delete-all', 'chapter-delete-own']);
-        $this->actingAs($editor);
+        $this->actingAsForApi($editor);
         $chapter = $this->entities->chapterHasPages();
         $newBook = Book::query()->where('id', '!=', $chapter->book_id)->first();
 

tests/Api/RecycleBinApiTest.php

@@ -23,7 +23,7 @@ class RecycleBinApiTest extends TestCase
     {
         $editor = $this->users->editor();
         $this->permissions->grantUserRolePermissions($editor, ['settings-manage']);
-        $this->actingAs($editor);
+        $this->actingAsForApi($editor);
 
         foreach ($this->endpointMap as [$method, $uri]) {
             $resp = $this->json($method, $uri);
@@ -36,7 +36,7 @@ class RecycleBinApiTest extends TestCase
     {
         $editor = $this->users->editor();
         $this->permissions->grantUserRolePermissions($editor, ['restrictions-manage-all']);
-        $this->actingAs($editor);
+        $this->actingAsForApi($editor);
 
         foreach ($this->endpointMap as [$method, $uri]) {
             $resp = $this->json($method, $uri);
@@ -53,6 +53,7 @@ class RecycleBinApiTest extends TestCase
         $book = $this->entities->book();
         $this->actingAs($admin)->delete($page->getUrl());
         $this->delete($book->getUrl());
+        $this->actingAsForApi($admin);
 
         $deletions = Deletion::query()->orderBy('id')->get();
 
@@ -89,7 +90,7 @@ class RecycleBinApiTest extends TestCase
 
         $deletion = Deletion::query()->orderBy('id')->first();
 
-        $resp = $this->getJson($this->baseEndpoint);
+        $resp = $this->actingAsForApi($admin)->getJson($this->baseEndpoint);
 
         $expectedData = [
             [
@@ -115,6 +116,7 @@ class RecycleBinApiTest extends TestCase
         $this->actingAs($admin)->delete($page->getUrl());
         $deletion = Deletion::query()->orderBy('id')->first();
 
+        $this->actingAsForApi($admin);
         $resp = $this->getJson($this->baseEndpoint);
 
         $expectedData = [
@@ -141,6 +143,7 @@ class RecycleBinApiTest extends TestCase
         $page = $this->entities->page();
         $this->asAdmin()->delete($page->getUrl());
         $page->refresh();
+        $this->actingAsApiAdmin();
 
         $deletion = Deletion::query()->orderBy('id')->first();
 
@@ -165,6 +168,7 @@ class RecycleBinApiTest extends TestCase
         $page = $this->entities->page();
         $this->asAdmin()->delete($page->getUrl());
         $page->refresh();
+        $this->actingAsApiAdmin();
 
         $deletion = Deletion::query()->orderBy('id')->first();
 

tests/Api/UsersApiTest.php

@@ -80,7 +80,7 @@ class UsersApiTest extends TestCase
         /** @var ActivityModel $activity */
         $activity = ActivityModel::query()->where('user_id', '=', $user->id)->latest()->first();
 
-        $resp = $this->asAdmin()->getJson($this->baseEndpoint . '?filter[id]=3');
+        $resp = $this->actingAsApiAdmin()->getJson($this->baseEndpoint . '?filter[id]=3');
         $resp->assertJson(['data' => [
             [
                 'id'          => $user->id,

