feat(auth/oidc): wider key algorithm support

.env.example

@@ -26,13 +26,6 @@ DB_DATABASE=database_database
 DB_USERNAME=database_username
 DB_PASSWORD=database_user_password
 
-# Storage system to use
-# By default files are stored on the local filesystem, with images being placed in
-# public web space so they can be efficiently served directly by the web-server.
-# For other options with different security levels & considerations, refer to:
-# https://www.bookstackapp.com/docs/admin/upload-config/
-STORAGE_TYPE=local
-
 # Mail system to use
 # Can be 'smtp' or 'sendmail'
 MAIL_DRIVER=smtp

.env.example.complete

@@ -351,25 +351,10 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow JavaScript, and other potentiall dangerous content in page content.
-# This also removes CSP-level JavaScript control.
+# Allow <script> tags in page content
 # Note, if set to 'true' the page editor may still escape scripts.
-# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
-# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
-# Control the behaviour of content filtering, primarily used for page content.
-# This setting is a string of characters which represent different available filters:
-# - j - Filter out JavaScript and unknown binary data based content
-# - h - Filter out unexpected, and potentially dangerous, HTML elements
-# - f - Filter out unexpected form elements
-# - a - Run content through a more complex allowlist filter
-# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
-# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
-# to ensure you are always using the full range of filters.
-APP_CONTENT_FILTERING="jfha"
-
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.

.github/translators.txt

@@ -511,22 +511,3 @@ MrCharlesIII :: Arabic
 David Olsen (dawin) :: Danish
 ltnzr :: French
 Frank Holler (holler.frank) :: German; German Informal
-Korab Arifi (korabidev) :: Albanian
-Petr Husák (petrhusak) :: Czech
-Bernardo Maia (bernardo.bmaia2) :: Portuguese, Brazilian
-Amr (amr3k) :: Arabic
-Tahsin Ahmed (tahsinahmed2012) :: Bengali
-bojan_che :: Serbian (Cyrillic)
-setiawan setiawan (culture.setiawan) :: Indonesian
-Donald Mac Kenzie (kiuman) :: Norwegian Bokmal
-Gabriel Silver (GabrielBSilver) :: Hebrew
-Tomas Darius Davainis (Tomasdd) :: Lithuanian
-CriedHero :: Chinese Simplified
-Henrik (henrik2105) :: Norwegian Bokmal
-FoW (fofwisdom) :: Korean
-serinf-lauza :: French
-Diyan Nikolaev (nikolaev.diyan) :: Bulgarian
-Shadluk Avan (quldosh) :: Uzbek
-Marci (MartonPoto) :: Hungarian
-Michał Sadurski (wheeskeey) :: Polish
-JanDziaslo :: Polish

.github/workflows/test-migrations.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        php: ['8.2', '8.3', '8.4', '8.5']
+        php: ['8.2', '8.3', '8.4']
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/test-php.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        php: ['8.2', '8.3', '8.4', '8.5']
+        php: ['8.2', '8.3', '8.4']
     steps:
     - uses: actions/checkout@v4
 

.gitignore

@@ -8,10 +8,10 @@ Homestead.yaml
 .idea
 npm-debug.log
 yarn-error.log
-/public/dist/*.map
+/public/dist
 /public/plugins
-/public/css/*.map
-/public/js/*.map
+/public/css
+/public/js
 /public/bower
 /public/build/
 /public/favicon.ico

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2026, Dan Brown and the BookStack project contributors.
+Copyright (c) 2015-2025, Dan Brown and the BookStack project contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

app/Access/Controllers/OidcController.php

@@ -9,9 +9,11 @@ use Illuminate\Http\Request;
 
 class OidcController extends Controller
 {
-    public function __construct(
-        protected OidcService $oidcService
-    ) {
+    protected OidcService $oidcService;
+
+    public function __construct(OidcService $oidcService)
+    {
+        $this->oidcService = $oidcService;
         $this->middleware('guard:oidc');
     }
 
@@ -28,7 +30,7 @@ class OidcController extends Controller
             return redirect('/login');
         }
 
-        session()->put('oidc_state', time() . ':' . $loginDetails['state']);
+        session()->flash('oidc_state', $loginDetails['state']);
 
         return redirect($loginDetails['url']);
     }
@@ -39,16 +41,10 @@ class OidcController extends Controller
      */
     public function callback(Request $request)
     {
+        $storedState = session()->pull('oidc_state');
         $responseState = $request->query('state');
-        $splitState =  explode(':', session()->pull('oidc_state', ':'), 2);
-        if (count($splitState) !== 2) {
-            $splitState = [null, null];
-        }
 
-        [$storedStateTime, $storedState] = $splitState;
-        $threeMinutesAgo = time() - 3 * 60;
-
-        if (!$storedState || $storedState !== $responseState || intval($storedStateTime) < $threeMinutesAgo) {
+        if ($storedState !== $responseState) {
             $this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));
 
             return redirect('/login');
@@ -66,7 +62,7 @@ class OidcController extends Controller
     }
 
     /**
-     * Log the user out, then start the OIDC RP-initiated logout process.
+     * Log the user out then start the OIDC RP-initiated logout process.
      */
     public function logout()
     {

app/Access/Mfa/TotpService.php

@@ -14,9 +14,10 @@ use PragmaRX\Google2FA\Support\Constants;
 
 class TotpService
 {
-    public function __construct(
-        protected Google2FA $google2fa
-    ) {
+    protected $google2fa;
+
+    public function __construct(Google2FA $google2fa)
+    {
         $this->google2fa = $google2fa;
         // Use SHA1 as a default, Personal testing of other options in 2021 found
         // many apps lack support for other algorithms yet still will scan
@@ -34,7 +35,7 @@ class TotpService
     }
 
     /**
-     * Generate a TOTP URL from a secret key.
+     * Generate a TOTP URL from secret key.
      */
     public function generateUrl(string $secret, User $user): string
     {

app/Access/Oidc/OidcJwtSigningKey.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Access\Oidc;
 
+use Illuminate\Support\Facades\Log;
 use phpseclib3\Crypt\Common\PublicKey;
 use phpseclib3\Crypt\PublicKeyLoader;
 use phpseclib3\Crypt\RSA;
@@ -63,8 +64,9 @@ class OidcJwtSigningKey
         // 'alg' is optional for a JWK, but we will still attempt to validate if
         // it exists otherwise presume it will be compatible.
         $alg = $jwk['alg'] ?? null;
-        if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
-            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
+        $algorithm = OidcJwtSigningKeyAlgorithm::tryFrom($alg ?? OidcJwtSigningKeyAlgorithm::RS256->value);
+        if ($jwk['kty'] !== 'RSA' || $algorithm === null) {
+            throw new OidcInvalidKeyException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " keys are currently supported. Found key using {$alg}");
         }
 
         // 'use' is optional for a JWK but we assume 'sig' where no value exists since that's what
@@ -97,7 +99,16 @@ class OidcJwtSigningKey
             throw new OidcInvalidKeyException('Key loaded from file path is not an RSA key as expected');
         }
 
-        $this->key = $key->withPadding(RSA::SIGNATURE_PKCS1);
+        // apply key-algorithm depending hash
+        $key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256 => $key->withHash('sha256'),
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withHash('sha512'),
+        };
+        // apply key-algorithm depending padding
+        $this->key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256,
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withPadding(RSA::SIGNATURE_PKCS1),
+        };
     }
 
     /**

app/Access/Oidc/OidcJwtSigningKeyAlgorithm.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace BookStack\Access\Oidc;
+
+use UnitEnum;
+
+enum OidcJwtSigningKeyAlgorithm: string
+{
+    case RS256 = 'RS256';
+    case RS512 = 'RS512';
+
+    public static function getSupportedAlgorithms(): string
+    {
+        return join(',', array_map(static fn (UnitEnum $enum) => $enum->value, self::cases()));
+    }
+}

app/Access/Oidc/OidcJwtWithClaims.php

@@ -119,8 +119,8 @@ class OidcJwtWithClaims implements ProvidesClaims
      */
     protected function validateTokenSignature(): void
     {
-        if ($this->header['alg'] !== 'RS256') {
-            throw new OidcInvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
+        if (OidcJwtSigningKeyAlgorithm::tryFrom($this->header['alg']) === null) {
+            throw new OidcInvalidTokenException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " signature validation is supported. Token reports using {$this->header['alg']}");
         }
 
         $parsedKeys = array_map(function ($key) {

app/Access/Oidc/OidcProviderSettings.php

@@ -158,10 +158,10 @@ class OidcProviderSettings
     protected function filterKeys(array $keys): array
     {
         return array_filter($keys, function (array $key) {
-            $alg = $key['alg'] ?? 'RS256';
+            $alg = $key['alg'] ?? OidcJwtSigningKeyAlgorithm::RS256->value;
             $use = $key['use'] ?? 'sig';
 
-            return $key['kty'] === 'RSA' && $use === 'sig' && $alg === 'RS256';
+            return $key['kty'] === 'RSA' && $use === 'sig' && OidcJwtSigningKeyAlgorithm::tryFrom($alg) !== null;
         });
     }
 

app/Activity/Models/Comment.php

@@ -8,7 +8,6 @@ use BookStack\Permissions\PermissionApplicator;
 use BookStack\Users\Models\HasCreatorAndUpdater;
 use BookStack\Users\Models\OwnableInterface;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
@@ -42,19 +41,7 @@ class Comment extends Model implements Loggable, OwnableInterface
      */
     public function entity(): MorphTo
     {
-        // We specifically define null here to avoid the different name (commentable)
-        // being used by Laravel eager loading instead of the method name, which it was doing
-        // in some scenarios like when deserialized when going through the queue system.
-        // So we instead specify the type and id column names to use.
-        // Related to:
-        // https://github.com/laravel/framework/pull/24815
-        // https://github.com/laravel/framework/issues/27342
-        // https://github.com/laravel/framework/issues/47953
-        // (and probably more)
-
-        // Ultimately, we could just align the method name to 'commentable' but that would be a potential
-        // breaking change and not really worthwhile in a patch due to the risk of creating extra problems.
-        return $this->morphTo(null, 'commentable_type', 'commentable_id');
+        return $this->morphTo('commentable');
     }
 
     /**
@@ -83,8 +70,7 @@ class Comment extends Model implements Loggable, OwnableInterface
 
     public function safeHtml(): string
     {
-        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
-        return $filter->filterString($this->html ?? '');
+        return HtmlContentFilter::removeScriptsFromHtmlString($this->html ?? '');
     }
 
     public function jointPermissions(): HasMany

app/Activity/Models/MentionHistory.php

@@ -1,20 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Models;
-
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Support\Carbon;
-
-/**
- * @property int $id
- * @property string $mentionable_type
- * @property int $mentionable_id
- * @property int $from_user_id
- * @property int $to_user_id
- * @property Carbon $created_at
- * @property Carbon $updated_at
- */
-class MentionHistory extends Model
-{
-    protected $table = 'mention_history';
-}

app/Activity/Notifications/Handlers/BaseNotificationHandler.php

@@ -20,7 +20,6 @@ abstract class BaseNotificationHandler implements NotificationHandler
     {
         $users = User::query()->whereIn('id', array_unique($userIds))->get();
 
-        /** @var User $user */
         foreach ($users as $user) {
             // Prevent sending to the user that initiated the activity
             if ($user->id === $initiator->id) {

app/Activity/Notifications/Handlers/CommentMentionNotificationHandler.php

@@ -1,85 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Notifications\Handlers;
-
-use BookStack\Activity\ActivityType;
-use BookStack\Activity\Models\Activity;
-use BookStack\Activity\Models\Comment;
-use BookStack\Activity\Models\Loggable;
-use BookStack\Activity\Models\MentionHistory;
-use BookStack\Activity\Notifications\Messages\CommentMentionNotification;
-use BookStack\Activity\Tools\MentionParser;
-use BookStack\Entities\Models\Page;
-use BookStack\Settings\UserNotificationPreferences;
-use BookStack\Users\Models\User;
-use Illuminate\Database\Eloquent\Collection;
-use Illuminate\Support\Carbon;
-
-class CommentMentionNotificationHandler extends BaseNotificationHandler
-{
-    public function handle(Activity $activity, Loggable|string $detail, User $user): void
-    {
-        if (!($detail instanceof Comment) || !($detail->entity instanceof Page)) {
-            throw new \InvalidArgumentException("Detail for comment mention notifications must be a comment on a page");
-        }
-
-        /** @var Page $page */
-        $page = $detail->entity;
-
-        $parser = new MentionParser();
-        $mentionedUserIds = $parser->parseUserIdsFromHtml($detail->html);
-        $realMentionedUsers = User::whereIn('id', $mentionedUserIds)->get();
-
-        $receivingNotifications = $realMentionedUsers->filter(function (User $user) {
-            $prefs = new UserNotificationPreferences($user);
-            return $prefs->notifyOnCommentMentions();
-        });
-        $receivingNotificationsUserIds = $receivingNotifications->pluck('id')->toArray();
-
-        $userMentionsToLog = $realMentionedUsers;
-
-        // When an edit, we check our history to see if we've already notified the user about this comment before
-        // so that we can filter them out to avoid double notifications.
-        if ($activity->type === ActivityType::COMMENT_UPDATE) {
-            $previouslyNotifiedUserIds = $this->getPreviouslyNotifiedUserIds($detail);
-            $receivingNotificationsUserIds = array_values(array_diff($receivingNotificationsUserIds, $previouslyNotifiedUserIds));
-            $userMentionsToLog = $userMentionsToLog->filter(function (User $user) use ($previouslyNotifiedUserIds) {
-                return !in_array($user->id, $previouslyNotifiedUserIds);
-            });
-        }
-
-        $this->logMentions($userMentionsToLog, $detail, $user);
-        $this->sendNotificationToUserIds(CommentMentionNotification::class, $receivingNotificationsUserIds, $user, $detail, $page);
-    }
-
-    /**
-     * @param Collection<User> $mentionedUsers
-     */
-    protected function logMentions(Collection $mentionedUsers, Comment $comment, User $fromUser): void
-    {
-        $mentions = [];
-        $now = Carbon::now();
-
-        foreach ($mentionedUsers as $mentionedUser) {
-            $mentions[] = [
-                'mentionable_type' => $comment->getMorphClass(),
-                'mentionable_id' => $comment->id,
-                'from_user_id' => $fromUser->id,
-                'to_user_id' => $mentionedUser->id,
-                'created_at' => $now,
-                'updated_at' => $now,
-            ];
-        }
-
-        MentionHistory::query()->insert($mentions);
-    }
-
-    protected function getPreviouslyNotifiedUserIds(Comment $comment): array
-    {
-        return MentionHistory::query()
-            ->where('mentionable_id', $comment->id)
-            ->where('mentionable_type', $comment->getMorphClass())
-            ->pluck('to_user_id')
-            ->toArray();
-    }
-}

app/Activity/Notifications/Messages/CommentMentionNotification.php

@@ -1,37 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Notifications\Messages;
-
-use BookStack\Activity\Models\Comment;
-use BookStack\Activity\Notifications\MessageParts\EntityLinkMessageLine;
-use BookStack\Activity\Notifications\MessageParts\ListMessageLine;
-use BookStack\Entities\Models\Page;
-use BookStack\Users\Models\User;
-use Illuminate\Notifications\Messages\MailMessage;
-
-class CommentMentionNotification extends BaseActivityNotification
-{
-    public function toMail(User $notifiable): MailMessage
-    {
-        /** @var Comment $comment */
-        $comment = $this->detail;
-        /** @var Page $page */
-        $page = $comment->entity;
-
-        $locale = $notifiable->getLocale();
-
-        $listLines = array_filter([
-            $locale->trans('notifications.detail_page_name') => new EntityLinkMessageLine($page),
-            $locale->trans('notifications.detail_page_path') => $this->buildPagePathLine($page, $notifiable),
-            $locale->trans('notifications.detail_commenter') => $this->user->name,
-            $locale->trans('notifications.detail_comment') => strip_tags($comment->html),
-        ]);
-
-        return $this->newMailMessage($locale)
-            ->subject($locale->trans('notifications.comment_mention_subject', ['pageName' => $page->getShortName()]))
-            ->line($locale->trans('notifications.comment_mention_intro', ['appName' => setting('app-name')]))
-            ->line(new ListMessageLine($listLines))
-            ->action($locale->trans('notifications.action_view_comment'), $page->getUrl('#comment' . $comment->local_id))
-            ->line($this->buildReasonFooterLine($locale));
-    }
-}

app/Activity/Notifications/NotificationManager.php

@@ -6,7 +6,6 @@ use BookStack\Activity\ActivityType;
 use BookStack\Activity\Models\Activity;
 use BookStack\Activity\Models\Loggable;
 use BookStack\Activity\Notifications\Handlers\CommentCreationNotificationHandler;
-use BookStack\Activity\Notifications\Handlers\CommentMentionNotificationHandler;
 use BookStack\Activity\Notifications\Handlers\NotificationHandler;
 use BookStack\Activity\Notifications\Handlers\PageCreationNotificationHandler;
 use BookStack\Activity\Notifications\Handlers\PageUpdateNotificationHandler;
@@ -49,7 +48,5 @@ class NotificationManager
         $this->registerHandler(ActivityType::PAGE_CREATE, PageCreationNotificationHandler::class);
         $this->registerHandler(ActivityType::PAGE_UPDATE, PageUpdateNotificationHandler::class);
         $this->registerHandler(ActivityType::COMMENT_CREATE, CommentCreationNotificationHandler::class);
-        $this->registerHandler(ActivityType::COMMENT_CREATE, CommentMentionNotificationHandler::class);
-        $this->registerHandler(ActivityType::COMMENT_UPDATE, CommentMentionNotificationHandler::class);
     }
 }

app/Activity/Tools/MentionParser.php

@@ -1,28 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Tools;
-
-use BookStack\Util\HtmlDocument;
-use DOMElement;
-
-class MentionParser
-{
-    public function parseUserIdsFromHtml(string $html): array
-    {
-        $doc = new HtmlDocument($html);
-
-        $ids = [];
-        $mentionLinks = $doc->queryXPath('//a[@data-mention-user-id]');
-
-        foreach ($mentionLinks as $link) {
-            if ($link instanceof DOMElement) {
-                $id = intval($link->getAttribute('data-mention-user-id'));
-                if ($id > 0) {
-                    $ids[] = $id;
-                }
-            }
-        }
-
-        return array_values(array_unique($ids));
-    }
-}

app/App/HomeController.php

@@ -83,7 +83,7 @@ class HomeController extends Controller
         if ($homepageOption === 'bookshelves') {
             $shelves = $this->queries->shelves->visibleForListWithCover()
                 ->orderBy($commonData['listOptions']->getSort(), $commonData['listOptions']->getOrder())
-                ->paginate(setting()->getInteger('lists-page-count-shelves', 18, 1, 1000));
+                ->paginate(18);
             $data = array_merge($commonData, ['shelves' => $shelves]);
 
             return view('home.shelves', $data);
@@ -92,7 +92,7 @@ class HomeController extends Controller
         if ($homepageOption === 'books') {
             $books = $this->queries->books->visibleForListWithCover()
                 ->orderBy($commonData['listOptions']->getSort(), $commonData['listOptions']->getOrder())
-                ->paginate(setting()->getInteger('lists-page-count-books', 18, 1, 1000));
+                ->paginate(18);
             $data = array_merge($commonData, ['books' => $books]);
 
             return view('home.books', $data);

app/App/Providers/AppServiceProvider.php

@@ -3,7 +3,6 @@
 namespace BookStack\App\Providers;
 
 use BookStack\Access\SocialDriverManager;
-use BookStack\Activity\Models\Comment;
 use BookStack\Activity\Tools\ActivityLogger;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
@@ -74,7 +73,6 @@ class AppServiceProvider extends ServiceProvider
             'book'      => Book::class,
             'chapter'   => Chapter::class,
             'page'      => Page::class,
-            'comment'   => Comment::class,
         ]);
     }
 }

app/App/SluggableInterface.php

@@ -5,9 +5,11 @@ namespace BookStack\App;
 /**
  * Assigned to models that can have slugs.
  * Must have the below properties.
- *
- * @property string $slug
  */
 interface SluggableInterface
 {
+    /**
+     * Regenerate the slug for this model.
+     */
+    public function refreshSlug(): string;
 }

app/Config/app.php

@@ -37,15 +37,10 @@ return [
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Control the behaviour of content filtering, primarily used for page content.
-    // This setting is a string of characters which represent different available filters:
-    // - j - Filter out JavaScript and unknown binary data based content
-    // - h - Filter out unexpected, and potentially dangerous, HTML elements
-    // - f - Filter out unexpected form elements
-    // - a - Run content through a more complex allowlist filter
-    // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
-    'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
+    // Allow <script> tags to entered within page content.
+    // <script> tags are escaped by default.
+    // Even when overridden the WYSIWYG editor may still escape script content.
+    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
 
     // Allow server-side fetches to be performed to potentially unknown
     // and user-provided locations. Primarily used in exports when loading
@@ -53,8 +48,8 @@ return [
     'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
 
     // Override the default behaviour for allowing crawlers to crawl the instance.
-    // May be ignored if the underlying view has been overridden or modified.
-    // Defaults to null in which case the 'app-public' status is used instead.
+    // May be ignored if view has be overridden or modified.
+    // Defaults to null since, if not set, 'app-public' status used instead.
     'allow_robots' => env('ALLOW_ROBOTS', null),
 
     // Application Base URL, Used by laravel in development commands

app/Config/database.php

@@ -81,8 +81,7 @@ return [
             'strict'         => false,
             'engine'         => null,
             'options'        => extension_loaded('pdo_mysql') ? array_filter([
-                // @phpstan-ignore class.notFound
-                (PHP_VERSION_ID >= 80500 ? \Pdo\Mysql::ATTR_SSL_CA : \PDO::MYSQL_ATTR_SSL_CA) => env('MYSQL_ATTR_SSL_CA'),
+                PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'),
             ]) : [],
         ],
 

app/Config/setting-defaults.php

@@ -41,7 +41,6 @@ return [
         'bookshelves_view_type' => env('APP_VIEWS_BOOKSHELVES', 'grid'),
         'bookshelf_view_type'   => env('APP_VIEWS_BOOKSHELF', 'grid'),
         'books_view_type'       => env('APP_VIEWS_BOOKS', 'grid'),
-        'notifications#comment-mentions' => true,
     ],
 
 ];

app/Entities/Controllers/BookController.php

@@ -8,7 +8,6 @@ use BookStack\Activity\Models\View;
 use BookStack\Activity\Tools\UserEntityWatchOptions;
 use BookStack\Entities\Queries\BookQueries;
 use BookStack\Entities\Queries\BookshelfQueries;
-use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Entities\Tools\Cloner;
@@ -32,7 +31,6 @@ class BookController extends Controller
         protected ShelfContext $shelfContext,
         protected BookRepo $bookRepo,
         protected BookQueries $queries,
-        protected EntityQueries $entityQueries,
         protected BookshelfQueries $shelfQueries,
         protected ReferenceFetcher $referenceFetcher,
     ) {
@@ -52,7 +50,7 @@ class BookController extends Controller
 
         $books = $this->queries->visibleForListWithCover()
             ->orderBy($listOptions->getSort(), $listOptions->getOrder())
-            ->paginate(setting()->getInteger('lists-page-count-books', 18, 1, 1000));
+            ->paginate(18);
         $recents = $this->isSignedIn() ? $this->queries->recentlyViewedForCurrentUser()->take(4)->get() : false;
         $popular = $this->queries->popularForList()->take(4)->get();
         $new = $this->queries->visibleForList()->orderBy('created_at', 'desc')->take(4)->get();
@@ -129,16 +127,7 @@ class BookController extends Controller
      */
     public function show(Request $request, ActivityQueries $activities, string $slug)
     {
-        try {
-            $book = $this->queries->findVisibleBySlugOrFail($slug);
-        } catch (NotFoundException $exception) {
-            $book = $this->entityQueries->findVisibleByOldSlugs('book', $slug);
-            if (is_null($book)) {
-                throw $exception;
-            }
-            return redirect($book->getUrl());
-        }
-
+        $book = $this->queries->findVisibleBySlugOrFail($slug);
         $bookChildren = (new BookContents($book))->getTree(true);
         $bookParentShelves = $book->shelves()->scopes('visible')->get();
 

app/Entities/Controllers/BookshelfController.php

@@ -6,7 +6,6 @@ use BookStack\Activity\ActivityQueries;
 use BookStack\Activity\Models\View;
 use BookStack\Entities\Queries\BookQueries;
 use BookStack\Entities\Queries\BookshelfQueries;
-use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Repos\BookshelfRepo;
 use BookStack\Entities\Tools\ShelfContext;
 use BookStack\Exceptions\ImageUploadException;
@@ -24,7 +23,6 @@ class BookshelfController extends Controller
     public function __construct(
         protected BookshelfRepo $shelfRepo,
         protected BookshelfQueries $queries,
-        protected EntityQueries $entityQueries,
         protected BookQueries $bookQueries,
         protected ShelfContext $shelfContext,
         protected ReferenceFetcher $referenceFetcher,
@@ -45,7 +43,7 @@ class BookshelfController extends Controller
 
         $shelves = $this->queries->visibleForListWithCover()
             ->orderBy($listOptions->getSort(), $listOptions->getOrder())
-            ->paginate(setting()->getInteger('lists-page-count-shelves', 18, 1, 1000));
+            ->paginate(18);
         $recents = $this->isSignedIn() ? $this->queries->recentlyViewedForCurrentUser()->get() : false;
         $popular = $this->queries->popularForList()->get();
         $new = $this->queries->visibleForList()
@@ -107,16 +105,7 @@ class BookshelfController extends Controller
      */
     public function show(Request $request, ActivityQueries $activities, string $slug)
     {
-        try {
-            $shelf = $this->queries->findVisibleBySlugOrFail($slug);
-        } catch (NotFoundException $exception) {
-            $shelf = $this->entityQueries->findVisibleByOldSlugs('bookshelf', $slug);
-            if (is_null($shelf)) {
-                throw $exception;
-            }
-            return redirect($shelf->getUrl());
-        }
-
+        $shelf = $this->queries->findVisibleBySlugOrFail($slug);
         $this->checkOwnablePermission(Permission::BookshelfView, $shelf);
 
         $listOptions = SimpleListOptions::fromRequest($request, 'shelf_books')->withSortOptions([

app/Entities/Controllers/ChapterController.php

@@ -77,15 +77,7 @@ class ChapterController extends Controller
      */
     public function show(string $bookSlug, string $chapterSlug)
     {
-        try {
-            $chapter = $this->queries->findVisibleBySlugsOrFail($bookSlug, $chapterSlug);
-        } catch (NotFoundException $exception) {
-            $chapter = $this->entityQueries->findVisibleByOldSlugs('chapter', $chapterSlug, $bookSlug);
-            if (is_null($chapter)) {
-                throw $exception;
-            }
-            return redirect($chapter->getUrl());
-        }
+        $chapter = $this->queries->findVisibleBySlugsOrFail($bookSlug, $chapterSlug);
 
         $sidebarTree = (new BookContents($chapter->book))->getTree();
         $pages = $this->entityQueries->pages->visibleForChapterList($chapter->id)->get();

app/Entities/Controllers/PageController.php

@@ -17,12 +17,11 @@ use BookStack\Entities\Tools\PageContent;
 use BookStack\Entities\Tools\PageEditActivity;
 use BookStack\Entities\Tools\PageEditorData;
 use BookStack\Exceptions\NotFoundException;
+use BookStack\Exceptions\NotifyException;
 use BookStack\Exceptions\PermissionsException;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\References\ReferenceFetcher;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use Exception;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Http\Request;
@@ -141,7 +140,9 @@ class PageController extends Controller
         try {
             $page = $this->queries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         } catch (NotFoundException $e) {
-            $page = $this->entityQueries->findVisibleByOldSlugs('page', $pageSlug, $bookSlug);
+            $revision = $this->entityQueries->revisions->findLatestVersionBySlugs($bookSlug, $pageSlug);
+            $page = $revision->page ?? null;
+
             if (is_null($page)) {
                 throw $e;
             }
@@ -175,7 +176,7 @@ class PageController extends Controller
     }
 
     /**
-     * Get a page from an ajax request.
+     * Get page from an ajax request.
      *
      * @throws NotFoundException
      */
@@ -185,10 +186,6 @@ class PageController extends Controller
         $page->setHidden(array_diff($page->getHidden(), ['html', 'markdown']));
         $page->makeHidden(['book']);
 
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $page->html = $filter->filterString($page->html);
-
         return response()->json($page);
     }
 

app/Entities/Models/Book.php

@@ -67,7 +67,8 @@ class Book extends Entity implements HasDescriptionInterface, HasCoverInterface,
      */
     public function chapters(): HasMany
     {
-        return $this->hasMany(Chapter::class);
+        return $this->hasMany(Chapter::class)
+            ->where('type', '=', 'chapter');
     }
 
     /**

app/Entities/Models/BookChild.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Entities\Models;
 
+use BookStack\References\ReferenceUpdater;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
 /**
@@ -16,10 +17,34 @@ abstract class BookChild extends Entity
 {
     /**
      * Get the book this page sits in.
-     * @return BelongsTo<Book, $this>
      */
     public function book(): BelongsTo
     {
         return $this->belongsTo(Book::class)->withTrashed();
     }
+
+    /**
+     * Change the book that this entity belongs to.
+     */
+    public function changeBook(int $newBookId): self
+    {
+        $oldUrl = $this->getUrl();
+        $this->book_id = $newBookId;
+        $this->unsetRelation('book');
+        $this->refreshSlug();
+        $this->save();
+
+        if ($oldUrl !== $this->getUrl()) {
+            app()->make(ReferenceUpdater::class)->updateEntityReferences($this, $oldUrl);
+        }
+
+        // Update all child pages if a chapter
+        if ($this instanceof Chapter) {
+            foreach ($this->pages()->withTrashed()->get() as $page) {
+                $page->changeBook($newBookId);
+            }
+        }
+
+        return $this;
+    }
 }

app/Entities/Models/Entity.php

@@ -13,6 +13,7 @@ use BookStack\Activity\Models\Viewable;
 use BookStack\Activity\Models\Watch;
 use BookStack\App\Model;
 use BookStack\App\SluggableInterface;
+use BookStack\Entities\Tools\SlugGenerator;
 use BookStack\Permissions\JointPermissionBuilder;
 use BookStack\Permissions\Models\EntityPermission;
 use BookStack\Permissions\Models\JointPermission;
@@ -404,6 +405,16 @@ abstract class Entity extends Model implements
         app()->make(SearchIndex::class)->indexEntity(clone $this);
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function refreshSlug(): string
+    {
+        $this->slug = app()->make(SlugGenerator::class)->generate($this, $this->name);
+
+        return $this->slug;
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -430,14 +441,6 @@ abstract class Entity extends Model implements
         return $this->morphMany(Watch::class, 'watchable');
     }
 
-    /**
-     * Get the related slug history for this entity.
-     */
-    public function slugHistory(): MorphMany
-    {
-        return $this->morphMany(SlugHistory::class, 'sluggable');
-    }
-
     /**
      * {@inheritdoc}
      */

app/Entities/Models/EntityScope.php

@@ -15,12 +15,11 @@ class EntityScope implements Scope
     public function apply(Builder $builder, Model $model): void
     {
         $builder = $builder->where('type', '=', $model->getMorphClass());
-        $table = $model->getTable();
         if ($model instanceof Page) {
-            $builder->leftJoin('entity_page_data', 'entity_page_data.page_id', '=', "{$table}.id");
+            $builder->leftJoin('entity_page_data', 'entity_page_data.page_id', '=', 'entities.id');
         } else {
-            $builder->leftJoin('entity_container_data', function (JoinClause $join) use ($model, $table) {
-                $join->on('entity_container_data.entity_id', '=', "{$table}.id")
+            $builder->leftJoin('entity_container_data', function (JoinClause $join) use ($model) {
+                $join->on('entity_container_data.entity_id', '=', 'entities.id')
                     ->where('entity_container_data.entity_type', '=', $model->getMorphClass());
             });
         }

app/Entities/Models/Page.php

@@ -124,14 +124,6 @@ class Page extends BookChild
         return url('/' . implode('/', $parts));
     }
 
-    /**
-     * Get the ID-based permalink for this page.
-     */
-    public function getPermalink(): string
-    {
-        return url("/link/{$this->id}");
-    }
-
     /**
      * Get this page for JSON display.
      */

app/Entities/Models/SlugHistory.php

@@ -1,28 +0,0 @@
-<?php
-
-namespace BookStack\Entities\Models;
-
-use BookStack\App\Model;
-use BookStack\Permissions\Models\JointPermission;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Relations\HasMany;
-
-/**
- * @property int $id
- * @property int $sluggable_id
- * @property string $sluggable_type
- * @property string $slug
- * @property ?string $parent_slug
- */
-class SlugHistory extends Model
-{
-    use HasFactory;
-
-    protected $table = 'slug_history';
-
-    public function jointPermissions(): HasMany
-    {
-        return $this->hasMany(JointPermission::class, 'entity_id', 'sluggable_id')
-            ->whereColumn('joint_permissions.entity_type', '=', 'slug_history.sluggable_type');
-    }
-}

app/Entities/Queries/EntityQueries.php

@@ -4,7 +4,6 @@ namespace BookStack\Entities\Queries;
 
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\EntityTable;
-use BookStack\Entities\Tools\SlugHistory;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Query\Builder as QueryBuilder;
 use Illuminate\Database\Query\JoinClause;
@@ -19,7 +18,6 @@ class EntityQueries
         public ChapterQueries $chapters,
         public PageQueries $pages,
         public PageRevisionQueries $revisions,
-        protected SlugHistory $slugHistory,
     ) {
     }
 
@@ -33,30 +31,9 @@ class EntityQueries
         $explodedId = explode(':', $identifier);
         $entityType = $explodedId[0];
         $entityId = intval($explodedId[1]);
+        $queries = $this->getQueriesForType($entityType);
 
-        return $this->findVisibleById($entityType, $entityId);
-    }
-
-    /**
-     * Find an entity by its ID.
-     */
-    public function findVisibleById(string $type, int $id): ?Entity
-    {
-        $queries = $this->getQueriesForType($type);
-        return $queries->findVisibleById($id);
-    }
-
-    /**
-     * Find an entity by looking up old slugs in the slug history.
-     */
-    public function findVisibleByOldSlugs(string $type, string $slug, string $parentSlug = ''): ?Entity
-    {
-        $id = $this->slugHistory->lookupEntityIdUsingSlugs($type, $slug, $parentSlug);
-        if ($id === null) {
-            return null;
-        }
-
-        return $this->findVisibleById($type, $id);
+        return $queries->findVisibleById($entityId);
     }
 
     /**

app/Entities/Repos/BaseRepo.php

@@ -8,8 +8,6 @@ use BookStack\Entities\Models\HasCoverInterface;
 use BookStack\Entities\Models\HasDescriptionInterface;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\PageQueries;
-use BookStack\Entities\Tools\SlugGenerator;
-use BookStack\Entities\Tools\SlugHistory;
 use BookStack\Exceptions\ImageUploadException;
 use BookStack\References\ReferenceStore;
 use BookStack\References\ReferenceUpdater;
@@ -27,8 +25,6 @@ class BaseRepo
         protected ReferenceStore $referenceStore,
         protected PageQueries $pageQueries,
         protected BookSorter $bookSorter,
-        protected SlugGenerator $slugGenerator,
-        protected SlugHistory $slugHistory,
     ) {
     }
 
@@ -47,7 +43,7 @@ class BaseRepo
             'updated_by' => user()->id,
             'owned_by'   => user()->id,
         ]);
-        $this->refreshSlug($entity);
+        $entity->refreshSlug();
 
         if ($entity instanceof HasDescriptionInterface) {
             $this->updateDescription($entity, $input);
@@ -82,7 +78,7 @@ class BaseRepo
         $entity->updated_by = user()->id;
 
         if ($entity->isDirty('name') || empty($entity->slug)) {
-            $this->refreshSlug($entity);
+            $entity->refreshSlug();
         }
 
         if ($entity instanceof HasDescriptionInterface) {
@@ -159,13 +155,4 @@ class BaseRepo
             $entity->descriptionInfo()->set('', $input['description']);
         }
     }
-
-    /**
-     * Refresh the slug for the given entity.
-     */
-    public function refreshSlug(Entity $entity): void
-    {
-        $this->slugHistory->recordForEntity($entity);
-        $this->slugGenerator->regenerateForEntity($entity);
-    }
 }

app/Entities/Repos/ChapterRepo.php

@@ -7,7 +7,6 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\BookContents;
-use BookStack\Entities\Tools\ParentChanger;
 use BookStack\Entities\Tools\TrashCan;
 use BookStack\Exceptions\MoveOperationException;
 use BookStack\Exceptions\PermissionsException;
@@ -22,7 +21,6 @@ class ChapterRepo
         protected BaseRepo $baseRepo,
         protected EntityQueries $entityQueries,
         protected TrashCan $trashCan,
-        protected ParentChanger $parentChanger,
     ) {
     }
 
@@ -99,7 +97,7 @@ class ChapterRepo
         }
 
         return (new DatabaseTransaction(function () use ($chapter, $parent) {
-            $this->parentChanger->changeBook($chapter, $parent->id);
+            $chapter = $chapter->changeBook($parent->id);
             $chapter->rebuildPermissions();
             Activity::add(ActivityType::CHAPTER_MOVE, $chapter);
 

app/Entities/Repos/PageRepo.php

@@ -12,7 +12,6 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Entities\Tools\PageContent;
 use BookStack\Entities\Tools\PageEditorType;
-use BookStack\Entities\Tools\ParentChanger;
 use BookStack\Entities\Tools\TrashCan;
 use BookStack\Exceptions\MoveOperationException;
 use BookStack\Exceptions\PermissionsException;
@@ -32,7 +31,6 @@ class PageRepo
         protected ReferenceStore $referenceStore,
         protected ReferenceUpdater $referenceUpdater,
         protected TrashCan $trashCan,
-        protected ParentChanger $parentChanger,
     ) {
     }
 
@@ -244,7 +242,7 @@ class PageRepo
         }
 
         $page->updated_by = user()->id;
-        $this->baseRepo->refreshSlug($page);
+        $page->refreshSlug();
         $page->save();
         $page->indexForSearch();
         $this->referenceStore->updateForEntity($page);
@@ -286,7 +284,7 @@ class PageRepo
         return (new DatabaseTransaction(function () use ($page, $parent) {
             $page->chapter_id = ($parent instanceof Chapter) ? $parent->id : null;
             $newBookId = ($parent instanceof Chapter) ? $parent->book->id : $parent->id;
-            $this->parentChanger->changeBook($page, $newBookId);
+            $page = $page->changeBook($newBookId);
             $page->rebuildPermissions();
 
             Activity::add(ActivityType::PAGE_MOVE, $page);

app/Entities/Tools/Cloner.php

@@ -13,47 +13,30 @@ use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Repos\ChapterRepo;
 use BookStack\Entities\Repos\PageRepo;
 use BookStack\Permissions\Permission;
-use BookStack\References\ReferenceChangeContext;
-use BookStack\References\ReferenceUpdater;
 use BookStack\Uploads\Image;
 use BookStack\Uploads\ImageService;
 use Illuminate\Http\UploadedFile;
 
 class Cloner
 {
-    protected ReferenceChangeContext $referenceChangeContext;
-
     public function __construct(
         protected PageRepo $pageRepo,
         protected ChapterRepo $chapterRepo,
         protected BookRepo $bookRepo,
         protected ImageService $imageService,
-        protected ReferenceUpdater $referenceUpdater,
     ) {
-        $this->referenceChangeContext = new ReferenceChangeContext();
     }
 