tests/Entity/PageContentFilteringTest.php

@@ -0,0 +1,480 @@
+<?php
+
+namespace Tests\Entity;
+
+use Tests\TestCase;
+
+class PageContentFilteringTest extends TestCase
+{
+    public function test_page_content_scripts_removed_by_default()
+    {
+        $this->asEditor();
+        $page = $this->entities->page();
+        $script = 'abc123<script>console.log("hello-test")</script>abc123';
+        $page->html = "escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertStatus(200);
+        $pageView->assertDontSee($script, false);
+        $pageView->assertSee('abc123abc123');
+    }
+
+    public function test_more_complex_content_script_escaping_scenarios()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            "<p>Some script</p><script>alert('cat')</script>",
+            "<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
+            "<p>Some script<script>alert('cat')</script></p>",
+            "<p>Some script <div><script>alert('cat')</script></div></p>",
+            "<p>Some script <script><div>alert('cat')</script></div></p>",
+            "<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
+        }
+    }
+
+    public function test_js_and_base64_src_urls_are_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<iframe src="javascript:alert(document.cookie)"></iframe>',
+            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
+            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
+            '<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
+            '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+            '<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+            '<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+            '<img src="javascript:alert(document.cookie)"/>',
+            '<img src="JavAScRipT:alert(document.cookie)"/>',
+            '<img src="JavAScRipT:alert(document.cookie)"/>',
+            '<img SRC=" javascript: alert(document.cookie)"/>',
+            '<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
+            '<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
+            '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
+            '<object data="javascript:alert(document.cookie)"></object>',
+            '<object data="JavAScRipT:alert(document.cookie)"></object>',
+            '<object data="JavAScRipT:alert(document.cookie)"></object>',
+            '<object SRC=" javascript: alert(document.cookie)"></object>',
+            '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<object data="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<object data=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<embed src="javascript:alert(document.cookie)"/>',
+            '<embed src="JavAScRipT:alert(document.cookie)"/>',
+            '<embed src="JavAScRipT:alert(document.cookie)"/>',
+            '<embed SRC=" javascript: alert(document.cookie)"/>',
+            '<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<embed src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<embed src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $html = $this->withHtml($pageView);
+            $html->assertElementNotContains('.page-content', '<object');
+            $html->assertElementNotContains('.page-content', 'data=');
+            $html->assertElementNotContains('.page-content', '<iframe>');
+            $html->assertElementNotContains('.page-content', '<img');
+            $html->assertElementNotContains('.page-content', '</iframe>');
+            $html->assertElementNotContains('.page-content', 'src=');
+            $html->assertElementNotContains('.page-content', 'javascript:');
+            $html->assertElementNotContains('.page-content', 'data:');
+            $html->assertElementNotContains('.page-content', 'base64');
+        }
+    }
+
+    public function test_javascript_uri_links_are_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
+            '<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
+            '<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
+            '<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
+        }
+    }
+
+    public function test_form_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $page->html = '<form><input type="text" id="dont-see-this" value="test"></form>';
+        $page->save();
+
+        $this->asEditor()->get($page->getUrl())->assertSee('dont-see-this', false);
+
+        config()->set('app.content_filtering', 'f');
+        $this->get($page->getUrl())->assertDontSee('dont-see-this', false);
+    }
+
+    public function test_form_actions_with_javascript_are_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
+            '<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
+            '<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
+            '<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
+            '<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $pageView->assertDontSee('id="xss"', false);
+            $pageView->assertDontSee('action=javascript:', false);
+            $pageView->assertDontSee('action=JaVaScRiPt:', false);
+            $pageView->assertDontSee('formaction=javascript:', false);
+            $pageView->assertDontSee('formaction=JaVaScRiPt:', false);
+        }
+    }
+
+    public function test_form_elements_are_removed()
+    {
+        config()->set('app.content_filtering', 'f');
+
+        $checks = [
+            '<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
+            '<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
+            '<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
+            '<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
+            '<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
+            '<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
+            '<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
+            <<<'TESTCASE'
+<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
+  <foreignObject width="100%" height="100%">
+    
+    <body xmlns="http://www.w3.org/1999/xhtml">
+    <p>thisisacattofind</p>
+      <form>
+        <p>thisdogshouldnotbefound</p>
+      </form>
+      <input type="text" placeholder="thisdogshouldnotbefound" />
+      <button type="submit">thisdogshouldnotbefound</button>
+    </body>
+
+  </foreignObject>
+</svg>
+TESTCASE
+
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $pageView->assertSee('thisisacattofind');
+            $pageView->assertDontSee('thisdogshouldnotbefound');
+        }
+    }
+
+    public function test_form_attributes_are_removed()
+    {
+        config()->set('app.content_filtering', 'f');
+
+        $withinSvgSample = <<<'TESTCASE'
+<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
+  <foreignObject width="100%" height="100%">
+    
+    <body xmlns="http://www.w3.org/1999/xhtml">
+    <p formaction="a">thisisacattofind</p>
+    <p formaction="a">thisisacattofind</p>
+    </body>
+
+  </foreignObject>
+</svg>
+TESTCASE;
+
+        $checks = [
+            'formaction' => '<p formaction="a">thisisacattofind</p>',
+            'form' => '<p form="a">thisisacattofind</p>',
+            'formmethod' => '<p formmethod="a">thisisacattofind</p>',
+            'formtarget' => '<p formtarget="a">thisisacattofind</p>',
+            'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $attribute => $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $pageView->assertSee('thisisacattofind');
+            $this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
+        }
+
+        $page->html = $withinSvgSample;
+        $page->save();
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertStatus(200);
+        $html = $this->withHtml($pageView);
+        foreach ($checks as $attribute => $check) {
+            $pageView->assertSee('thisisacattofind');
+            $html->assertElementNotExists(".page-content [{$attribute}]");
+        }
+    }
+
+    public function test_metadata_redirects_are_removed()
+    {
+        config()->set('app.content_filtering', 'h');
+
+        $checks = [
+            '<meta http-equiv="refresh" content="0; url=//external_url">',
+            '<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
+            '<meta http-equiv="refresh" content="0; UrL=//external_url">',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
+        }
+    }
+
+    public function test_page_inline_on_attributes_removed_by_default()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $this->asEditor();
+        $page = $this->entities->page();
+        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
+        $page->html = "escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertStatus(200);
+        $pageView->assertDontSee($script, false);
+        $pageView->assertSee('<p>Hello</p>', false);
+    }
+
+    public function test_more_complex_inline_on_attributes_escaping_scenarios()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<p onclick="console.log(\'test\')">Hello</p>',
+            '<p OnCliCk="console.log(\'test\')">Hello</p>',
+            '<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
+            '<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
+            '<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
+            '<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
+            '<a a="<img src=1 onerror=\'alert(1)\'> ',
+            '\<a onclick="alert(document.cookie)"\>xss link\</a\>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
+        }
+    }
+
+    public function test_page_content_scripts_show_with_filters_disabled()
+    {
+        $this->asEditor();
+        $page = $this->entities->page();
+        config()->set('app.content_filtering', '');
+
+        $script = 'abc123<script>console.log("hello-test")</script>abc123';
+        $page->html = "no escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertSee($script, false);
+        $pageView->assertDontSee('abc123abc123');
+    }
+
+    public function test_svg_script_usage_is_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
+            '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
+            '<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
+            '<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
+            '<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
+            '<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
+            '<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
+            '<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $html = $this->withHtml($pageView);
+            $html->assertElementNotContains('.page-content', 'alert');
+            $html->assertElementNotContains('.page-content', 'xlink:href');
+            $html->assertElementNotContains('.page-content', 'application/xml');
+            $html->assertElementNotContains('.page-content', 'javascript');
+        }
+    }
+
+    public function test_page_inline_on_attributes_show_with_filters_disabled()
+    {
+        $this->asEditor();
+        $page = $this->entities->page();
+        config()->set('app.content_filtering', '');
+
+        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
+        $page->html = "escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertSee($script, false);
+        $pageView->assertDontSee('<p>Hello</p>', false);
+    }
+
+    public function test_non_content_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $html = <<<'HTML'
+<style>superbeans!</style>
+<template id="template">superbeans!</template>
+HTML;
+        $page->html = $html;
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('superbeans', false);
+
+        config()->set('app.content_filtering', 'h');
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertDontSee('superbeans', false);
+    }
+
+    public function test_non_content_filtering()
+    {
+        config()->set('app.content_filtering', 'h');
+        $page = $this->entities->page();
+        $html = <<<'HTML'
+<style>superbeans!</style>
+<p>inbetweenpsection</p>
+<link rel="stylesheet" href="https://example.com/superbeans.css">
+<meta name="description" content="superbeans!">
+<title>superbeans!</title>
+<template id="template">superbeans!</template>
+HTML;
+
+        $page->html = $html;
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertDontSee('superbeans', false);
+        $resp->assertSee('inbetweenpsection', false);
+    }
+
+    public function test_allow_list_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $page->html = '<div style="position: absolute; left: 0;color:#00FFEE;">Hello!</div>';
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
+
+        config()->set('app.content_filtering', 'a');
+        $resp = $this->get($page->getUrl());
+        $resp->assertDontSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
+        $resp->assertSee('style="color:#00FFEE;"', false);
+    }
+
+    public function test_allow_list_style_filtering()
+    {
+        $testCasesExpectedByInput = [
+            '<div style="position:absolute;left:0;color:#00FFEE;">Hello!</div>' => '<div style="color:#00FFEE;">Hello!</div>',
+            '<div style="background:#FF0000;left:0;color:#00FFEE;">Hello!</div>' => '<div style="background:#FF0000;color:#00FFEE;">Hello!</div>',
+            '<div style="color:#00FFEE;">Hello!<style>testinghello!</style></div>' => '<div style="color:#00FFEE;">Hello!</div>',
+        ];
+
+        config()->set('app.content_filtering', 'a');
+        $page = $this->entities->page();
+        $this->asEditor();
+
+        foreach ($testCasesExpectedByInput as $input => $expected) {
+            $page->html = $input;
+            $page->save();
+            $resp = $this->get($page->getUrl());
+
+            $resp->assertSee($expected, false);
+        }
+    }
+}