     /**
      * Clone the given page into the given parent using the provided name.
      */
     public function clonePage(Page $original, Entity $parent, string $newName): Page
-    {
-        $context = $this->newReferenceChangeContext();
-        $page = $this->createPageClone($original, $parent, $newName);
-        $this->referenceUpdater->changeReferencesUsingContext($context);
-        return $page;
-    }
-
-    protected function createPageClone(Page $original, Entity $parent, string $newName): Page
     {
         $copyPage = $this->pageRepo->getNewDraftPage($parent);
         $pageData = $this->entityToInputData($original);
         $pageData['name'] = $newName;
 
-        $newPage = $this->pageRepo->publishDraft($copyPage, $pageData);
-        $this->referenceChangeContext->add($original, $newPage);
-
-        return $newPage;
+        return $this->pageRepo->publishDraft($copyPage, $pageData);
     }
 
     /**
@@ -61,14 +44,6 @@ class Cloner
      * Clones all child pages.
      */
     public function cloneChapter(Chapter $original, Book $parent, string $newName): Chapter
-    {
-        $context = $this->newReferenceChangeContext();
-        $chapter = $this->createChapterClone($original, $parent, $newName);
-        $this->referenceUpdater->changeReferencesUsingContext($context);
-        return $chapter;
-    }
-
-    protected function createChapterClone(Chapter $original, Book $parent, string $newName): Chapter
     {
         $chapterDetails = $this->entityToInputData($original);
         $chapterDetails['name'] = $newName;
@@ -78,12 +53,10 @@ class Cloner
         if (userCan(Permission::PageCreate, $copyChapter)) {
             /** @var Page $page */
             foreach ($original->getVisiblePages() as $page) {
-                $this->createPageClone($page, $copyChapter, $page->name);
+                $this->clonePage($page, $copyChapter, $page->name);
             }
         }
 
-        $this->referenceChangeContext->add($original, $copyChapter);
-
         return $copyChapter;
     }
 
@@ -92,14 +65,6 @@ class Cloner
      * Clones all child chapters and pages.
      */
     public function cloneBook(Book $original, string $newName): Book
-    {
-        $context = $this->newReferenceChangeContext();
-        $book = $this->createBookClone($original, $newName);
-        $this->referenceUpdater->changeReferencesUsingContext($context);
-        return $book;
-    }
-
-    protected function createBookClone(Book $original, string $newName): Book
     {
         $bookDetails = $this->entityToInputData($original);
         $bookDetails['name'] = $newName;
@@ -111,11 +76,11 @@ class Cloner
         $directChildren = $original->getDirectVisibleChildren();
         foreach ($directChildren as $child) {
             if ($child instanceof Chapter && userCan(Permission::ChapterCreate, $copyBook)) {
-                $this->createChapterClone($child, $copyBook, $child->name);
+                $this->cloneChapter($child, $copyBook, $child->name);
             }
 
             if ($child instanceof Page && !$child->draft && userCan(Permission::PageCreate, $copyBook)) {
-                $this->createPageClone($child, $copyBook, $child->name);
+                $this->clonePage($child, $copyBook, $child->name);
             }
         }
 
@@ -127,8 +92,6 @@ class Cloner
             }
         }
 
-        $this->referenceChangeContext->add($original, $copyBook);
-
         return $copyBook;
     }
 
@@ -192,10 +155,4 @@ class Cloner
 
         return $tags;
     }
-
-    protected function newReferenceChangeContext(): ReferenceChangeContext
-    {
-        $this->referenceChangeContext = new ReferenceChangeContext();
-        return $this->referenceChangeContext;
-    }
 }

app/Entities/Tools/EntityHtmlDescription.php

@@ -6,7 +6,6 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 
 class EntityHtmlDescription
 {
@@ -51,8 +50,7 @@ class EntityHtmlDescription
             return $html;
         }
 
-        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
-        return $filter->filterString($html);
+        return HtmlContentFilter::removeScriptsFromHtmlString($html);
     }
 
     public function getPlain(): string

app/Entities/Tools/HierarchyTransformer.php

@@ -17,8 +17,7 @@ class HierarchyTransformer
         protected BookRepo $bookRepo,
         protected BookshelfRepo $shelfRepo,
         protected Cloner $cloner,
-        protected TrashCan $trashCan,
-        protected ParentChanger $parentChanger,
+        protected TrashCan $trashCan
     ) {
     }
 
@@ -36,7 +35,7 @@ class HierarchyTransformer
         foreach ($chapter->pages as $page) {
             $page->chapter_id = 0;
             $page->save();
-            $this->parentChanger->changeBook($page, $book->id);
+            $page->changeBook($book->id);
         }
 
         $this->trashCan->destroyEntity($chapter);

app/Entities/Tools/PageContent.php

@@ -2,7 +2,6 @@
 
 namespace BookStack\Entities\Tools;
 
-use BookStack\App\AppVersion;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
@@ -14,7 +13,6 @@ use BookStack\Uploads\ImageRepo;
 use BookStack\Uploads\ImageService;
 use BookStack\Users\Models\User;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlDocument;
 use BookStack\Util\WebSafeMimeSniffer;
 use Closure;
@@ -319,30 +317,11 @@ class PageContent
             $this->updateIdsRecursively($doc->getBody(), 0, $idMap, $changeMap);
         }
 
-        $cacheKey = $this->getContentCacheKey($doc->getBodyInnerHtml());
-        $cached = cache()->get($cacheKey, null);
-        if ($cached !== null) {
-            return $cached;
+        if (!config('app.allow_content_scripts')) {
+            HtmlContentFilter::removeScriptsFromDocument($doc);
         }
 
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $filtered = $filter->filterDocument($doc);
-
-        $cacheTime = 86400 * 7; // 1 week
-        cache()->put($cacheKey, $filtered, $cacheTime);
-
-        return $filtered;
-    }
-
-    protected function getContentCacheKey(string $html): string
-    {
-        $contentHash = md5($html);
-        $contentId = $this->page->id;
-        $contentTime = $this->page->updated_at?->timestamp ?? time();
-        $appVersion = AppVersion::get();
-        $filterConfig = config('app.content_filtering') ?? '';
-        return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
+        return $doc->getBodyInnerHtml();
     }
 
     /**

app/Entities/Tools/PageEditorData.php

@@ -8,8 +8,6 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\Markdown\HtmlToMarkdown;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
 use BookStack\Permissions\Permission;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 
 class PageEditorData
 {
@@ -49,7 +47,6 @@ class PageEditorData
         $isDraftRevision = false;
         $this->warnings = [];
         $editActivity = new PageEditActivity($page);
-        $lastEditorId = $page->updated_by ?? user()->id;
 
         if ($editActivity->hasActiveEditing()) {
             $this->warnings[] = $editActivity->activeEditingMessage();
@@ -61,20 +58,11 @@ class PageEditorData
             $page->forceFill($userDraft->only(['name', 'html', 'markdown']));
             $isDraftRevision = true;
             $this->warnings[] = $editActivity->getEditingActiveDraftMessage($userDraft);
-            $lastEditorId = $userDraft->created_by;
         }
 
-        // Get editor type and handle changes
         $editorType = $this->getEditorType($page);
         $this->updateContentForEditor($page, $editorType);
 
-        // Filter HTML content if required
-        if ($editorType->isHtmlBased() && !old('html') && $lastEditorId !== user()->id) {
-            $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-            $filter = new HtmlContentFilter($filterConfig);
-            $page->html = $filter->filterString($page->html);
-        }
-
         return [
             'page'            => $page,
             'book'            => $page->book,

app/Entities/Tools/ParentChanger.php

@@ -1,40 +0,0 @@
-<?php
-
-namespace BookStack\Entities\Tools;
-
-use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Chapter;
-use BookStack\References\ReferenceUpdater;
-
-class ParentChanger
-{
-    public function __construct(
-        protected SlugGenerator $slugGenerator,
-        protected ReferenceUpdater $referenceUpdater
-    ) {
-    }
-
-    /**
-     * Change the parent book of a chapter or page.
-     */
-    public function changeBook(BookChild $child, int $newBookId): void
-    {
-        $oldUrl = $child->getUrl();
-
-        $child->book_id = $newBookId;
-        $child->unsetRelation('book');
-        $this->slugGenerator->regenerateForEntity($child);
-        $child->save();
-
-        if ($oldUrl !== $child->getUrl()) {
-            $this->referenceUpdater->updateEntityReferences($child, $oldUrl);
-        }
-
-        // Update all child pages if a chapter
-        if ($child instanceof Chapter) {
-            foreach ($child->pages()->withTrashed()->get() as $page) {
-                $this->changeBook($page, $newBookId);
-            }
-        }
-    }
-}

app/Entities/Tools/SlugGenerator.php

@@ -5,14 +5,12 @@ namespace BookStack\Entities\Tools;
 use BookStack\App\Model;
 use BookStack\App\SluggableInterface;
 use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Entity;
-use BookStack\Users\Models\User;
 use Illuminate\Support\Str;
 
 class SlugGenerator
 {
     /**
-     * Generate a fresh slug for the given item.
+     * Generate a fresh slug for the given entity.
      * The slug will be generated so that it doesn't conflict within the same parent item.
      */
     public function generate(SluggableInterface&Model $model, string $slugSource): string
@@ -25,26 +23,6 @@ class SlugGenerator
         return $slug;
     }
 
-    /**
-     * Regenerate the slug for the given entity.
-     */
-    public function regenerateForEntity(Entity $entity): string
-    {
-        $entity->slug = $this->generate($entity, $entity->name);
-
-        return $entity->slug;
-    }
-
-    /**
-     * Regenerate the slug for a user.
-     */
-    public function regenerateForUser(User $user): string
-    {
-        $user->slug = $this->generate($user, $user->name);
-
-        return $user->slug;
-    }
-
     /**
      * Format a name as a URL slug.
      */

app/Entities/Tools/SlugHistory.php

@@ -1,97 +0,0 @@
-<?php
-
-namespace BookStack\Entities\Tools;
-
-use BookStack\Entities\Models\Book;
-use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Entity;
-use BookStack\Entities\Models\EntityTable;
-use BookStack\Entities\Models\SlugHistory as SlugHistoryModel;
-use BookStack\Permissions\PermissionApplicator;
-use Illuminate\Support\Facades\DB;
-
-class SlugHistory
-{
-    public function __construct(
-        protected PermissionApplicator $permissions,
-    ) {
-    }
-
-    /**
-     * Record the current slugs for the given entity.
-     */
-    public function recordForEntity(Entity $entity): void
-    {
-        if (!$entity->id || !$entity->slug) {
-            return;
-        }
-
-        $parentSlug = null;
-        if ($entity instanceof BookChild) {
-            $parentSlug = $entity->book()->first()?->slug;
-        }
-
-        $latest = $this->getLatestEntryForEntity($entity);
-        if ($latest && $latest->slug === $entity->slug && $latest->parent_slug === $parentSlug) {
-            return;
-        }
-
-        $info = [
-            'sluggable_type' => $entity->getMorphClass(),
-            'sluggable_id'   => $entity->id,
-            'slug'           => $entity->slug,
-            'parent_slug'    => $parentSlug,
-        ];
-
-        $entry = new SlugHistoryModel();
-        $entry->forceFill($info);
-        $entry->save();
-
-        if ($entity instanceof Book) {
-            $this->recordForBookChildren($entity);
-        }
-    }
-
-    protected function recordForBookChildren(Book $book): void
-    {
-        $query = EntityTable::query()
-            ->select(['type', 'id', 'slug', DB::raw("'{$book->slug}' as parent_slug"), DB::raw('now() as created_at'), DB::raw('now() as updated_at')])
-            ->where('book_id', '=', $book->id)
-            ->whereNotNull('book_id');
-
-        SlugHistoryModel::query()->insertUsing(
-            ['sluggable_type', 'sluggable_id', 'slug', 'parent_slug', 'created_at', 'updated_at'],
-            $query
-        );
-    }
-
-    /**
-     * Find the latest visible entry for an entity which uses the given slug(s) in the history.
-     */
-    public function lookupEntityIdUsingSlugs(string $type, string $slug, string $parentSlug = ''): ?int
-    {
-        $query = SlugHistoryModel::query()
-            ->where('sluggable_type', '=', $type)
-            ->where('slug', '=', $slug);
-
-        if ($parentSlug) {
-            $query->where('parent_slug', '=', $parentSlug);
-        }
-
-        $query = $this->permissions->restrictEntityRelationQuery($query, 'slug_history', 'sluggable_id', 'sluggable_type');
-
-        /** @var SlugHistoryModel|null $result */
-        $result = $query->orderBy('created_at', 'desc')->first();
-
-        return $result?->sluggable_id;
-    }
-
-    protected function getLatestEntryForEntity(Entity $entity): SlugHistoryModel|null
-    {
-        return SlugHistoryModel::query()
-            ->where('sluggable_type', '=', $entity->getMorphClass())
-            ->where('sluggable_id', '=', $entity->id)
-            ->orderBy('created_at', 'desc')
-            ->first();
-    }
-}

app/Entities/Tools/TrashCan.php

@@ -388,7 +388,7 @@ class TrashCan
     /**
      * Update entity relations to remove or update outstanding connections.
      */
-    protected function destroyCommonRelations(Entity $entity): void
+    protected function destroyCommonRelations(Entity $entity)
     {
         Activity::removeEntity($entity);
         $entity->views()->delete();
@@ -402,7 +402,6 @@ class TrashCan
         $entity->watches()->delete();
         $entity->referencesTo()->delete();
         $entity->referencesFrom()->delete();
-        $entity->slugHistory()->delete();
 
         if ($entity instanceof HasCoverInterface && $entity->coverInfo()->exists()) {
             $imageService = app()->make(ImageService::class);

app/Exports/ZipExports/ZipExportReader.php

@@ -58,16 +58,6 @@ class ZipExportReader
     {
         $this->open();
 
-        $info = $this->zip->statName('data.json');
-        if ($info === false) {
-            throw new ZipExportException(trans('errors.import_zip_cant_decode_data'));
-        }
-
-        $maxSize = max(intval(config()->get('app.upload_limit')), 1) * 1000000;
-        if ($info['size'] > $maxSize) {
-            throw new ZipExportException(trans('errors.import_zip_data_too_large'));
-        }
-
         // Validate json data exists, including metadata
         $jsonData = $this->zip->getFromName('data.json') ?: '';
         $importData = json_decode($jsonData, true);
@@ -83,17 +73,6 @@ class ZipExportReader
         return $this->zip->statName("files/{$fileName}") !== false;
     }
 
-    public function fileWithinSizeLimit(string $fileName): bool
-    {
-        $fileInfo = $this->zip->statName("files/{$fileName}");
-        if ($fileInfo === false) {
-            return false;
-        }
-
-        $maxSize = max(intval(config()->get('app.upload_limit')), 1) * 1000000;
-        return $fileInfo['size'] <= $maxSize;
-    }
-
     /**
      * @return false|resource
      */

app/Exports/ZipExports/ZipExportReferences.php

@@ -15,7 +15,6 @@ use BookStack\Exports\ZipExports\Models\ZipExportPage;
 use BookStack\Permissions\Permission;
 use BookStack\Uploads\Attachment;
 use BookStack\Uploads\Image;
-use BookStack\Uploads\ImageService;
 
 class ZipExportReferences
 {
@@ -34,7 +33,6 @@ class ZipExportReferences
 
     public function __construct(
         protected ZipReferenceParser $parser,
-        protected ImageService $imageService,
     ) {
     }
 
@@ -135,17 +133,10 @@ class ZipExportReferences
                 return "[[bsexport:image:{$model->id}]]";
             }
 
-            // Get the page which we'll reference this image upon
+            // Find and include images if in visibility
             $page = $model->getPage();
-            $pageExportModel = null;
-            if ($page && isset($this->pages[$page->id])) {
-                $pageExportModel = $this->pages[$page->id];
-            } elseif ($exportModel instanceof ZipExportPage) {
-                $pageExportModel = $exportModel;
-            }
-
-            // Add the image to the export if it's accessible or just return the existing reference if already added
-            if (isset($this->images[$model->id]) || ($pageExportModel && $this->imageService->imageAccessible($model))) {
+            $pageExportModel = $this->pages[$page->id] ?? ($exportModel instanceof ZipExportPage ? $exportModel : null);
+            if (isset($this->images[$model->id]) || ($page && $pageExportModel && userCan(Permission::PageView, $page))) {
                 if (!isset($this->images[$model->id])) {
                     $exportImage = ZipExportImage::fromModel($model, $files);
                     $this->images[$model->id] = $exportImage;
@@ -153,7 +144,6 @@ class ZipExportReferences
                 }
                 return "[[bsexport:image:{$model->id}]]";
             }
-
             return null;
         }
 

app/Exports/ZipExports/ZipFileReferenceRule.php

@@ -13,6 +13,7 @@ class ZipFileReferenceRule implements ValidationRule
     ) {
     }
 
+
     /**
      * @inheritDoc
      */
@@ -22,13 +23,6 @@ class ZipFileReferenceRule implements ValidationRule
             $fail('validation.zip_file')->translate();
         }
 
-        if (!$this->context->zipReader->fileWithinSizeLimit($value)) {
-            $fail('validation.zip_file_size')->translate([
-                'attribute' => $value,
-                'size' => config('app.upload_limit'),
-            ]);
-        }
-
         if (!empty($this->acceptedMimes)) {
             $fileMime = $this->context->zipReader->sniffFileMime($value);
             if (!in_array($fileMime, $this->acceptedMimes)) {

app/Exports/ZipExports/ZipImportRunner.php

@@ -265,12 +265,6 @@ class ZipImportRunner
 
     protected function zipFileToUploadedFile(string $fileName, ZipExportReader $reader): UploadedFile
     {
-        if (!$reader->fileWithinSizeLimit($fileName)) {
-            throw new ZipImportException([
-                "File $fileName exceeds app upload limit."
-            ]);
-        }
-
         $tempPath = tempnam(sys_get_temp_dir(), 'bszipextract');
         $fileStream = $reader->streamFile($fileName);
         $tempStream = fopen($tempPath, 'wb');

app/Http/Middleware/ApiAuthenticate.php

@@ -17,7 +17,7 @@ class ApiAuthenticate
     public function handle(Request $request, Closure $next)
     {
         // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken($request);
+        $this->ensureAuthorizedBySessionOrToken();
 
         return $next($request);
     }
@@ -28,28 +28,22 @@ class ApiAuthenticate
      *
      * @throws ApiAuthException
      */
-    protected function ensureAuthorizedBySessionOrToken(Request $request): void
+    protected function ensureAuthorizedBySessionOrToken(): void
     {
-        // Use the active user session already exists.
-        // This is to make it easy to explore API endpoints via the UI.
-        if (session()->isStarted()) {
-            // Ensure the user has API access permission
+        // Return if the user is already found to be signed in via session-based auth.
+        // This is to make it easy to browser the API via browser after just logging into the system.
+        if (!user()->isGuest() || session()->isStarted()) {
             if (!$this->sessionUserHasApiAccess()) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
 
-            // Only allow GET requests for cookie-based API usage
-            if ($request->method() !== 'GET') {
-                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
-            }
-
             return;
         }
 
         // Set our api guard to be the default for this request lifecycle.
         auth()->shouldUse('api');
 