tests/Entity/PageContentTest.php

@@ -101,261 +101,6 @@ class PageContentTest extends TestCase
         $pageResp->assertSee('Hello Barry');
     }
 
-    public function test_page_content_scripts_removed_by_default()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        $script = 'abc123<script>console.log("hello-test")</script>abc123';
-        $page->html = "escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertStatus(200);
-        $pageView->assertDontSee($script, false);
-        $pageView->assertSee('abc123abc123');
-    }
-
-    public function test_more_complex_content_script_escaping_scenarios()
-    {
-        $checks = [
-            "<p>Some script</p><script>alert('cat')</script>",
-            "<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
-            "<p>Some script<script>alert('cat')</script></p>",
-            "<p>Some script <div><script>alert('cat')</script></div></p>",
-            "<p>Some script <script><div>alert('cat')</script></div></p>",
-            "<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
-        }
-    }
-
-    public function test_js_and_base64_src_urls_are_removed()
-    {
-        $checks = [
-            '<iframe src="javascript:alert(document.cookie)"></iframe>',
-            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
-            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
-            '<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
-            '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
-            '<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
-            '<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
-            '<img src="javascript:alert(document.cookie)"/>',
-            '<img src="JavAScRipT:alert(document.cookie)"/>',
-            '<img src="JavAScRipT:alert(document.cookie)"/>',
-            '<img SRC=" javascript: alert(document.cookie)"/>',
-            '<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
-            '<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
-            '<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
-            '<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
-            '<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
-            '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $html = $this->withHtml($pageView);
-            $html->assertElementNotContains('.page-content', '<iframe>');
-            $html->assertElementNotContains('.page-content', '<img');
-            $html->assertElementNotContains('.page-content', '</iframe>');
-            $html->assertElementNotContains('.page-content', 'src=');
-            $html->assertElementNotContains('.page-content', 'javascript:');
-            $html->assertElementNotContains('.page-content', 'data:');
-            $html->assertElementNotContains('.page-content', 'base64');
-        }
-    }
-
-    public function test_javascript_uri_links_are_removed()
-    {
-        $checks = [
-            '<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
-            '<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
-            '<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
-            '<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
-        }
-    }
-
-    public function test_form_actions_with_javascript_are_removed()
-    {
-        $checks = [
-            '<form><input id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><input></form>',
-            '<form ><button id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</button></form>',
-            '<form ><button id="xss" formaction=javascript:alert(document.domain)>Click me</button></form>',
-            '<form id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></form>',
-            '<form id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></form>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<button id="xss"');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<input id="xss"');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<form id="xss"');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'action=javascript:');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'formaction=javascript:');
-        }
-    }
-
-    public function test_metadata_redirects_are_removed()
-    {
-        $checks = [
-            '<meta http-equiv="refresh" content="0; url=//external_url">',
-            '<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
-            '<meta http-equiv="refresh" content="0; UrL=//external_url">',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
-        }
-    }
-
-    public function test_page_inline_on_attributes_removed_by_default()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
-        $page->html = "escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertStatus(200);
-        $pageView->assertDontSee($script, false);
-        $pageView->assertSee('<p>Hello</p>', false);
-    }
-
-    public function test_more_complex_inline_on_attributes_escaping_scenarios()
-    {
-        $checks = [
-            '<p onclick="console.log(\'test\')">Hello</p>',
-            '<p OnCliCk="console.log(\'test\')">Hello</p>',
-            '<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
-            '<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
-            '<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
-            '<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
-            '<a a="<img src=1 onerror=\'alert(1)\'> ',
-            '\<a onclick="alert(document.cookie)"\>xss link\</a\>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
-        }
-    }
-
-    public function test_page_content_scripts_show_when_configured()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        config()->set('app.allow_content_scripts', 'true');
-
-        $script = 'abc123<script>console.log("hello-test")</script>abc123';
-        $page->html = "no escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertSee($script, false);
-        $pageView->assertDontSee('abc123abc123');
-    }
-
-    public function test_svg_script_usage_is_removed()
-    {
-        $checks = [
-            '<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
-            '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
-            '<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
-            '<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
-            '<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
-            '<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
-            '<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
-            '<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $html = $this->withHtml($pageView);
-            $html->assertElementNotContains('.page-content', 'alert');
-            $html->assertElementNotContains('.page-content', 'xlink:href');
-            $html->assertElementNotContains('.page-content', 'application/xml');
-            $html->assertElementNotContains('.page-content', 'javascript');
-        }
-    }
-
-    public function test_page_inline_on_attributes_show_if_configured()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        config()->set('app.allow_content_scripts', 'true');
-
-        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
-        $page->html = "escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertSee($script, false);
-        $pageView->assertDontSee('<p>Hello</p>', false);
-    }
-
     public function test_duplicate_ids_does_not_break_page_render()
     {
         $this->asEditor();
@@ -559,6 +304,7 @@ class PageContentTest extends TestCase
 