-        // Validate the token and its users API access
+        // Validate the token and it's users API access
         auth()->authenticate();
     }
 

app/Http/Middleware/StartSessionExtended.php

@@ -14,10 +14,7 @@ use Illuminate\Session\Middleware\StartSession as Middleware;
 class StartSessionExtended extends Middleware
 {
     protected static array $pathPrefixesExcludedFromHistory = [
-        'uploads/images/',
-        'dist/',
-        'manifest.json',
-        'opensearch.xml',
+        'uploads/images/'
     ];
 
     /**

app/References/ReferenceChangeContext.php

@@ -1,45 +0,0 @@
-<?php
-
-namespace BookStack\References;
-
-use BookStack\Entities\Models\Entity;
-
-class ReferenceChangeContext
-{
-    /**
-     * Entity pairs where the first is the old entity and the second is the new entity.
-     * @var array<array{0: Entity, 1: Entity}>
-     */
-    protected array $changes = [];
-
-    public function add(Entity $oldEntity, Entity $newEntity): void
-    {
-        $this->changes[] = [$oldEntity, $newEntity];
-    }
-
-    /**
-     * Get all the new entities from the changes.
-     */
-    public function getNewEntities(): array
-    {
-        return array_column($this->changes, 1);
-    }
-
-    /**
-     * Get all the old entities from the changes.
-     */
-    public function getOldEntities(): array
-    {
-        return array_column($this->changes, 0);
-    }
-
-    public function getNewForOld(Entity $oldEntity): ?Entity
-    {
-        foreach ($this->changes as [$old, $new]) {
-            if ($old->id === $oldEntity->id && $old->type === $oldEntity->type) {
-                return $new;
-            }
-        }
-        return null;
-    }
-}

app/References/ReferenceUpdater.php

@@ -5,6 +5,7 @@ namespace BookStack\References;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\HasDescriptionInterface;
 use BookStack\Entities\Models\Entity;
+use BookStack\Entities\Models\EntityContainerData;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Repos\RevisionRepo;
 use BookStack\Util\HtmlDocument;
@@ -29,47 +30,6 @@ class ReferenceUpdater
         }
     }
 
-    /**
-     * Change existing references for a range of entities using the given context.
-     */
-    public function changeReferencesUsingContext(ReferenceChangeContext $context): void
-    {
-        $bindings = [];
-        foreach ($context->getOldEntities() as $old) {
-            $bindings[] = $old->getMorphClass();
-            $bindings[] = $old->id;
-        }
-
-        // No targets to update within the context, so no need to continue.
-        if (count($bindings) < 2) {
-            return;
-        }
-
-        $toReferenceQuery = '(to_type, to_id) IN (' . rtrim(str_repeat('(?,?),', count($bindings) / 2), ',') . ')';
-
-        // Cycle each new entity in the context
-        foreach ($context->getNewEntities() as $new) {
-            // For each, get all references from it which lead to other items within the context of the change
-            $newReferencesInContext = $new->referencesFrom()->whereRaw($toReferenceQuery, $bindings)->get();
-            // For each reference, update the URL and the reference entry
-            foreach ($newReferencesInContext as $reference) {
-                $oldToEntity = $reference->to;
-                $newToEntity = $context->getNewForOld($oldToEntity);
-                if ($newToEntity === null) {
-                    continue;
-                }
-
-                $this->updateReferencesWithinEntity($new, $oldToEntity->getUrl(), $newToEntity->getUrl());
-                if ($newToEntity instanceof Page && $oldToEntity instanceof Page) {
-                    $this->updateReferencesWithinEntity($new, $oldToEntity->getPermalink(), $newToEntity->getPermalink());
-                }
-                $reference->to_id = $newToEntity->id;
-                $reference->to_type = $newToEntity->getMorphClass();
-                $reference->save();
-            }
-        }
-    }
-
     /**
      * @return Reference[]
      */

app/Search/SearchController.php

@@ -25,12 +25,11 @@ class SearchController extends Controller
         $searchOpts = SearchOptions::fromRequest($request);
         $fullSearchString = $searchOpts->toString();
         $page = intval($request->get('page', '0')) ?: 1;
-        $count = setting()->getInteger('lists-page-count-search', 18, 1, 1000);
 
-        $results = $this->searchRunner->searchEntities($searchOpts, 'all', $page, $count);
+        $results = $this->searchRunner->searchEntities($searchOpts, 'all', $page, 20);
         $formatter->format($results['results']->all(), $searchOpts);
-        $paginator = new LengthAwarePaginator($results['results'], $results['total'], $count, $page);
-        $paginator->setPath(url('/search'));
+        $paginator = new LengthAwarePaginator($results['results'], $results['total'], 20, $page);
+        $paginator->setPath('/search');
         $paginator->appends($request->except('page'));
 
         $this->setPageTitle(trans('entities.search_for_term', ['term' => $fullSearchString]));
@@ -78,9 +77,8 @@ class SearchController extends Controller
 
         // Search for entities otherwise show most popular
         if ($searchTerm !== false) {
-            $options = SearchOptions::fromString($searchTerm);
-            $options->setFilter('type', implode('|', $entityTypes));
-            $entities = $this->searchRunner->searchEntities($options, 'all', 1, 20)['results'];
+            $searchTerm .= ' {type:' . implode('|', $entityTypes) . '}';
+            $entities = $this->searchRunner->searchEntities(SearchOptions::fromString($searchTerm), 'all', 1, 20)['results'];
         } else {
             $entities = $queryPopular->run(20, 0, $entityTypes);
         }

app/Search/SearchIndex.php

@@ -126,7 +126,7 @@ class SearchIndex
         $termMap = $this->textToTermCountMap($text);
 
         foreach ($termMap as $term => $count) {
-            $termMap[$term] = intval($count * $scoreAdjustment);
+            $termMap[$term] = floor($count * $scoreAdjustment);
         }
 
         return $termMap;

app/Search/SearchOptionSet.php

@@ -82,12 +82,4 @@ class SearchOptionSet
         $values = array_values(array_filter($this->options, fn (SearchOption $option) => !$option->negated));
         return new self($values);
     }
-
-    /**
-     * @return self<T>
-     */
-    public function limit(int $limit): self
-    {
-        return new self(array_slice(array_values($this->options), 0, $limit));
-    }
 }

app/Search/SearchOptions.php

@@ -35,7 +35,6 @@ class SearchOptions
     {
         $instance = new self();
         $instance->addOptionsFromString($search);
-        $instance->limitOptions();
         return $instance;
     }
 
@@ -88,8 +87,6 @@ class SearchOptions
             $instance->filters = $instance->filters->merge($extras->filters);
         }
 
-        $instance->limitOptions();
-
         return $instance;
     }
 
@@ -150,25 +147,6 @@ class SearchOptions
         $this->filters = $this->filters->merge(new SearchOptionSet($terms['filters']));
     }
 
-    /**
-     * Limit the amount of search options to reasonable levels.
-     * Provides higher limits to logged-in users since that signals a slightly
-     * higher level of trust.
-     */
-    protected function limitOptions(): void
-    {
-        $userLoggedIn = !user()->isGuest();
-        $searchLimit = $userLoggedIn ? 10 : 5;
-        $exactLimit = $userLoggedIn ? 4 : 2;
-        $tagLimit = $userLoggedIn ? 8 : 4;
-        $filterLimit = $userLoggedIn ? 10 : 5;
-
-        $this->searches = $this->searches->limit($searchLimit);
-        $this->exacts = $this->exacts->limit($exactLimit);
-        $this->tags = $this->tags->limit($tagLimit);
-        $this->filters = $this->filters->limit($filterLimit);
-    }
-
     /**
      * Decode backslash escaping within the input string.
      */

app/Settings/AppSettingsStore.php

@@ -14,7 +14,7 @@ class AppSettingsStore
     ) {
     }
 
-    public function storeFromUpdateRequest(Request $request, string $category): void
+    public function storeFromUpdateRequest(Request $request, string $category)
     {
         $this->storeSimpleSettings($request);
         if ($category === 'customization') {
@@ -76,7 +76,7 @@ class AppSettingsStore
     protected function storeSimpleSettings(Request $request): void
     {
         foreach ($request->all() as $name => $value) {
-            if (!str_starts_with($name, 'setting-')) {
+            if (strpos($name, 'setting-') !== 0) {
                 continue;
             }
 
@@ -85,7 +85,7 @@ class AppSettingsStore
         }
     }
 
-    protected function destroyExistingSettingImage(string $settingKey): void
+    protected function destroyExistingSettingImage(string $settingKey)
     {
         $existingVal = setting()->get($settingKey);
         if ($existingVal) {

app/Settings/SettingService.php

@@ -28,21 +28,6 @@ class SettingService
         return $this->formatValue($value, $default);
     }
 
-    /**
-     * Get a setting from the database as an integer.
-     * Returns the default value if not found or not an integer, and clamps the value to the given min/max range.
-     */
-    public function getInteger(string $key, int $default, int $min = 0, int $max = PHP_INT_MAX): int
-    {
-        $value = $this->get($key, $default);
-        if (!is_numeric($value)) {
-            return $default;
-        }
-
-        $int = intval($value);
-        return max($min, min($max, $int));
-    }
-
     /**
      * Get a value from the session instead of the main store option.
      */

app/Settings/UserNotificationPreferences.php

@@ -26,14 +26,9 @@ class UserNotificationPreferences
         return $this->getNotificationSetting('comment-replies');
     }
 
-    public function notifyOnCommentMentions(): bool
-    {
-        return $this->getNotificationSetting('comment-mentions');
-    }
-
     public function updateFromSettingsArray(array $settings)
     {
-        $allowList = ['own-page-changes', 'own-page-comments', 'comment-replies', 'comment-mentions'];
+        $allowList = ['own-page-changes', 'own-page-comments', 'comment-replies'];
         foreach ($settings as $setting => $status) {
             if (!in_array($setting, $allowList)) {
                 continue;

app/Sorting/BookSorter.php

@@ -8,14 +8,12 @@ use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\EntityQueries;
-use BookStack\Entities\Tools\ParentChanger;
 use BookStack\Permissions\Permission;
 
 class BookSorter
 {
     public function __construct(
         protected EntityQueries $queries,
-        protected ParentChanger $parentChanger,
     ) {
     }
 
@@ -157,7 +155,7 @@ class BookSorter
 
         // Action the required changes
         if ($bookChanged) {
-            $this->parentChanger->changeBook($model, $newBook->id);
+            $model = $model->changeBook($newBook->id);
         }
 
         if ($model instanceof Page && $chapterChanged) {

app/Theming/CustomHtmlHeadContentProvider.php

@@ -4,16 +4,25 @@ namespace BookStack\Theming;
 
 use BookStack\Util\CspService;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlNonceApplicator;
 use Illuminate\Contracts\Cache\Repository as Cache;
 
 class CustomHtmlHeadContentProvider
 {
-    public function __construct(
-        protected CspService $cspService,
-        protected Cache $cache
-    ) {
+    /**
+     * @var CspService
+     */
+    protected $cspService;
+
+    /**
+     * @var Cache
+     */
+    protected $cache;
+
+    public function __construct(CspService $cspService, Cache $cache)
+    {
+        $this->cspService = $cspService;
+        $this->cache = $cache;
     }
 
     /**
@@ -41,8 +50,7 @@ class CustomHtmlHeadContentProvider
         $hash = md5($content);
 
         return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
-            $config = new HtmlContentFilterConfig(filterOutNonContentElements: false, useAllowListFilter: false);
-            return (new HtmlContentFilter($config))->filterString($content);
+            return HtmlContentFilter::removeScriptsFromHtmlString($content);
         });
     }
 

app/Uploads/Image.php

@@ -13,14 +13,14 @@ use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 
 /**
- * @property int      $id
- * @property string   $name
- * @property string   $url
- * @property string   $path
- * @property string   $type
- * @property int|null $uploaded_to
- * @property int      $created_by
- * @property int      $updated_by
+ * @property int    $id
+ * @property string $name
+ * @property string $url
+ * @property string $path
+ * @property string $type
+ * @property int    $uploaded_to
+ * @property int    $created_by
+ * @property int    $updated_by
  */
 class Image extends Model implements OwnableInterface
 {

app/Uploads/ImageResizer.php

@@ -55,7 +55,7 @@ class ImageResizer
 
     /**
      * Get the thumbnail for an image.
-     * If $keepRatio is true, only the width will be used.
+     * If $keepRatio is true only the width will be used.
      * Checks the cache then storage to avoid creating / accessing the filesystem on every check.
      *
      * @throws Exception
@@ -84,7 +84,7 @@ class ImageResizer
             return $this->storage->getPublicUrl($cachedThumbPath);
         }
 
-        // If a thumbnail has already been generated, serve that and cache path
+        // If thumbnail has already been generated, serve that and cache path
         $disk = $this->storage->getDisk($image->type);
         if (!$shouldCreate && $disk->exists($thumbFilePath)) {
             Cache::put($thumbCacheKey, $thumbFilePath, static::THUMBNAIL_CACHE_TIME);
@@ -110,7 +110,7 @@ class ImageResizer
     }
 
     /**
-     * Resize the image of given data to the specified size and return the new image data.
+     * Resize the image of given data to the specified size, and return the new image data.
      * Format will remain the same as the input format, unless specified.
      *
      * @throws ImageUploadException
@@ -125,7 +125,6 @@ class ImageResizer
         try {
             $thumb = $this->interventionFromImageData($imageData, $format);
         } catch (Exception $e) {
-            Log::error('Failed to resize image with error:' . $e->getMessage());
             throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
         }
 
@@ -155,21 +154,17 @@ class ImageResizer
 
     /**
      * Create an intervention image instance from the given image data.
-     * Performs some manual library usage to ensure the image is specifically loaded
+     * Performs some manual library usage to ensure image is specifically loaded
      * from given binary data instead of data being misinterpreted.
      */
     protected function interventionFromImageData(string $imageData, ?string $fileType): InterventionImage
     {
-        if (!extension_loaded('gd')) {
-            throw new ImageUploadException('The PHP "gd" extension is required to resize images, but is missing.');
-        }
-
         $manager = new ImageManager(
             new Driver(),
             autoOrientation: false,
         );
 
-        // Ensure GIF images are decoded natively instead of deferring to intervention GIF
+        // Ensure gif images are decoded natively instead of deferring to intervention GIF
         // handling since we don't need the added animation support.
         $isGif = $fileType === 'gif';
         $decoder = $isGif ? NativeObjectDecoder::class : BinaryImageDecoder::class;
@@ -228,7 +223,7 @@ class ImageResizer
     }
 
     /**
-     * Checks if the image is a GIF. Returns true if it is, else false.
+     * Checks if the image is a gif. Returns true if it is, else false.
      */
     protected function isGif(Image $image): bool
     {
@@ -255,7 +250,7 @@ class ImageResizer
 
     /**
      * Check if the given avif image data represents an animated image.
-     * This is based upon the answer here: https://stackoverflow.com/a/79457313
+     * This is based up the answer here: https://stackoverflow.com/a/79457313
      */
     protected function isAnimatedAvifData(string &$imageData): bool
     {

app/Uploads/ImageService.php

@@ -148,7 +148,7 @@ class ImageService
     }
 
     /**
-     * Destroy an image along with its revisions, thumbnails, and remaining folders.
+     * Destroy an image along with its revisions, thumbnails and remaining folders.
      *
      * @throws Exception
      */
@@ -252,7 +252,16 @@ class ImageService
     {
         $disk = $this->storage->getDisk('gallery');
 
-        return $disk->usingSecureImages() && $this->pathAccessible($imagePath);
+        if ($this->storage->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($imagePath)) {
+            return false;
+        }
+
+        // Check local_secure is active
+        return $disk->usingSecureImages()
+            // Check the image file exists
+            && $disk->exists($imagePath)
+            // Check the file is likely an image file
+            && str_starts_with($disk->mimeType($imagePath), 'image/');
     }
 
     /**
@@ -260,51 +269,16 @@ class ImageService
      */
     public function pathAccessible(string $imagePath): bool
     {
+        $disk = $this->storage->getDisk('gallery');
+
         if ($this->storage->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($imagePath)) {
             return false;
         }
 
-        if ($this->blockedBySecureImages()) {
-            return false;
-        }
-
-        return $this->imageFileExists($imagePath, 'gallery');
-    }
-
-    /**
-     * Check if the given image should be accessible to the current user.
-     */
-    public function imageAccessible(Image $image): bool
-    {
-        if ($this->storage->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImage($image)) {
-            return false;
-        }
-
-        if ($this->blockedBySecureImages()) {
-            return false;
-        }
-
-        return $this->imageFileExists($image->path, $image->type);
-    }
-
-    /**
-     * Check if the current user should be blocked from accessing images based on if secure images are enabled
-     * and if public access is enabled for the application.
-     */
-    protected function blockedBySecureImages(): bool
-    {
-        $enforced = $this->storage->usingSecureImages() && !setting('app-public');
-
-        return $enforced && user()->isGuest();
-    }
-
-    /**
-     * Check if the given image path exists for the given image type and that it is likely an image file.
-     */
-    protected function imageFileExists(string $imagePath, string $imageType): bool
-    {
-        $disk = $this->storage->getDisk($imageType);
-        return $disk->exists($imagePath) && str_starts_with($disk->mimeType($imagePath), 'image/');
+        // Check local_secure is active
+        return $disk->exists($imagePath)
+            // Check the file is likely an image file
+            && str_starts_with($disk->mimeType($imagePath), 'image/');
     }
 
     /**
@@ -333,11 +307,6 @@ class ImageService
             return false;
         }
 
-        return $this->checkUserHasAccessToRelationOfImage($image);
-    }
-
-    protected function checkUserHasAccessToRelationOfImage(Image $image): bool
-    {
         $imageType = $image->type;
 
         // Allow user or system (logo) images

app/Uploads/ImageStorage.php

@@ -34,15 +34,6 @@ class ImageStorage
         return config('filesystems.images') === 'local_secure_restricted';
     }
 
-    /**
-     * Check if "local secure" (Fetched behind auth, either with or without permissions enforced)
-     * is currently active in the instance.
-     */
-    public function usingSecureImages(): bool
-    {
-        return config('filesystems.images') === 'local_secure' || $this->usingSecureRestrictedImages();
-    }
-
     /**
      * Clean up an image file name to be both URL and storage safe.
      */
@@ -74,7 +65,7 @@ class ImageStorage
             return 'local';
         }
 
-        // Rename local_secure options to get our image-specific storage driver, which
+        // Rename local_secure options to get our image specific storage driver which
         // is scoped to the relevant image directories.
         if ($localSecureInUse) {
             return 'local_secure_images';

app/Users/Controllers/UserSearchController.php

@@ -5,7 +5,6 @@ namespace BookStack\Users\Controllers;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\Users\Models\User;
-use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\Request;
 
 class UserSearchController extends Controller
@@ -35,43 +34,8 @@ class UserSearchController extends Controller
             $query->where('name', 'like', '%' . $search . '%');
         }
 
-        /** @var Collection<User> $users */
-        $users = $query->get();
-
         return view('form.user-select-list', [
-            'users' => $users,
-        ]);
-    }
-
-    /**
-     * Search users in the system, with the response formatted
-     * for use in a list of mentions.
-     */
-    public function forMentions(Request $request)
-    {
-        $hasPermission = !user()->isGuest() && (
-                userCan(Permission::CommentCreateAll)
-                || userCan(Permission::CommentUpdate)
-            );
-
-        if (!$hasPermission) {
-            $this->showPermissionError();
-        }
-
-        $search = $request->get('search', '');
-        $query = User::query()
-            ->orderBy('name', 'asc')
-            ->take(20);
-
-        if (!empty($search)) {
-            $query->where('name', 'like', '%' . $search . '%');
-        }
-
-        /** @var Collection<User> $users */
-        $users = $query->get();
-
-        return view('form.user-mention-list', [
-            'users' => $users,
+            'users' => $query->get(),
         ]);
     }
 }

app/Users/Models/User.php

@@ -11,6 +11,7 @@ use BookStack\Activity\Models\Watch;
 use BookStack\Api\ApiToken;
 use BookStack\App\Model;
 use BookStack\App\SluggableInterface;
+use BookStack\Entities\Tools\SlugGenerator;
 use BookStack\Permissions\Permission;
 use BookStack\Translation\LocaleDefinition;
 use BookStack\Translation\LocaleManager;
@@ -357,4 +358,14 @@ class User extends Model implements AuthenticatableContract, CanResetPasswordCon
     {
         return "({$this->id}) {$this->name}";
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function refreshSlug(): string
+    {
+        $this->slug = app()->make(SlugGenerator::class)->generate($this, $this->name);
+
+        return $this->slug;
+    }
 }

app/Users/UserRepo.php

@@ -5,7 +5,6 @@ namespace BookStack\Users;
 use BookStack\Access\UserInviteException;
 use BookStack\Access\UserInviteService;
 use BookStack\Activity\ActivityType;
-use BookStack\Entities\Tools\SlugGenerator;
 use BookStack\Exceptions\NotifyException;
 use BookStack\Exceptions\UserUpdateException;
 use BookStack\Facades\Activity;
@@ -22,8 +21,7 @@ class UserRepo
 {
     public function __construct(
         protected UserAvatars $userAvatar,
-        protected UserInviteService $inviteService,
-        protected SlugGenerator $slugGenerator,
+        protected UserInviteService $inviteService
     ) {
     }
 
@@ -65,7 +63,7 @@ class UserRepo
         $user->email_confirmed = $emailConfirmed;
         $user->external_auth_id = $data['external_auth_id'] ?? '';
 
-        $this->slugGenerator->regenerateForUser($user);
+        $user->refreshSlug();
         $user->save();
 
         if (!empty($data['language'])) {
@@ -111,7 +109,7 @@ class UserRepo
     {
         if (!empty($data['name'])) {
             $user->name = $data['name'];
-            $this->slugGenerator->regenerateForUser($user);
+            $user->refreshSlug();
         }
 
         if (!empty($data['email']) && $manageUsersAllowed) {

app/Util/ConfiguredHtmlPurifier.php

@@ -1,143 +0,0 @@
-<?php
-
-namespace BookStack\Util;
-
-use BookStack\App\AppVersion;
-use HTMLPurifier;
-use HTMLPurifier_Config;
-use HTMLPurifier_DefinitionCache_Serializer;
-use HTMLPurifier_HTML5Config;
-use HTMLPurifier_HTMLDefinition;
-
-/**
- * Provides a configured HTML Purifier instance.
- * https://github.com/ezyang/htmlpurifier
- * Also uses this to extend support to HTML5 elements:
- * https://github.com/xemlock/htmlpurifier-html5
- */
-class ConfiguredHtmlPurifier
-{
-    protected HTMLPurifier $purifier;
-    protected static bool $cachedChecked = false;
-
-    public function __construct()
-    {
-        // This is done by the web-server at run-time, with the existing
-        // storage/framework/cache folder to ensure we're using a server-writable folder.
-        $cachePath = storage_path('framework/cache/purifier');
-        $this->createCacheFolderIfNeeded($cachePath);
-
-        $config = HTMLPurifier_HTML5Config::createDefault();
-        $this->setConfig($config, $cachePath);
-        $this->resetCacheIfNeeded($config);
-
-        $htmlDef = $config->getDefinition('HTML', true, true);
-        if ($htmlDef instanceof HTMLPurifier_HTMLDefinition) {
-            $this->configureDefinition($htmlDef);
-        }
-
-        $this->purifier = new HTMLPurifier($config);
-    }
-
-    protected function createCacheFolderIfNeeded(string $cachePath): void
-    {
-        if (!file_exists($cachePath)) {
-            mkdir($cachePath, 0777, true);
-        }
-    }
-
-    protected function resetCacheIfNeeded(HTMLPurifier_Config $config): void
-    {
-        if (self::$cachedChecked) {
-            return;
-        }
-
-        $cachedForVersion = cache('htmlpurifier::cache-version');
-        $appVersion = AppVersion::get();
-        if ($cachedForVersion !== $appVersion) {
-            foreach (['HTML', 'CSS', 'URI'] as $name) {
-                $cache = new HTMLPurifier_DefinitionCache_Serializer($name);
-                $cache->flush($config);
-            }
-            cache()->set('htmlpurifier::cache-version', $appVersion);
-        }
-
-        self::$cachedChecked = true;
-    }
-
-    protected function setConfig(HTMLPurifier_Config $config, string $cachePath): void
-    {
-        $config->set('Cache.SerializerPath', $cachePath);
-        $config->set('Core.AllowHostnameUnderscore', true);
-        $config->set('CSS.AllowTricky', true);
-        $config->set('HTML.SafeIframe', true);
-        $config->set('Attr.EnableID', true);
-        $config->set('Attr.ID.HTML5', true);
-        $config->set('Output.FixInnerHTML', false);
-        $config->set('URI.SafeIframeRegexp', '%^(http://|https://|//)%');
-        $config->set('URI.AllowedSchemes', [
-            'http' => true,
-            'https' => true,
-            'mailto' => true,
-            'ftp' => true,
-            'nntp' => true,
-            'news' => true,
-            'tel' => true,
-            'file' => true,
-        ]);
-
-         // $config->set('Cache.DefinitionImpl', null); // Disable cache during testing
-    }
-
-    public function configureDefinition(HTMLPurifier_HTMLDefinition $definition): void
-    {
-        // Allow the object element
-        $definition->addElement(
-            'object',
-            'Inline',
-            'Flow',
-            'Common',
-            [
-                'data'   => 'URI',
-                'type'   => 'Text',
-                'width'  => 'Length',
-                'height' => 'Length',
-            ]
-        );
-
-        // Allow the embed element
-        $definition->addElement(
-            'embed',
-            'Inline',
-            'Empty',
-            'Common',
-            [
-                'src'   => 'URI',
-                'type'   => 'Text',
-                'width'  => 'Length',
-                'height' => 'Length',
-            ]
-        );
-
-        // Allow checkbox inputs
-        $definition->addElement(
-            'input',
-            'Formctrl',
-            'Empty',
-            'Common',
-            [
-                'checked' => 'Bool#checked',
-                'disabled' => 'Bool#disabled',
-                'name' => 'Text',
-                'readonly' => 'Bool#readonly',
-                'type' => 'Enum#checkbox',
-                'value' => 'Text',
-            ]
-        );
-    }
-
-    public function purify(string $html): string
-    {
-        return $this->purifier->purify($html);
-    }
-}

app/Util/CspService.php

@@ -65,7 +65,7 @@ class CspService
      */
     protected function getScriptSrc(): string
     {
-        if ($this->scriptFilteringDisabled()) {
+        if (config('app.allow_content_scripts')) {
             return '';
         }
 
@@ -108,7 +108,7 @@ class CspService
      */
     protected function getObjectSrc(): string
     {
-        if ($this->scriptFilteringDisabled()) {
+        if (config('app.allow_content_scripts')) {
             return '';
         }
 
@@ -124,11 +124,6 @@ class CspService
         return "base-uri 'self'";
     }
 
-    protected function scriptFilteringDisabled(): bool
-    {
-        return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
-    }
-
     protected function getAllowedIframeHosts(): array
     {
         $hosts = config('app.iframe_hosts') ?? '';

app/Util/HtmlContentFilter.php

@@ -8,46 +8,10 @@ use DOMNodeList;
 
 class HtmlContentFilter
 {
-    public function __construct(
-        protected HtmlContentFilterConfig $config
-    ) {
-    }
-
-    public function filterDocument(HtmlDocument $doc): string
-    {
-        if ($this->config->filterOutJavaScript) {
-            $this->filterOutScriptsFromDocument($doc);
-        }
-        if ($this->config->filterOutFormElements) {
-            $this->filterOutFormElementsFromDocument($doc);
-        }
-        if ($this->config->filterOutBadHtmlElements) {
-            $this->filterOutBadHtmlElementsFromDocument($doc);
-        }
-        if ($this->config->filterOutNonContentElements) {
-            $this->filterOutNonContentElementsFromDocument($doc);
-        }
-
-        $filtered = $doc->getBodyInnerHtml();
-        if ($this->config->useAllowListFilter) {
-            $filtered = $this->applyAllowListFiltering($filtered);
-        }
-
-        return $filtered;
-    }
-
-    public function filterString(string $html): string
-    {
-        return $this->filterDocument(new HtmlDocument($html));
-    }
-
-    protected function applyAllowListFiltering(string $html): string
-    {
-        $purifier = new ConfiguredHtmlPurifier();
-        return $purifier->purify($html);
-    }
-
-    protected function filterOutScriptsFromDocument(HtmlDocument $doc): void
+    /**
+     * Remove all the script elements from the given HTML document.
+     */
+    public static function removeScriptsFromDocument(HtmlDocument $doc)
     {
         // Remove standard script tags
         $scriptElems = $doc->queryXPath('//script');
@@ -57,21 +21,21 @@ class HtmlContentFilter
         $badLinks = $doc->queryXPath('//*[' . static::xpathContains('@href', 'javascript:') . ']');
         static::removeNodes($badLinks);
 
-        // Remove elements with form-like attributes with calls to JavaScript URI
+        // Remove forms with calls to JavaScript URI
         $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
         static::removeNodes($badForms);
 
-        // Remove data or JavaScript iFrames & embeds
+        // Remove meta tag to prevent external redirects
+        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
+        static::removeNodes($metaTags);
+
+        // Remove data or JavaScript iFrames
         $badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
         static::removeNodes($badIframes);
 
-        // Remove data or JavaScript objects
-        $badObjects = $doc->queryXPath('//*[' . static::xpathContains('@data', 'data:') . '] | //*[' . static::xpathContains('@data', 'javascript:') . ']');
-        static::removeNodes($badObjects);
-
         // Remove attributes, within svg children, hiding JavaScript or data uris.
         // A bunch of svg element and attribute combinations expose xss possibilities.
-        // For example, SVG animate tag can exploit JavaScript in values.
+        // For example, SVG animate tag can exploit javascript in values.
         $badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
         static::removeAttributes($badValuesAttrs);
 
@@ -85,52 +49,23 @@ class HtmlContentFilter
         static::removeAttributes($onAttributes);
     }
 
-    protected function filterOutFormElementsFromDocument(HtmlDocument $doc): void
+    /**
+     * Remove scripts from the given HTML string.
+     */
+    public static function removeScriptsFromHtmlString(string $html): string
     {
-        // Remove form elements
-        $formElements = ['form', 'fieldset', 'button', 'textarea', 'select'];
-        foreach ($formElements as $formElement) {
-            $matchingFormElements = $doc->queryXPath('//' . $formElement);
-            static::removeNodes($matchingFormElements);
+        if (empty($html)) {
+            return $html;
         }
 
-        // Remove non-checkbox inputs
-        $inputsToRemove = $doc->queryXPath('//input');
-        /** @var DOMElement $input */
-        foreach ($inputsToRemove as $input) {
-            $type = strtolower($input->getAttribute('type'));
-            if ($type !== 'checkbox') {
-                $input->parentNode->removeChild($input);
-            }
-        }
+        $doc = new HtmlDocument($html);
+        static::removeScriptsFromDocument($doc);
 
-        // Remove form attributes
-        $formAttrs = ['form', 'formaction', 'formmethod', 'formtarget'];
-        foreach ($formAttrs as $formAttr) {
-            $matchingFormAttrs = $doc->queryXPath('//@' . $formAttr);
-            static::removeAttributes($matchingFormAttrs);
-        }
-    }
-
-    protected function filterOutBadHtmlElementsFromDocument(HtmlDocument $doc): void
-    {
-        // Remove meta tag to prevent external redirects
-        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
-        static::removeNodes($metaTags);
-    }
-
-    protected function filterOutNonContentElementsFromDocument(HtmlDocument $doc): void
-    {
-        // Remove non-content elements
-        $formElements = ['link', 'style', 'meta', 'title', 'template'];
-        foreach ($formElements as $formElement) {
-            $matchingFormElements = $doc->queryXPath('//' . $formElement);
-            static::removeNodes($matchingFormElements);
-        }
+        return $doc->getBodyInnerHtml();
     }
 
     /**
-     * Create an x-path 'contains' statement with a translation automatically built within
+     * Create a xpath contains statement with a translation automatically built within
      * to affectively search in a cases-insensitive manner.
      */
     protected static function xpathContains(string $property, string $value): string
@@ -164,34 +99,4 @@ class HtmlContentFilter
             $parentNode->removeAttribute($attrName);
         }
     }
-
-    /**
-     * Alias using the old method name to avoid potential compatibility breaks during patch release.
-     * To remove in future feature release.
-     * @deprecated Use filterDocument instead.
-     */
-    public static function removeScriptsFromDocument(HtmlDocument $doc): void
-    {
-        $config = new HtmlContentFilterConfig(
-            filterOutNonContentElements: false,
-            useAllowListFilter: false,
-        );
-        $filter = new self($config);
-        $filter->filterDocument($doc);
-    }
-
-    /**
-     * Alias using the old method name to avoid potential compatibility breaks during patch release.
-     * To remove in future feature release.
-     * @deprecated Use filterString instead.
-     */
-    public static function removeScriptsFromHtmlString(string $html): string
-    {
-        $config = new HtmlContentFilterConfig(
-            filterOutNonContentElements: false,
-            useAllowListFilter: false,
-        );
-        $filter = new self($config);
-        return $filter->filterString($html);
-    }
 }

app/Util/HtmlContentFilterConfig.php

@@ -1,31 +0,0 @@
-<?php
-
-namespace BookStack\Util;
-
-readonly class HtmlContentFilterConfig
-{
-    public function __construct(
-        public bool $filterOutJavaScript = true,
-        public bool $filterOutBadHtmlElements = true,
-        public bool $filterOutFormElements = true,
-        public bool $filterOutNonContentElements = true,
-        public bool $useAllowListFilter = true,
-    ) {
-    }
-
-    /**
-     * Create an instance from a config string, where the string
-     * is a combination of characters to enable filters.
-     */
-    public static function fromConfigString(string $config): self
-    {
-        $config = strtolower($config);
-        return new self(
-            filterOutJavaScript: str_contains($config, 'j'),
-            filterOutBadHtmlElements: str_contains($config, 'h'),
-            filterOutFormElements: str_contains($config, 'f'),
-            filterOutNonContentElements: str_contains($config, 'h'),
-            useAllowListFilter: str_contains($config, 'a'),
-        );
-    }
-}

app/Util/HtmlDescriptionFilter.php

@@ -19,7 +19,7 @@ class HtmlDescriptionFilter
      */
     protected static array $allowedAttrsByElements = [
         'p' => [],
-        'a' => ['href', 'title', 'target', 'data-mention-user-id'],
+        'a' => ['href', 'title', 'target'],
         'ol' => [],
         'ul' => [],
         'li' => [],

composer.json

@@ -19,7 +19,6 @@
         "ext-zip": "*",
         "bacon/bacon-qr-code": "^3.0",
         "dompdf/dompdf": "^3.1",
-        "ezyang/htmlpurifier": "^4.19",
         "guzzlehttp/guzzle": "^7.4",
         "intervention/image": "^3.5",
         "knplabs/knp-snappy": "^1.5",
@@ -30,17 +29,16 @@
         "league/flysystem-aws-s3-v3": "^3.0",
         "league/html-to-markdown": "^5.0.0",
         "league/oauth2-client": "^2.6",
-        "onelogin/php-saml": "^4.3.1",
+        "onelogin/php-saml": "^4.0",
         "phpseclib/phpseclib": "^3.0",
-        "pragmarx/google2fa": "^9.0",
+        "pragmarx/google2fa": "^8.0",
         "predis/predis": "^3.2",
         "socialiteproviders/discord": "^4.1",
         "socialiteproviders/gitlab": "^4.1",
         "socialiteproviders/microsoft-azure": "^5.1",
         "socialiteproviders/okta": "^4.2",
         "socialiteproviders/twitch": "^5.3",
-        "ssddanbrown/htmldiff": "^2.0.0",
-        "xemlock/htmlpurifier-html5": "^0.1.12"
+        "ssddanbrown/htmldiff": "^2.0.0"
     },
     "require-dev": {
         "fakerphp/faker": "^1.21",
@@ -49,7 +47,7 @@
         "nunomaduro/collision": "^8.6",
         "larastan/larastan": "^v3.0",
         "phpunit/phpunit": "^11.5",
-        "squizlabs/php_codesniffer": "^4.0.1",
+        "squizlabs/php_codesniffer": "^3.7",
         "ssddanbrown/asserthtml": "^3.1"
     },
     "autoload": {
@@ -95,7 +93,6 @@
             "@php artisan view:clear"
         ],
         "refresh-test-database": [
-            "@putenv APP_TIMEZONE=UTC",
             "@php artisan migrate:refresh --database=mysql_testing",
             "@php artisan db:seed --class=DummyContentSeeder --database=mysql_testing"
         ]

crowdin.yml

@@ -1,4 +1,3 @@
-project_id: "377219"
 project_identifier: bookstack
 base_path: .
 preserve_hierarchy: false

database/factories/Entities/Models/SlugHistoryFactory.php

@@ -1,29 +0,0 @@
-<?php
-
-namespace Database\Factories\Entities\Models;
-
-use BookStack\Entities\Models\Book;
-use Illuminate\Database\Eloquent\Factories\Factory;
-
-/**
- * @extends \Illuminate\Database\Eloquent\Factories\Factory<\BookStack\Entities\Models\SlugHistory>
- */
-class SlugHistoryFactory extends Factory
-{
-    protected $model = \BookStack\Entities\Models\SlugHistory::class;
-
-    /**
-     * Define the model's default state.
-     *
-     * @return array<string, mixed>
-     */
-    public function definition(): array
-    {
-        return [
-            'sluggable_id' => Book::factory(),
-            'sluggable_type' => 'book',
-            'slug' => $this->faker->slug(),
-            'parent_slug' => null,
-        ];
-    }
-}

database/migrations/2025_11_23_161812_create_slug_history_table.php

@@ -1,51 +0,0 @@
-<?php
-
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\DB;
-use Illuminate\Support\Facades\Schema;
-
-return new class extends Migration
-{
-    /**
-     * Run the migrations.
-     */
-    public function up(): void
-    {
-        // Create the table for storing slug history
-        Schema::create('slug_history', function (Blueprint $table) {
-            $table->increments('id');
-            $table->string('sluggable_type', 10)->index();
-            $table->unsignedBigInteger('sluggable_id')->index();
-            $table->string('slug')->index();
-            $table->string('parent_slug')->nullable()->index();
-            $table->timestamps();
-        });
-
-        // Migrate in slugs from page revisions
-        $revisionSlugQuery = DB::table('page_revisions')
-            ->select([
-                DB::raw('\'page\' as sluggable_type'),
-                'page_id as sluggable_id',
-                'slug',
-                'book_slug as parent_slug',
-                DB::raw('min(created_at) as created_at'),
-                DB::raw('min(updated_at) as updated_at'),
-            ])
-            ->where('type', '=', 'version')
-            ->groupBy(['sluggable_id', 'slug', 'parent_slug']);
-
-        DB::table('slug_history')->insertUsing(
-            ['sluggable_type', 'sluggable_id', 'slug', 'parent_slug', 'created_at', 'updated_at'],
-            $revisionSlugQuery,
-        );
-    }
-
-    /**
-     * Reverse the migrations.
-     */
-    public function down(): void
-    {
-        Schema::dropIfExists('slug_history');
-    }
-};

database/migrations/2025_12_15_140219_create_mention_history_table.php

@@ -1,31 +0,0 @@
-<?php
-
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;
-
-return new class extends Migration
-{
-    /**
-     * Run the migrations.
-     */
-    public function up(): void
-    {
-        Schema::create('mention_history', function (Blueprint $table) {
-            $table->increments('id');
-            $table->string('mentionable_type', 50)->index();
-            $table->unsignedBigInteger('mentionable_id')->index();
-            $table->unsignedInteger('from_user_id');
-            $table->unsignedInteger('to_user_id');
-            $table->timestamps();
-        });
-    }
-
-    /**
-     * Reverse the migrations.
-     */
-    public function down(): void
-    {
-        Schema::dropIfExists('mention_history');
-    }
-};

database/migrations/2025_12_19_103417_add_views_viewable_type_index.php

@@ -1,28 +0,0 @@
-<?php
-
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;
-
-return new class extends Migration
-{
-    /**
-     * Run the migrations.
-     */
-    public function up(): void
-    {
-        Schema::table('views', function (Blueprint $table) {
-            $table->index('viewable_type', 'views_viewable_type_index');
-        });
-    }
-
-    /**
-     * Reverse the migrations.
-     */
-    public function down(): void
-    {
-        Schema::table('views', function (Blueprint $table) {
-            $table->dropIndex('views_viewable_type_index');
-        });
-    }
-};

database/seeders/DummyContentSeeder.php

@@ -13,6 +13,7 @@ use BookStack\Search\SearchIndex;
 use BookStack\Users\Models\Role;
 use BookStack\Users\Models\User;
 use Illuminate\Database\Eloquent\Relations\HasMany;
+use Illuminate\Database\Eloquent\Relations\Relation;
 use Illuminate\Database\Seeder;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Hash;
@@ -22,8 +23,10 @@ class DummyContentSeeder extends Seeder
 {
     /**
      * Run the database seeds.
+     *
+     * @return void
      */
-    public function run(): void
+    public function run()
     {
         // Create an editor user
         $editorUser = User::factory()->create();

dev/build/esbuild.js

@@ -1,15 +1,12 @@
 #!/usr/bin/env node
 
-import * as esbuild from 'esbuild';
-import * as path from 'node:path';
-import * as fs from 'node:fs';
-import * as process from "node:process";
+const esbuild = require('esbuild');
+const path = require('path');
+const fs = require('fs');
 