     public function test_page_markdown_single_html_comment_saving()
     {
+        config()->set('app.content_filtering', 'jfh');
         $this->asEditor();
         $page = $this->entities->page();
 
@@ -566,7 +312,7 @@ class PageContentTest extends TestCase
         $this->put($page->getUrl(), [
             'name' => $page->name,  'markdown' => $content,
             'html' => '', 'summary' => '',
-        ]);
+        ])->assertRedirect();
 
         $page->refresh();
         $this->assertStringMatchesFormat($content, $page->html);

tests/Entity/PageDraftTest.php

@@ -160,9 +160,11 @@ class PageDraftTest extends TestCase
     {
         $this->asAdmin();
         $page = $this->entities->page();
+        $page->html = '<p>test content<script>hellotherekitty</script></p>';
+        $page->save();
 
         $this->getJson('/ajax/page/' . $page->id)->assertJson([
-            'html' => $page->html,
+            'html' => '<p>test content</p>',
         ]);
     }
 

tests/Entity/PageEditorTest.php

@@ -265,4 +265,21 @@ class PageEditorTest extends TestCase
             $this->assertEquals($test['expected'], $page->refresh()->editor, "Failed asserting global editor {$test['setting']} with request editor {$test['request']} results in {$test['expected']} set for the page");
         }
     }
+
+    public function test_editor_html_content_is_filtered_if_loaded_by_a_different_user()
+    {
+        $editor = $this->users->editor();
+        $page = $this->entities->page();
+        $page->html = '<style>hellotherethisisaturtlemonster</style>';
+        $page->updated_by = $editor->id;
+        $page->save();
+
+        $resp = $this->asAdmin()->get($page->getUrl('edit'));
+        $resp->assertOk();
+        $resp->assertDontSee('hellotherethisisaturtlemonster', false);
+
+        $resp = $this->asAdmin()->get("/ajax/page/{$page->id}");
+        $resp->assertOk();
+        $resp->assertDontSee('hellotherethisisaturtlemonster', false);
+    }
 }

tests/SecurityHeaderTest.php

@@ -93,14 +93,14 @@ class SecurityHeaderTest extends TestCase
         $this->assertNotEquals($firstHeader, $secondHeader);
     }
 
-    public function test_allow_content_scripts_settings_controls_csp_script_headers()
+    public function test_content_filtering_config_controls_csp_script_headers()
     {
-        config()->set('app.allow_content_scripts', true);
+        config()->set('app.content_filtering', '');
         $resp = $this->get('/');
         $scriptHeader = $this->getCspHeader($resp, 'script-src');
         $this->assertEmpty($scriptHeader);
 
-        config()->set('app.allow_content_scripts', false);
+        config()->set('app.content_filtering', 'j');
         $resp = $this->get('/');
         $scriptHeader = $this->getCspHeader($resp, 'script-src');
         $this->assertNotEmpty($scriptHeader);

tests/Unit/ConfigTest.php

@@ -170,6 +170,27 @@ class ConfigTest extends TestCase
         }
     }
 
+    public function test_content_filtering_defaults_to_enabled()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => null], function () {
+            $this->assertEquals('jhfa', config('app.content_filtering'));
+        });
+    }
+
+    public function test_content_filtering_can_be_disabled()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => "", 'ALLOW_CONTENT_SCRIPTS' => null], function () {
+            $this->assertEquals('', config('app.content_filtering'));
+        });
+    }
+
+    public function test_allow_content_scripts_disables_content_filtering()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {
+            $this->assertEquals('', config('app.content_filtering'));
+        });
+    }
+
     /**
      * Set an environment variable of the given name and value
      * then check the given config key to see if it matches the given result.

version

@@ -1 +1 @@
-v25.12.2
+v25.12.4