 // Check if we're building for production
 // (Set via passing `production` as first argument)
-const mode = process.argv[2];
-const isProd = mode === 'production';
-const __dirname = import.meta.dirname;
+const isProd = process.argv[2] === 'production';
 
 // Gather our input files
 const entryPoints = {
@@ -20,16 +17,11 @@ const entryPoints = {
     wysiwyg: path.join(__dirname, '../../resources/js/wysiwyg/index.ts'),
 };
 
-// Watch styles so we can reload on change
-if (mode === 'watch') {
-    entryPoints['styles-dummy'] = path.join(__dirname, '../../public/dist/styles.css');
-}
-
 // Locate our output directory
 const outdir = path.join(__dirname, '../../public/dist');
 
-// Define the options for esbuild
-const options = {
+// Build via esbuild
+esbuild.build({
     bundle: true,
     metafile: true,
     entryPoints,
@@ -41,7 +33,6 @@ const options = {
     minify: isProd,
     logLevel: 'info',
     loader: {
-        '.html': 'copy',
         '.svg': 'text',
     },
     absWorkingDir: path.join(__dirname, '../..'),
@@ -54,34 +45,6 @@ const options = {
         js: '// See the "/licenses" URI for full package license details',
         css: '/* See the "/licenses" URI for full package license details */',
     },
-};
-
-if (mode === 'watch') {
-    options.inject = [
-        path.join(__dirname, './livereload.js'),
-    ];
-}
-
-const ctx = await esbuild.context(options);
-
-if (mode === 'watch') {
-    // Watch for changes and rebuild on change
-    ctx.watch({});
-    let {hosts, port} = await ctx.serve({
-        servedir: path.join(__dirname, '../../public'),
-        cors: {
-            origin: '*',
-        }
-    });
-} else {
-    // Build with meta output for analysis
-    const result = await ctx.rebuild();
-    const outputs = result.metafile.outputs;
-    const files = Object.keys(outputs);
-    for (const file of files) {
-        const output = outputs[file];
-        console.log(`Written: ${file} @ ${Math.round(output.bytes / 1000)}kB`);
-    }
+}).then(result => {
     fs.writeFileSync('esbuild-meta.json', JSON.stringify(result.metafile));
-    process.exit(0);
-}
+}).catch(() => process.exit(1));

dev/build/livereload.js

@@ -1,35 +0,0 @@
-if (!window.__dev_reload_listening) {
-    listen();
-    window.__dev_reload_listening = true;
-}
-
-
-function listen() {
-    console.log('Listening for livereload events...');
-    new EventSource("http://127.0.0.1:8000/esbuild").addEventListener('change', e => {
-        const { added, removed, updated } = JSON.parse(e.data);
-
-        if (!added.length && !removed.length && updated.length > 0) {
-            const updatedPath = updated.filter(path => path.endsWith('.css'))[0]
-            if (!updatedPath) return;
-
-            const links = [...document.querySelectorAll("link[rel='stylesheet']")];
-            for (const link of links) {
-                const url = new URL(link.href);
-                const name = updatedPath.replace('-dummy', '');
-
-                if (url.pathname.endsWith(name)) {
-                    const next = link.cloneNode();
-                    next.href = name + '?version=' + Math.random().toString(36).slice(2);
-                    next.onload = function() {
-                        link.remove();
-                    };
-                    link.after(next);
-                    return
-                }
-            }
-        }
-
-        location.reload()
-    });
-}

dev/checksums/vendor

@@ -1 +1 @@
-52295e0eb95cb07da14e4d794b8b44371e37052ffed98362341a686a02c10389
+22e02ee72d21ff719c1073abbec8302f8e2096ba6d072e133051064ed24b45b1

dev/docker/Dockerfile

@@ -14,9 +14,6 @@ RUN apt-get update && \
         wait-for-it && \
     rm -rf /var/lib/apt/lists/*
 
-# Mark /app as safe for Git >= 2.35.2
-RUN git config --system --add safe.directory /app
-
 # Install PHP extensions
 RUN docker-php-ext-configure ldap --with-libdir="lib/$(gcc -dumpmachine)" && \
     docker-php-ext-configure gd --with-freetype --with-jpeg && \

dev/docker/db-testing/Dockerfile

@@ -1,30 +0,0 @@
-FROM ubuntu:24.04
-
-# Install additional dependencies
-RUN apt-get update && \
-    apt-get install -y \
-        git \
-		wget \
-        zip \
-        unzip \
-		php \
-		php-bcmath php-curl php-mbstring php-gd php-xml php-zip php-mysql php-ldap \
-       && \
-    rm -rf /var/lib/apt/lists/*
-
-# Take branch as an argument so we can choose which BookStack
-# branch to test against
-ARG BRANCH=development
-
-# Download BookStack & install PHP deps
-RUN mkdir -p /var/www && \
-    git clone https://github.com/bookstackapp/bookstack.git --branch "$BRANCH" --single-branch /var/www/bookstack && \
-    cd /var/www/bookstack && \
-    wget https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer -O - -q | php -- --quiet --filename=composer && \
-    php composer install
-
-# Set the BookStack dir as the default working dir
-WORKDIR /var/www/bookstack
-
-# Set the default action as running php
-ENTRYPOINT ["/bin/php"]

dev/docker/db-testing/readme.md

@@ -1,32 +0,0 @@
-# Database Testing Suite
-
-This docker setup is designed to run BookStack's test suite against each major database version we support
-across MySQL and MariaDB to ensure compatibility and highlight any potential issues before a release.
-This is a fairly slow and heavy process, so is designed to just be run manually before a release which
-makes changes to the database schema, or a release which makes significant changes to database queries.
-
-### Running
-
-Everything is ran via the `run.sh` script. This will:
-
-- Optionally, accept a branch of BookStack to use for testing.
-- Build the docker image from the `Dockerfile`.
-  - This will include a built-in copy of the chosen BookStack branch. 
-- Cycle through each major supported database version:
-  - Migrate and seed the database.
-  - Run the full PHP test suite.
-
-If there's a failure for a database version, the script will prompt if you'd like to continue or stop testing.
-
-This script should be ran from this `db-testing` directory:
-
-```bash
-# Enter this directory
-cd dev/docker/db-testing
-
-# Runs for the 'development' branch by default
-./run.sh
-
-# Run for a specific branch
-./run.sh v25-11
-```

dev/docker/db-testing/run.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-
-BRANCH=${1:-development}
-
-# Build the container with a known name
-docker build --no-cache --build-arg BRANCH="$BRANCH" -t bookstack:db-testing .
-if [ $? -eq 1 ]; then
-  echo "Failed to build app container for testing"
-  exit 1
-fi
-
-# List of database containers to test against
-containers=(
-  "mysql:8.0"
-  "mysql:8.4"
-  "mysql:9.5"
-  "mariadb:10.6"
-  "mariadb:10.11"
-  "mariadb:11.4"
-  "mariadb:11.8"
-  "mariadb:12.0"
-)
-
-# Pre-clean-up from prior runs
-docker stop bs-dbtest-db
-docker network rm bs-dbtest-net
-
-# Cycle over each database image
-for img in "${containers[@]}"; do
-  echo "Starting tests with $img..."
-  docker network create bs-dbtest-net
-  docker run -d --rm --name "bs-dbtest-db" \
-    -e MYSQL_DATABASE=bookstack-test \
-    -e MYSQL_USER=bookstack \
-    -e MYSQL_PASSWORD=bookstack \
-    -e MYSQL_ROOT_PASSWORD=password \
-	  --network=bs-dbtest-net \
-    "$img"
-  sleep 20
-  APP_RUN='docker run -it --rm --network=bs-dbtest-net -e TEST_DATABASE_URL="mysql://bookstack:bookstack@bs-dbtest-db:3306" bookstack:db-testing'
-  $APP_RUN artisan migrate --force --database=mysql_testing
-  $APP_RUN artisan db:seed --force --class=DummyContentSeeder --database=mysql_testing
-  $APP_RUN vendor/bin/phpunit
-  if [ $? -eq 0 ]; then
-    echo "$img - Success"
-  else
-    echo "$img - Error"
-    read -p "Stop script? [y/N] " ans
-    [[ $ans == [yY] ]] && exit 0
-  fi
-
-  docker stop "bs-dbtest-db"
-  docker network rm bs-dbtest-net
-done
-

dev/docs/development.md

@@ -3,11 +3,11 @@
 All development on BookStack is currently done on the `development` branch. 
 When it's time for a release the `development` branch is merged into release with built & minified CSS & JS then tagged at its version. Here are the current development requirements:
 
-* [Node.js](https://nodejs.org/en/) v22.0+
+* [Node.js](https://nodejs.org/en/) v20.0+
 
 ## Building CSS & JavaScript Assets
 
-This project uses SASS for CSS development which is built, along with the JavaScript, using a range of npm scripts. The below npm commands can be used to install the dependencies & run the build tasks:
+This project uses SASS for CSS development and this is built, along with the JavaScript, using a range of npm scripts. The below npm commands can be used to install the dependencies & run the build tasks:
 
 ``` bash
 # Install NPM Dependencies
@@ -113,4 +113,4 @@ docker-compose run app php vendor/bin/phpunit
 ### Debugging
 
 The docker-compose setup ships with Xdebug, which you can listen to on port 9090.
-NB: For some editors like Visual Studio Code, you might need to map your workspace folder to the /app folder within the docker container for this to work.
+NB : For some editors like Visual Studio Code, you might need to map your workspace folder to the /app folder within the docker container for this to work.

dev/docs/javascript-code.md

@@ -161,7 +161,3 @@ window.$components.firstOnElement(element, name);
 There are a range of available events that are emitted as part of a public & supported API for accessing or extending JavaScript libraries & components used in the system.
 
 Details on these events can be found in the [JavaScript Public Events file](javascript-public-events.md).
-
-## WYSIWYG Editor API
-
-Details on the API for our custom-built WYSIWYG editor can be found in the [WYSIWYG JavaScript API file](./wysiwyg-js-api.md).

dev/docs/javascript-public-events.md

@@ -60,7 +60,7 @@ This event is called when the markdown editor loads, post configuration but befo
 
 #### Event Data
 
-- `markdownIt` - A reference to the [MarkdownIt](https://markdown-it.github.io/markdown-it/#MarkdownIt) instance used to render markdown to HTML (Just for the preview).
+- `markdownIt` - A references to the [MarkdownIt](https://markdown-it.github.io/markdown-it/#MarkdownIt) instance used to render markdown to HTML (Just for the preview).
 - `displayEl` - The IFrame Element that wraps the HTML preview display.
 - `cmEditorView` - The CodeMirror [EditorView](https://codemirror.net/docs/ref/#view.EditorView) instance used for the markdown input editor.
 
@@ -79,7 +79,7 @@ window.addEventListener('editor-markdown::setup', event => {
 This event is called as the embedded diagrams.net drawing editor loads, to allow configuration of the diagrams.net interface.
 See [this diagrams.net page](https://www.diagrams.net/doc/faq/configure-diagram-editor) for details on the available options for the configure event.
 
-If using a custom diagrams.net instance, via the `DRAWIO` option, you will need to ensure your DRAWIO option URL has the `configure=1` query parameter.
+If using a custom diagrams.net instance, via the `DRAWIO` option, you will need to ensure  your DRAWIO option URL has the `configure=1` query parameter.
 
 #### Event Data
 
@@ -134,47 +134,6 @@ window.addEventListener('editor-tinymce::setup', event => {
 });
 ```
 
-### `editor-wysiwyg::post-init`
-
-This is called after the (new custom-built Lexical-based) WYSIWYG editor has been initialised.
-
-#### Event Data
-
-- `usage` - A string label to identify the usage type of the WYSIWYG editor in BookStack.
-- `api` - An instance to the WYSIWYG editor API, as documented in the [WYSIWYG JavaScript API file](./wysiwyg-js-api.md).
-
-##### Example
-
-The below example shows how you'd use this API to create a button, with that button added to the main toolbar of the page editor, which inserts bold "Hello!" text on press:
-
-<details>
-<summary>Show Example</summary>
-
-```javascript
-window.addEventListener('editor-wysiwyg::post-init', event => {
-    const {usage, api} = event.detail;
-    // Check that it's the page editor which is being loaded
-    if (usage !== 'page-editor') {
-        return;
-    }
-    
-    // Create a custom button which inserts bold hello text on press
-    const button = api.ui.createButton({
-        label: 'Greet',
-        action: () => {
-            api.content.insertHtml(`<strong>Hello!</strong>`);
-        }
-    });
-    
-    // Add the button to the start of the first section within the main toolbar
-    const toolbar = api.ui.getMainToolbar();
-    if (toolbar) {
-      toolbar.getSections()[0]?.addButton(button, 0);   
-    }
-});
-```
-</details>
-
 ### `library-cm6::configure-theme`
 
 This event is called whenever a CodeMirror instance is loaded, as a method to configure the theme used by CodeMirror. This applies to all CodeMirror instances including in-page code blocks, editors using in BookStack settings, and the Page markdown editor.
@@ -183,7 +142,7 @@ This event is called whenever a CodeMirror instance is loaded, as a method to co
 
 - `darkModeActive` - A boolean to indicate if the current view/page is being loaded with dark mode active.
 - `registerViewTheme(builder)` - A method that can be called to register a new view (CodeMirror UI) theme.
-  - `builder` - A function that will return an object that will be passed into the CodeMirror [EditorView.theme()](https://codemirror.net/docs/ref/#view.EditorView^theme) function as a StyleSpec.
+  - `builder` - A function that will return  an object that will be passed into the CodeMirror [EditorView.theme()](https://codemirror.net/docs/ref/#view.EditorView^theme) function as a StyleSpec.
 - `registerHighlightStyle(builder)` - A method that can be called to register a new HighlightStyle (code highlighting) theme.
   - `builder` - A function, that receives a reference to [Tag.tags](https://lezer.codemirror.net/docs/ref/#highlight.tags) and returns an array of [TagStyle](https://codemirror.net/docs/ref/#language.TagStyle) objects.
 
@@ -342,7 +301,7 @@ This event is called just after any CodeMirror instances are initialised so that
 
 ##### Example
 
-The below example shows how you'd prepend some default text to all content (page) code blocks.
+The below shows how you'd prepend some default text to all content (page) code blocks.
 
 <details>
 <summary>Show Example</summary>
@@ -359,4 +318,4 @@ window.addEventListener('library-cm6::post-init', event => {
     }
 });
 ```
-</details>
+</details>

dev/docs/php-testing.md

@@ -4,7 +4,7 @@ BookStack has many test cases defined within the `tests/` directory of the app.
 
 ## Setup
 
-The application tests are mostly functional, rather than unit tests, meaning they simulate user actions and system components, and therefore these require use of the database. To avoid potential conflicts within your development environment, the tests use a separate database. This is defined via a specific `mysql_testing` database connection in our configuration, and expects to use the following database access details:
+The application tests are mostly functional, rather than unit tests, meaning they simulate user actions and system components and therefore these require use of the database. To avoid potential conflicts within your development environment, the tests use a separate database. This is defined via a specific `mysql_testing` database connection in our configuration, and expects to use the following database access details:
 
 - Host: `127.0.0.1`
 - Username: `bookstack-test`

dev/docs/wysiwyg-js-api.md

@@ -1,136 +0,0 @@
-# WYSIWYG JavaScript API
-
-**Warning: This API is currently in development and may change without notice.**
-
-Feedback is very much welcomed via this issue: https://github.com/BookStackApp/BookStack/issues/5937
-
-This document covers the JavaScript API for the (newer Lexical-based) WYSIWYG editor.
-This API is built and designed to abstract the internals of the editor away
-to provide a stable interface for performing common customizations.
-
-Only the methods and properties documented here are guaranteed to be stable **once this API
-is out of initial development**.
-Other elements may be accessible but are not designed to be used directly, and therefore may change
-without notice.
-Stable parts of the API may still change where needed, but such changes would be noted as part of BookStack update advisories.
-
-The methods shown here are documented using standard TypeScript notation.
-
-## Overview
-
-The API is provided as an object, which itself provides a number of modules
-via its properties:
-
-- `ui` - Provides methods related to the UI of the editor, like buttons and toolbars.
-- `content` - Provides methods related to the live user content being edited upon.
-
-Each of these modules, and the relevant types used within, are documented in detail below.
-
-The API object itself is provided via the [editor-wysiwyg::post-init](./javascript-public-events.md#editor-wysiwygpost-init)
-JavaScript public event, so you can access it like so:
-
-```javascript
-window.addEventListener('editor-wysiwyg::post-init', event => {
-    const {api} = event.detail;
-});
-```
-
----
-
-## UI Module
-
-This module provides methods related to the UI of the editor, like buttons and toolbars.
-
-### Methods
-
-#### createButton(options: object): EditorApiButton
-
-Creates a new button which can be used by other methods.
-This takes an option object with the following properties:
-
-- `label` - string, optional - Used for the button text if no icon provided, or the button tooltip if an icon is provided.
-- `icon` - string, optional - The icon to use for the button. Expected to be an SVG string.
-- `action` - callback, required - The action to perform when the button is clicked.
-
-The function returns an [EditorApiButton](#editorapibutton) object.
-
-**Example**
-
-```javascript
-const button = api.ui.createButton({
-    label: 'Warn',
-    icon: '<svg>...</svg>',
-    action: () => {
-        window.alert('You clicked the button!');
-    }
-});
-```
-
-### getMainToolbar(): EditorApiToolbar
-
-Get the main editor toolbar. This is typically the toolbar at the top of the editor.
-The function returns an [EditorApiToolbar](#editorapitoolbar) object, or null if no toolbar is found.
-
-**Example**
-
-```javascript
-const toolbar = api.ui.getMainToolbar();
-const sections = toolbar?.getSections() || [];
-if (sections.length > 0) {
-    sections[0].addButton(button);
-}
-```
-
-### Types
-
-These are types which may be provided from UI module methods.
-
-#### EditorApiButton
-
-Represents a button created via the `createButton` method.
-This has the following methods:
-
-- `setActive(isActive: boolean): void` - Sets whether the button should be in an active state or not (typically active buttons appear as pressed).
-
-#### EditorApiToolbar
-
-Represents a toolbar within the editor. This is a bar typically containing sets of buttons.
-This has the following methods:
-
-- `getSections(): EditorApiToolbarSection[]` - Provides the main [EditorApiToolbarSections](#editorapitoolbarsection) contained within this toolbar.
-
-#### EditorApiToolbarSection
-
-Represents a section of the main editor toolbar, which contains a set of buttons.
-This has the following methods:
-
-- `getLabel(): string` - Provides the string label of the section.
-- `addButton(button: EditorApiButton, targetIndex: number = -1): void` - Adds a button to the section.
-  - By default, this will append the button, although a target index can be provided to insert at a specific position.
-
----
-
-## Content Module
-
-This module provides methods related to the live user content being edited within the editor.
-
-### Methods
-
-#### insertHtml(html: string, position: string = 'selection'): void
-
-Inserts the given HTML string at the given position string.
-The position, if not provided, will default to `'selection'`, replacing any existing selected content (or inserting at the selection if there's no active selection range).
-Valid position string values are: `selection`, `start` and `end`. `start` & `end` are relative to the whole editor document.
-The HTML is not assured to be added to the editor exactly as provided, since it will be parsed and serialised to fit the editor's internal known model format. Different parts of the HTML content may be handled differently depending on if it's block or inline content.
-
-The function does not return anything.
-
-**Example**
-
-```javascript
-// Basic insert at selection
-api.content.insertHtml('<p>Hello <strong>world</strong>!</p>');
-
-// Insert at the start of the editor content
-api.content.insertHtml('<p>I\'m at the start!</p>', 'start');
-```

dev/licensing/js-library-licenses.txt

@@ -1,3 +1,16 @@
+abab
+License: BSD-3-Clause
+License File: node_modules/abab/LICENSE.md
+Source: git+https://github.com/jsdom/abab.git
+Link: https://github.com/jsdom/abab#readme
+-----------
+acorn-globals
+License: MIT
+License File: node_modules/acorn-globals/LICENSE
+Copyright: Copyright (c) 2014 Forbes Lindesay
+Source: https://github.com/ForbesLindesay/acorn-globals.git
+Link: https://github.com/ForbesLindesay/acorn-globals.git
+-----------
 acorn-jsx
 License: MIT
 License File: node_modules/acorn-jsx/LICENSE
@@ -21,10 +34,8 @@ Link: https://github.com/acornjs/acorn
 -----------
 agent-base
 License: MIT
-License File: node_modules/agent-base/LICENSE
-Copyright: Copyright (c) 2013 Nathan Rajlich <******@***********.***>
-Source: https://github.com/TooTallNate/proxy-agents.git
-Link: https://github.com/TooTallNate/proxy-agents.git
+Source: git://github.com/TooTallNate/node-agent-base.git
+Link: git://github.com/TooTallNate/node-agent-base.git
 -----------
 ajv
 License: MIT
@@ -43,7 +54,7 @@ Link: sindresorhus/ansi-escapes
 ansi-regex
 License: MIT
 License File: node_modules/ansi-regex/license
-Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (https://sindresorhus.com)
+Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.com)
 Source: chalk/ansi-regex
 Link: chalk/ansi-regex
 -----------
@@ -123,6 +134,20 @@ Copyright: Copyright (c) 2016 EduardoRFS
 Source: git+https://github.com/ljharb/async-function.git
 Link: https://github.com/ljharb/async-function#readme
 -----------
+async
+License: MIT
+License File: node_modules/async/LICENSE
+Copyright: Copyright (c) 2010-2018 Caolan McMahon
+Source: https://github.com/caolan/async.git
+Link: https://caolan.github.io/async/
+-----------
+asynckit
+License: MIT
+License File: node_modules/asynckit/LICENSE
+Copyright: Copyright (c) 2016 Alex Indigo
+Source: git+https://github.com/alexindigo/asynckit.git
+Link: https://github.com/alexindigo/asynckit#readme
+-----------
 available-typed-arrays
 License: MIT
 License File: node_modules/available-typed-arrays/LICENSE
@@ -293,7 +318,7 @@ ci-info
 License: MIT
 License File: node_modules/ci-info/LICENSE
 Copyright: Copyright (c) 2016 Thomas Watson Steen
-Source: github:watson/ci-info
+Source: https://github.com/watson/ci-info.git
 Link: https://github.com/watson/ci-info
 -----------
 cjs-module-lexer
@@ -344,6 +369,13 @@ License File: node_modules/color-name/LICENSE
 Source: git@github.com:colorjs/color-name.git
 Link: https://github.com/colorjs/color-name
 -----------
+combined-stream
+License: MIT
+License File: node_modules/combined-stream/License
+Copyright: Copyright (c) 2011 Debuggable Limited <*****@**********.***>
+Source: git://github.com/felixge/node-combined-stream.git
+Link: https://github.com/felixge/node-combined-stream
+-----------
 concat-map
 License: MIT
 License File: node_modules/concat-map/LICENSE
@@ -358,6 +390,13 @@ All rights reserved.
 Source: git://github.com/thlorenz/convert-source-map.git
 Link: https://github.com/thlorenz/convert-source-map
 -----------
+create-jest
+License: MIT
+License File: node_modules/create-jest/LICENSE
+Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
+Source: https://github.com/jestjs/jest.git
+Link: https://github.com/jestjs/jest.git
+-----------
 create-require
 License: MIT
 License File: node_modules/create-require/LICENSE
@@ -379,6 +418,13 @@ Copyright: Copyright (c) 2018 Made With MOXY Lda <*****@****.******>
 Source: git@github.com:moxystudio/node-cross-spawn.git
 Link: https://github.com/moxystudio/node-cross-spawn
 -----------
+cssom
+License: MIT
+License File: node_modules/cssom/LICENSE.txt
+Copyright: Copyright (c) Nikita Vasilyev
+Source: NV/CSSOM
+Link: NV/CSSOM
+-----------
 cssstyle
 License: MIT
 License File: node_modules/cssstyle/LICENSE
@@ -469,6 +515,13 @@ Copyright: Copyright (C) 2015 Jordan Harband
 Source: git://github.com/ljharb/define-properties.git
 Link: git://github.com/ljharb/define-properties.git
 -----------
+delayed-stream
+License: MIT
+License File: node_modules/delayed-stream/License
+Copyright: Copyright (c) 2011 Debuggable Limited <*****@**********.***>
+Source: git://github.com/felixge/node-delayed-stream.git
+Link: https://github.com/felixge/node-delayed-stream
+-----------
 detect-libc
 License: Apache-2.0
 License File: node_modules/detect-libc/LICENSE
@@ -482,6 +535,13 @@ Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.co
 Source: sindresorhus/detect-newline
 Link: sindresorhus/detect-newline
 -----------
+diff-sequences
+License: MIT
+License File: node_modules/diff-sequences/LICENSE
+Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
+Source: https://github.com/jestjs/jest.git
+Link: https://github.com/jestjs/jest.git
+-----------
 diff
 License: BSD-3-Clause
 License File: node_modules/diff/LICENSE
@@ -495,6 +555,12 @@ License File: node_modules/doctrine/LICENSE
 Source: eslint/doctrine
 Link: https://github.com/eslint/doctrine
 -----------
+domexception
+License: MIT
+License File: node_modules/domexception/LICENSE.txt
+Source: jsdom/domexception
+Link: jsdom/domexception
+-----------
 dunder-proto
 License: MIT
 License File: node_modules/dunder-proto/LICENSE
@@ -502,10 +568,11 @@ Copyright: Copyright (c) 2024 ECMAScript Shims
 Source: git+https://github.com/es-shims/dunder-proto.git
 Link: https://github.com/es-shims/dunder-proto#readme
 -----------
-eastasianwidth
-License: MIT
-Source: git://github.com/komagata/eastasianwidth.git
-Link: git://github.com/komagata/eastasianwidth.git
+ejs
+License: Apache-2.0
+License File: node_modules/ejs/LICENSE
+Source: git://github.com/mde/ejs.git
+Link: https://github.com/mde/ejs
 -----------
 electron-to-chromium
 License: ISC
@@ -612,6 +679,13 @@ Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (https://sindres
 Source: sindresorhus/escape-string-regexp
 Link: sindresorhus/escape-string-regexp
 -----------
+escodegen
+License: BSD-2-Clause
+License File: node_modules/escodegen/LICENSE.BSD
+Copyright: Copyright (C) 2012 Yusuke Suzuki (twitter: @Constellation) and other contributors.
+Source: http://github.com/estools/escodegen.git
+Link: http://github.com/estools/escodegen
+-----------
 eslint-import-resolver-node
 License: MIT
 License File: node_modules/eslint-import-resolver-node/LICENSE
@@ -698,10 +772,9 @@ Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (https://sindres
 Source: sindresorhus/execa
 Link: sindresorhus/execa
 -----------
-exit-x
-License: MIT
-Source: git://github.com/gruntjs/node-exit-x.git
-Link: https://github.com/gruntjs/node-exit-x
+exit
+Source: git://github.com/cowboy/node-exit.git
+Link: https://github.com/cowboy/node-exit
 -----------
 expect
 License: MIT
@@ -744,6 +817,11 @@ Copyright: Copyright (c) Roy Riojas & Jared Wray
 Source: jaredwray/file-entry-cache
 Link: jaredwray/file-entry-cache
 -----------
+filelist
+License: Apache-2.0
+Source: git://github.com/mde/filelist.git
+Link: https://github.com/mde/filelist
+-----------
 fill-range
 License: MIT
 License File: node_modules/fill-range/LICENSE
@@ -779,12 +857,12 @@ Copyright: Copyright (c) 2012 Raynos.
 Source: https://github.com/Raynos/for-each.git
 Link: https://github.com/Raynos/for-each
 -----------
-foreground-child
-License: ISC
-License File: node_modules/foreground-child/LICENSE
-Copyright: Copyright (c) 2015-2023 Isaac Z. Schlueter and Contributors
-Source: git+https://github.com/tapjs/foreground-child.git
-Link: git+https://github.com/tapjs/foreground-child.git
+form-data
+License: MIT
+License File: node_modules/form-data/License
+Copyright: Copyright (c) 2012 Felix Geisendörfer (*****@**********.***) and contributors
+Source: git://github.com/form-data/form-data.git
+Link: git://github.com/form-data/form-data.git
 -----------
 fs.realpath
 License: ISC
@@ -873,7 +951,7 @@ Link: gulpjs/glob-parent
 glob
 License: ISC
 License File: node_modules/glob/LICENSE
-Copyright: Copyright (c) 2009-2023 Isaac Z. Schlueter and Contributors
+Copyright: Copyright (c) Isaac Z. Schlueter and Contributors
 Source: git://github.com/isaacs/node-glob.git
 Link: git://github.com/isaacs/node-glob.git
 -----------
@@ -905,13 +983,6 @@ Copyright: Copyright (c) 2011-2022 Isaac Z. Schlueter, Ben Noordhuis, and Contri
 Source: https://github.com/isaacs/node-graceful-fs
 Link: https://github.com/isaacs/node-graceful-fs
 -----------
-handlebars
-License: MIT
-License File: node_modules/handlebars/LICENSE
-Copyright: Copyright (C) 2011-2019 by Yehuda Katz
-Source: https://github.com/handlebars-lang/handlebars.js.git
-Link: https://www.handlebarsjs.com/
------------
 has-bigints
 License: MIT
 License File: node_modules/has-bigints/LICENSE
@@ -983,17 +1054,13 @@ Link: https://github.com/WebReflection/html-escaper
 -----------
 http-proxy-agent
 License: MIT
-License File: node_modules/http-proxy-agent/LICENSE
-Copyright: Copyright (c) 2013 Nathan Rajlich <******@***********.***>
-Source: https://github.com/TooTallNate/proxy-agents.git
-Link: https://github.com/TooTallNate/proxy-agents.git
+Source: git://github.com/TooTallNate/node-http-proxy-agent.git
+Link: git://github.com/TooTallNate/node-http-proxy-agent.git
 -----------
 https-proxy-agent
 License: MIT
-License File: node_modules/https-proxy-agent/LICENSE
-Copyright: Copyright (c) 2013 Nathan Rajlich <******@***********.***>
-Source: https://github.com/TooTallNate/proxy-agents.git
-Link: https://github.com/TooTallNate/proxy-agents.git
+Source: git://github.com/TooTallNate/node-https-proxy-agent.git
+Link: git://github.com/TooTallNate/node-https-proxy-agent.git
 -----------
 human-signals
 License: Apache-2.0
@@ -1331,11 +1398,10 @@ Copyright: Copyright 2012-2015 Yahoo! Inc.
 Source: git+ssh://git@github.com/istanbuljs/istanbuljs.git
 Link: https://istanbul.js.org/
 -----------
-jackspeak
-License: BlueOak-1.0.0
-License File: node_modules/jackspeak/LICENSE.md
-Source: git+https://github.com/isaacs/jackspeak.git
-Link: git+https://github.com/isaacs/jackspeak.git
+jake
+License: Apache-2.0
+Source: git://github.com/jakejs/jake.git
+Link: git://github.com/jakejs/jake.git
 -----------
 jest-changed-files
 License: MIT
@@ -1400,6 +1466,13 @@ Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
 Source: https://github.com/jestjs/jest.git
 Link: https://github.com/jestjs/jest.git
 -----------
+jest-get-type
+License: MIT
+License File: node_modules/jest-get-type/LICENSE
+Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
+Source: https://github.com/jestjs/jest.git
+Link: https://github.com/jestjs/jest.git
+-----------
 jest-haste-map
 License: MIT
 License File: node_modules/jest-haste-map/LICENSE
@@ -1535,8 +1608,8 @@ jsdom
 License: MIT
 License File: node_modules/jsdom/LICENSE.txt
 Copyright: Copyright (c) 2010 Elijah Insua
-Source: git+https://github.com/jsdom/jsdom.git
-Link: git+https://github.com/jsdom/jsdom.git
+Source: jsdom/jsdom
+Link: jsdom/jsdom
 -----------
 jsesc
 License: MIT
@@ -1591,6 +1664,13 @@ License: MIT
 Source: git+https://github.com/jaredwray/keyv.git
 Link: https://github.com/jaredwray/keyv
 -----------
+kleur
+License: MIT
+License File: node_modules/kleur/license
+Copyright: Copyright (c) Luke Edwards <****.*********@*****.***> (lukeed.com)
+Source: lukeed/kleur
+Link: lukeed/kleur
+-----------
 leven
 License: MIT
 License File: node_modules/leven/license
@@ -1619,6 +1699,20 @@ Copyright: Copyright (c) 2015 Vitaly Puzrin.
 Source: markdown-it/linkify-it
 Link: markdown-it/linkify-it
 -----------
+livereload-js
+License: MIT
+License File: node_modules/livereload-js/LICENSE
+Copyright: Copyright (c) 2010-2012 Andrey Tarantsov
+Source: git://github.com/livereload/livereload-js.git
+Link: https://github.com/livereload/livereload-js
+-----------
+livereload
+License: MIT
+License File: node_modules/livereload/LICENSE
+Copyright: Copyright (c) 2010 Joshua Peek
+Source: http://github.com/napcs/node-livereload.git
+Link: http://github.com/napcs/node-livereload.git
+-----------
 load-json-file
 License: MIT
 License File: node_modules/load-json-file/license
@@ -1733,6 +1827,22 @@ Copyright: Copyright (c) 2014-present, Jon Schlinkert.
 Source: micromatch/micromatch
 Link: https://github.com/micromatch/micromatch
 -----------
+mime-db
+License: MIT
+License File: node_modules/mime-db/LICENSE
+Copyright: Copyright (c) 2014 Jonathan Ong <**@***********.***>
+Copyright (c) 2015-2022 Douglas Christopher Wilson <****@*************.***>
+Source: jshttp/mime-db
+Link: jshttp/mime-db
+-----------
+mime-types
+License: MIT
+License File: node_modules/mime-types/LICENSE
+Copyright: Copyright (c) 2014 Jonathan Ong <**@***********.***>
+Copyright (c) 2015 Douglas Christopher Wilson <****@*************.***>
+Source: jshttp/mime-types
+Link: jshttp/mime-types
+-----------
 mimic-fn
 License: MIT
 License File: node_modules/mimic-fn/license
@@ -1753,13 +1863,6 @@ License File: node_modules/minimist/LICENSE
 Source: git://github.com/minimistjs/minimist.git
 Link: https://github.com/minimistjs/minimist
 -----------
-minipass
-License: ISC
-License File: node_modules/minipass/LICENSE
-Copyright: Copyright (c) 2017-2023 npm, Inc., Isaac Z. Schlueter, and Contributors
-Source: https://github.com/isaacs/minipass
-Link: https://github.com/isaacs/minipass
------------
 ms
 License: MIT
 License File: node_modules/ms/license.md
@@ -1767,26 +1870,11 @@ Copyright: Copyright (c) 2020 Vercel, Inc.
 Source: vercel/ms
 Link: vercel/ms
 -----------
-napi-postinstall
-License: MIT
-License File: node_modules/napi-postinstall/LICENSE
-Copyright: Copyright (c) 2021-present UnTS
-Source: git+https://github.com/un-ts/napi-postinstall.git
-Link: git+https://github.com/un-ts/napi-postinstall.git
------------
 natural-compare
 License: MIT
 Source: git://github.com/litejs/natural-compare-lite.git
 Link: git://github.com/litejs/natural-compare-lite.git
 -----------
-neo-async
-License: MIT
-License File: node_modules/neo-async/LICENSE
-Copyright: Copyright (c) 2014-2018 Suguru Motegi
-Based on Async.js, Copyright Caolan McMahon
-Source: git@github.com:suguru03/neo-async.git
-Link: https://github.com/suguru03/neo-async
------------
 nice-try
 License: MIT
 License File: node_modules/nice-try/LICENSE
@@ -1914,6 +2002,14 @@ Copyright: Copyright (c) George Zahariev
 Source: git://github.com/gkz/optionator.git
 Link: https://github.com/gkz/optionator
 -----------
+opts
+License: BSD-2-Clause
+License File: node_modules/opts/LICENSE.txt
+Copyright: Copyright (c) 2010, Joey Mazzarelli
+All rights reserved.
+Source: github:khtdr/opts
+Link: http://khtdr.com/opts
+-----------
 own-keys
 License: MIT
 License File: node_modules/own-keys/LICENSE
@@ -1942,12 +2038,6 @@ Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.co
 Source: sindresorhus/p-try
 Link: sindresorhus/p-try
 -----------
-package-json-from-dist
-License: BlueOak-1.0.0
-License File: node_modules/package-json-from-dist/LICENSE.md
-Source: git+https://github.com/isaacs/package-json-from-dist.git
-Link: git+https://github.com/isaacs/package-json-from-dist.git
------------
 parent-module
 License: MIT
 License File: node_modules/parent-module/license
@@ -1997,12 +2087,6 @@ Copyright: Copyright (c) 2015 Javier Blanco
 Source: https://github.com/jbgutierrez/path-parse.git
 Link: https://github.com/jbgutierrez/path-parse#readme
 -----------
-path-scurry
-License: BlueOak-1.0.0
-License File: node_modules/path-scurry/LICENSE.md
-Source: git+https://github.com/isaacs/path-scurry
-Link: git+https://github.com/isaacs/path-scurry
------------
 path-type
 License: MIT
 License File: node_modules/path-type/license
@@ -2073,6 +2157,20 @@ Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
 Source: https://github.com/jestjs/jest.git
 Link: https://github.com/jestjs/jest.git
 -----------
+prompts
+License: MIT
+License File: node_modules/prompts/license
+Copyright: Copyright (c) 2018 Terkel Gjervig Nielsen
+Source: terkelg/prompts
+Link: terkelg/prompts
+-----------
+psl
+License: MIT
+License File: node_modules/psl/LICENSE
+Copyright: Copyright (c) 2017 Lupo Montero ***********@*****.***
+Source: git@github.com:lupomontero/psl.git
+Link: git@github.com:lupomontero/psl.git
+-----------
 punycode.js
 License: MIT
 License File: node_modules/punycode.js/LICENSE-MIT.txt
@@ -2092,6 +2190,13 @@ Copyright: Copyright (c) 2018 Nicolas DUBIEN
 Source: git+https://github.com/dubzzz/pure-rand.git
 Link: https://github.com/dubzzz/pure-rand#readme
 -----------
+querystringify
+License: MIT
+License File: node_modules/querystringify/LICENSE
+Copyright: Copyright (c) 2015 Unshift.io, Arnout Kazemier,  the Contributors.
+Source: https://github.com/unshiftio/querystringify
+Link: https://github.com/unshiftio/querystringify
+-----------
 react-is
 License: MIT
 License File: node_modules/react-is/LICENSE
@@ -2141,6 +2246,13 @@ Copyright: Copyright (c) 2016, Contributors
 Source: git+ssh://git@github.com/yargs/require-main-filename.git
 Link: https://github.com/yargs/require-main-filename#readme
 -----------
+requires-port
+License: MIT
+License File: node_modules/requires-port/LICENSE
+Copyright: Copyright (c) 2015 Unshift.io, Arnout Kazemier,  the Contributors.
+Source: https://github.com/unshiftio/requires-port
+Link: https://github.com/unshiftio/requires-port
+-----------
 resolve-cwd
 License: MIT
 License File: node_modules/resolve-cwd/license
@@ -2155,6 +2267,13 @@ Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.co
 Source: sindresorhus/resolve-from
 Link: sindresorhus/resolve-from
 -----------
+resolve.exports
+License: MIT
+License File: node_modules/resolve.exports/license
+Copyright: Copyright (c) Luke Edwards <****.*********@*****.***> (lukeed.com)
+Source: lukeed/resolve.exports
+Link: lukeed/resolve.exports
+-----------
 resolve
 License: MIT
 License File: node_modules/resolve/LICENSE
@@ -2162,13 +2281,6 @@ Copyright: Copyright (c) 2012 James Halliday
 Source: git://github.com/browserify/resolve.git
 Link: git://github.com/browserify/resolve.git
 -----------
-rrweb-cssom
-License: MIT
-License File: node_modules/rrweb-cssom/LICENSE.txt
-Copyright: Copyright (c) Nikita Vasilyev
-Source: rrweb-io/CSSOM
-Link: rrweb-io/CSSOM
------------
 safe-array-concat
 License: MIT
 License File: node_modules/safe-array-concat/LICENSE
@@ -2296,9 +2408,16 @@ Link: https://github.com/ljharb/side-channel#readme
 signal-exit
 License: ISC
 License File: node_modules/signal-exit/LICENSE.txt
-Copyright: Copyright (c) 2015-2023 Benjamin Coe, Isaac Z. Schlueter, and Contributors
+Copyright: Copyright (c) 2015, Contributors
 Source: https://github.com/tapjs/signal-exit.git
-Link: https://github.com/tapjs/signal-exit.git
+Link: https://github.com/tapjs/signal-exit
+-----------
+sisteransi
+License: MIT
+License File: node_modules/sisteransi/license
+Copyright: Copyright (c) 2018 Terkel Gjervig Nielsen
+Source: https://github.com/terkelg/sisteransi
+Link: https://github.com/terkelg/sisteransi
 -----------
 slash
 License: MIT
@@ -2397,13 +2516,6 @@ Link: sindresorhus/string-length
 -----------
 string-width
 License: MIT
-License File: node_modules/string-width-cjs/license
-Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.com)
-Source: sindresorhus/string-width
-Link: sindresorhus/string-width
------------
-string-width
-License: MIT
 License File: node_modules/string-width/license
 Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.com)
 Source: sindresorhus/string-width
@@ -2439,15 +2551,8 @@ Link: git://github.com/es-shims/String.prototype.trimStart.git
 -----------
 strip-ansi
 License: MIT
-License File: node_modules/strip-ansi-cjs/license
-Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.com)
-Source: chalk/strip-ansi
-Link: chalk/strip-ansi
------------
-strip-ansi
-License: MIT
 License File: node_modules/strip-ansi/license
-Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (https://sindresorhus.com)
+Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (sindresorhus.com)
 Source: chalk/strip-ansi
 Link: chalk/strip-ansi
 -----------
@@ -2500,13 +2605,6 @@ Copyright: Copyright (c) 2015 Joris van der Wel
 Source: https://github.com/jsdom/js-symbol-tree.git
 Link: https://github.com/jsdom/js-symbol-tree#symbol-tree
 -----------
-synckit
-License: MIT
-License File: node_modules/synckit/LICENSE
-Copyright: Copyright (c) 2021 UnTS
-Source: https://github.com/un-ts/synckit.git
-Link: https://github.com/un-ts/synckit.git
------------
 test-exclude
 License: ISC
 License File: node_modules/test-exclude/LICENSE.txt
@@ -2514,20 +2612,6 @@ Copyright: Copyright (c) 2016, Contributors
 Source: git+https://github.com/istanbuljs/test-exclude.git
 Link: https://istanbul.js.org/
 -----------
-tldts-core
-License: MIT
-License File: node_modules/tldts-core/LICENSE
-Copyright: Copyright (c) 2017 Thomas Parisot, 2018 Rémi Berson
-Source: git+ssh://git@github.com/remusao/tldts.git
-Link: https://github.com/remusao/tldts#readme
------------
-tldts
-License: MIT
-License File: node_modules/tldts/LICENSE
-Copyright: Copyright (c) 2017 Thomas Parisot, 2018 Rémi Berson
-Source: git+ssh://git@github.com/remusao/tldts.git
-Link: https://github.com/remusao/tldts#readme
------------
 tmpl
 License: BSD-3-Clause
 License File: node_modules/tmpl/license
@@ -2638,13 +2722,6 @@ License File: node_modules/uc.micro/LICENSE.txt
 Source: markdown-it/uc.micro
 Link: markdown-it/uc.micro
 -----------
-uglify-js
-License: BSD-2-Clause
-License File: node_modules/uglify-js/LICENSE
-Copyright: Copyright 2012-2024 (c) Mihai Bazon <*****.*****@*****.***>
-Source: mishoo/UglifyJS
-Link: mishoo/UglifyJS
------------
 unbox-primitive
 License: MIT
 License File: node_modules/unbox-primitive/LICENSE
@@ -2659,10 +2736,12 @@ Copyright: Copyright (c) Matteo Collina and Undici contributors
 Source: git+https://github.com/nodejs/undici.git
 Link: https://undici.nodejs.org
 -----------
-unrs-resolver
+universalify
 License: MIT
-Source: git+https://github.com/unrs/unrs-resolver.git
-Link: https://github.com/unrs/unrs-resolver#readme
+License File: node_modules/universalify/LICENSE
+Copyright: Copyright (c) 2017, Ryan Zimmerman <*******@*******.***>
+Source: git+https://github.com/RyanZim/universalify.git
+Link: https://github.com/RyanZim/universalify#readme
 -----------
 update-browserslist-db
 License: MIT
@@ -2678,6 +2757,13 @@ Copyright: Copyright 2011 Gary Court. All rights reserved.
 Source: http://github.com/garycourt/uri-js
 Link: https://github.com/garycourt/uri-js
 -----------
+url-parse
+License: MIT
+License File: node_modules/url-parse/LICENSE
+Copyright: Copyright (c) 2015 Unshift.io, Arnout Kazemier,  the Contributors.
+Source: https://github.com/unshiftio/url-parse.git
+Link: https://github.com/unshiftio/url-parse.git
+-----------
 v8-compile-cache-lib
 License: MIT
 License File: node_modules/v8-compile-cache-lib/LICENSE
@@ -2794,19 +2880,6 @@ Copyright: Copyright (c) 2014-2016, Jon Schlinkert
 Source: jonschlinkert/word-wrap
 Link: https://github.com/jonschlinkert/word-wrap
 -----------
-wordwrap
-License: MIT
-License File: node_modules/wordwrap/LICENSE
-Source: git://github.com/substack/node-wordwrap.git
-Link: git://github.com/substack/node-wordwrap.git
------------
-wrap-ansi
-License: MIT
-License File: node_modules/wrap-ansi-cjs/license
-Copyright: Copyright (c) Sindre Sorhus <************@*****.***> (https://sindresorhus.com)
-Source: chalk/wrap-ansi
-Link: chalk/wrap-ansi
------------
 wrap-ansi
 License: MIT
 License File: node_modules/wrap-ansi/license
@@ -2898,31 +2971,6 @@ License File: node_modules/@ampproject/remapping/LICENSE
 Source: git+https://github.com/ampproject/remapping.git
 Link: git+https://github.com/ampproject/remapping.git
 -----------
-@asamuzakjp/css-color
-License: MIT
-License File: node_modules/@asamuzakjp/css-color/LICENSE
-Copyright: Copyright (c) 2024 asamuzaK (Kazz)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-Source: git+https://github.com/asamuzaK/cssColor.git
-Link: https://github.com/asamuzaK/cssColor#readme
------------
 @babel/code-frame
 License: MIT
 License File: node_modules/@babel/code-frame/LICENSE
@@ -3287,54 +3335,6 @@ Copyright: Copyright (c) 2014 Evan Wallace
 Source: https://github.com/cspotcode/node-source-map-support
 Link: https://github.com/cspotcode/node-source-map-support
 -----------
-@csstools/color-helpers
-License: MIT-0
-License File: node_modules/@csstools/color-helpers/LICENSE.md
-Source: git+https://github.com/csstools/postcss-plugins.git
-Link: https://github.com/csstools/postcss-plugins/tree/main/packages/color-helpers#readme
------------
-@csstools/css-calc
-License: MIT
-License File: node_modules/@csstools/css-calc/LICENSE.md
-Copyright: Copyright 2022 Romain Menke, Antonio Laguna <*******@******.**>
-Source: git+https://github.com/csstools/postcss-plugins.git
-Link: https://github.com/csstools/postcss-plugins/tree/main/packages/css-calc#readme
------------
-@csstools/css-color-parser
-License: MIT
-License File: node_modules/@csstools/css-color-parser/LICENSE.md
-Copyright: Copyright 2022 Romain Menke, Antonio Laguna <*******@******.**>
-Source: git+https://github.com/csstools/postcss-plugins.git
-Link: https://github.com/csstools/postcss-plugins/tree/main/packages/css-color-parser#readme
------------
-@csstools/css-parser-algorithms
-License: MIT
-License File: node_modules/@csstools/css-parser-algorithms/LICENSE.md
-Copyright: Copyright 2022 Romain Menke, Antonio Laguna <*******@******.**>
-Source: git+https://github.com/csstools/postcss-plugins.git
-Link: https://github.com/csstools/postcss-plugins/tree/main/packages/css-parser-algorithms#readme
------------
-@csstools/css-tokenizer
-License: MIT
-License File: node_modules/@csstools/css-tokenizer/LICENSE.md
-Copyright: Copyright 2022 Romain Menke, Antonio Laguna <*******@******.**>
-Source: git+https://github.com/csstools/postcss-plugins.git
-Link: https://github.com/csstools/postcss-plugins/tree/main/packages/css-tokenizer#readme
------------
-@emnapi/core
-License: MIT
-License File: node_modules/@emnapi/core/LICENSE
-Copyright: Copyright (c) 2021-present Toyobayashi
-Source: git+https://github.com/toyobayashi/emnapi.git
-Link: https://github.com/toyobayashi/emnapi#readme
------------
-@emnapi/runtime
-License: MIT
-License File: node_modules/@emnapi/runtime/LICENSE
-Copyright: Copyright (c) 2021-present Toyobayashi
-Source: git+https://github.com/toyobayashi/emnapi.git
-Link: https://github.com/toyobayashi/emnapi#readme
------------
 @esbuild/linux-x64
 License: MIT
 Source: git+https://github.com/evanw/esbuild.git
@@ -3388,7 +3388,7 @@ Link: https://eslint.org
 License: Apache-2.0
 License File: node_modules/@eslint/object-schema/LICENSE
 Source: git+https://github.com/eslint/rewrite.git
-Link: https://github.com/eslint/rewrite/tree/main/packages/object-schema#readme
+Link: https://github.com/eslint/rewrite#readme
 -----------
 @eslint/plugin-kit
 License: Apache-2.0
@@ -3420,13 +3420,6 @@ License File: node_modules/@humanwhocodes/retry/LICENSE
 Source: git+https://github.com/humanwhocodes/retry.git
 Link: git+https://github.com/humanwhocodes/retry.git
 -----------
-@isaacs/cliui
-License: ISC
-License File: node_modules/@isaacs/cliui/LICENSE.txt
-Copyright: Copyright (c) 2015, Contributors
-Source: yargs/cliui
-Link: yargs/cliui
------------
 @istanbuljs/load-nyc-config
 License: ISC
 License File: node_modules/@istanbuljs/load-nyc-config/LICENSE
@@ -3455,20 +3448,6 @@ Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
 Source: https://github.com/jestjs/jest.git
 Link: https://jestjs.io/
 -----------
-@jest/diff-sequences
-License: MIT
-License File: node_modules/@jest/diff-sequences/LICENSE
-Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
-Source: https://github.com/jestjs/jest.git
-Link: https://github.com/jestjs/jest.git
------------
-@jest/environment-jsdom-abstract
-License: MIT
-License File: node_modules/@jest/environment-jsdom-abstract/LICENSE
-Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
-Source: https://github.com/jestjs/jest.git
-Link: https://github.com/jestjs/jest.git
------------
 @jest/environment
 License: MIT
 License File: node_modules/@jest/environment/LICENSE
@@ -3497,13 +3476,6 @@ Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
 Source: https://github.com/jestjs/jest.git
 Link: https://github.com/jestjs/jest.git
 -----------
-@jest/get-type
-License: MIT
-License File: node_modules/@jest/get-type/LICENSE
-Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
-Source: https://github.com/jestjs/jest.git
-Link: https://github.com/jestjs/jest.git
------------
 @jest/globals
 License: MIT
 License File: node_modules/@jest/globals/LICENSE
@@ -3511,13 +3483,6 @@ Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
 Source: https://github.com/jestjs/jest.git
 Link: https://github.com/jestjs/jest.git
 -----------
-@jest/pattern
-License: MIT
-License File: node_modules/@jest/pattern/LICENSE
-Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
-Source: https://github.com/jestjs/jest.git
-Link: https://github.com/jestjs/jest.git
------------
 @jest/reporters
 License: MIT
 License File: node_modules/@jest/reporters/LICENSE
@@ -3532,13 +3497,6 @@ Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
 Source: https://github.com/jestjs/jest.git
 Link: https://github.com/jestjs/jest.git
 -----------
-@jest/snapshot-utils
-License: MIT
-License File: node_modules/@jest/snapshot-utils/LICENSE
-Copyright: Copyright (c) Meta Platforms, Inc. and affiliates.
-Source: https://github.com/jestjs/jest.git
-Link: https://github.com/jestjs/jest.git
------------
 @jest/source-map
 License: MIT
 License File: node_modules/@jest/source-map/LICENSE
@@ -3707,17 +3665,6 @@ Copyright: Copyright (c) 2017-present Devon Govett
 Source: https://github.com/parcel-bundler/watcher.git
 Link: https://github.com/parcel-bundler/watcher.git
 -----------
-@pkgjs/parseargs
-License: MIT
-License File: node_modules/@pkgjs/parseargs/LICENSE
-Source: git@github.com:pkgjs/parseargs.git
-Link: https://github.com/pkgjs/parseargs#readme
------------
-@pkgr/core
-License: MIT
-Source: git+https://github.com/un-ts/pkgr.git
-Link: https://github.com/un-ts/pkgr/blob/master/packages/core
------------
 @rtsao/scc
 License: MIT
 License File: node_modules/@rtsao/scc/LICENSE
@@ -3743,7 +3690,7 @@ Link: https://github.com/sinonjs/commons#readme
 License: BSD-3-Clause
 License File: node_modules/@sinonjs/fake-timers/LICENSE
 Copyright: Copyright (c) 2010-2014, Christian Johansen, *********@*********.**. All rights reserved.
-Source: git+https://github.com/sinonjs/fake-timers.git
+Source: https://github.com/sinonjs/fake-timers.git
 Link: https://github.com/sinonjs/fake-timers
 -----------
 @ssddanbrown/codemirror-lang-smarty
@@ -3756,6 +3703,13 @@ License: MIT
 License File: node_modules/@ssddanbrown/codemirror-lang-twig/LICENSE
 Copyright: Copyright (C) 2023 by Dan Brown, Marijn Haverbeke and others
 -----------
+@tootallnate/once
+License: MIT
+License File: node_modules/@tootallnate/once/LICENSE
+Copyright: Copyright (c) 2020 Nathan Rajlich
+Source: git://github.com/TooTallNate/once.git
+Link: git://github.com/TooTallNate/once.git
+-----------
 @tsconfig/node10
 License: MIT
 License File: node_modules/@tsconfig/node10/LICENSE
@@ -3784,11 +3738,6 @@ Copyright: Copyright (c) Microsoft Corporation.
 Source: https://github.com/tsconfig/bases.git
 Link: https://github.com/tsconfig/bases.git
 -----------
-@tybys/wasm-util
-License: MIT
-Source: https://github.com/toyobayashi/wasm-util.git
-Link: https://github.com/toyobayashi/wasm-util.git
------------
 @types/babel__core
 License: MIT
 License File: node_modules/@types/babel__core/LICENSE
@@ -3824,6 +3773,13 @@ Copyright: Copyright (c) Microsoft Corporation.
 Source: https://github.com/DefinitelyTyped/DefinitelyTyped.git
 Link: https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/estree
 -----------
+@types/graceful-fs
+License: MIT
+License File: node_modules/@types/graceful-fs/LICENSE
+Copyright: Copyright (c) Microsoft Corporation.
+Source: https://github.com/DefinitelyTyped/DefinitelyTyped.git
+Link: https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/graceful-fs
+-----------
 @types/istanbul-lib-coverage
 License: MIT
 License File: node_modules/@types/istanbul-lib-coverage/LICENSE
@@ -3933,20 +3889,3 @@ License File: node_modules/@types/yargs/LICENSE
 Copyright: Copyright (c) Microsoft Corporation.
 Source: https://github.com/DefinitelyTyped/DefinitelyTyped.git
 Link: https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/yargs
------------
-@ungap/structured-clone
-License: ISC
-License File: node_modules/@ungap/structured-clone/LICENSE
-Copyright: Copyright (c) 2021, Andrea Giammarchi, @WebReflection
-Source: git+https://github.com/ungap/structured-clone.git
-Link: https://github.com/ungap/structured-clone#readme
------------
-@unrs/resolver-binding-linux-x64-gnu
-License: MIT
-Source: git+https://github.com/unrs/unrs-resolver.git
-Link: https://github.com/unrs/unrs-resolver#readme
------------
-@unrs/resolver-binding-linux-x64-musl
-License: MIT
-Source: git+https://github.com/unrs/unrs-resolver.git
-Link: https://github.com/unrs/unrs-resolver#readme