feat(auth/oidc): wider key algorithm support

.env.example

@@ -26,13 +26,6 @@ DB_DATABASE=database_database
 DB_USERNAME=database_username
 DB_PASSWORD=database_user_password
 
-# Storage system to use
-# By default files are stored on the local filesystem, with images being placed in
-# public web space so they can be efficiently served directly by the web-server.
-# For other options with different security levels & considerations, refer to:
-# https://www.bookstackapp.com/docs/admin/upload-config/
-STORAGE_TYPE=local
-
 # Mail system to use
 # Can be 'smtp' or 'sendmail'
 MAIL_DRIVER=smtp

.env.example.complete

@@ -351,25 +351,10 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow JavaScript, and other potentiall dangerous content in page content.
-# This also removes CSP-level JavaScript control.
+# Allow <script> tags in page content
 # Note, if set to 'true' the page editor may still escape scripts.
-# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
-# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
-# Control the behaviour of content filtering, primarily used for page content.
-# This setting is a string of characters which represent different available filters:
-# - j - Filter out JavaScript and unknown binary data based content
-# - h - Filter out unexpected, and potentially dangerous, HTML elements
-# - f - Filter out unexpected form elements
-# - a - Run content through a more complex allowlist filter
-# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
-# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
-# to ensure you are always using the full range of filters.
-APP_CONTENT_FILTERING="jfha"
-
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.

.github/translators.txt

@@ -511,22 +511,3 @@ MrCharlesIII :: Arabic
 David Olsen (dawin) :: Danish
 ltnzr :: French
 Frank Holler (holler.frank) :: German; German Informal
-Korab Arifi (korabidev) :: Albanian
-Petr Husák (petrhusak) :: Czech
-Bernardo Maia (bernardo.bmaia2) :: Portuguese, Brazilian
-Amr (amr3k) :: Arabic
-Tahsin Ahmed (tahsinahmed2012) :: Bengali
-bojan_che :: Serbian (Cyrillic)
-setiawan setiawan (culture.setiawan) :: Indonesian
-Donald Mac Kenzie (kiuman) :: Norwegian Bokmal
-Gabriel Silver (GabrielBSilver) :: Hebrew
-Tomas Darius Davainis (Tomasdd) :: Lithuanian
-CriedHero :: Chinese Simplified
-Henrik (henrik2105) :: Norwegian Bokmal
-FoW (fofwisdom) :: Korean
-serinf-lauza :: French
-Diyan Nikolaev (nikolaev.diyan) :: Bulgarian
-Shadluk Avan (quldosh) :: Uzbek
-Marci (MartonPoto) :: Hungarian
-Michał Sadurski (wheeskeey) :: Polish
-JanDziaslo :: Polish

.github/workflows/test-migrations.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        php: ['8.2', '8.3', '8.4', '8.5']
+        php: ['8.2', '8.3', '8.4']
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/test-php.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        php: ['8.2', '8.3', '8.4', '8.5']
+        php: ['8.2', '8.3', '8.4']
     steps:
     - uses: actions/checkout@v4
 

.gitignore

@@ -8,10 +8,10 @@ Homestead.yaml
 .idea
 npm-debug.log
 yarn-error.log
-/public/dist/*.map
+/public/dist
 /public/plugins
-/public/css/*.map
-/public/js/*.map
+/public/css
+/public/js
 /public/bower
 /public/build/
 /public/favicon.ico

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2026, Dan Brown and the BookStack project contributors.
+Copyright (c) 2015-2025, Dan Brown and the BookStack project contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

app/Access/Controllers/OidcController.php

@@ -9,9 +9,11 @@ use Illuminate\Http\Request;
 
 class OidcController extends Controller
 {
-    public function __construct(
-        protected OidcService $oidcService
-    ) {
+    protected OidcService $oidcService;
+
+    public function __construct(OidcService $oidcService)
+    {
+        $this->oidcService = $oidcService;
         $this->middleware('guard:oidc');
     }
 
@@ -28,7 +30,7 @@ class OidcController extends Controller
             return redirect('/login');
         }
 
-        session()->put('oidc_state', time() . ':' . $loginDetails['state']);
+        session()->flash('oidc_state', $loginDetails['state']);
 
         return redirect($loginDetails['url']);
     }
@@ -39,16 +41,10 @@ class OidcController extends Controller
      */
     public function callback(Request $request)
     {
+        $storedState = session()->pull('oidc_state');
         $responseState = $request->query('state');
-        $splitState =  explode(':', session()->pull('oidc_state', ':'), 2);
-        if (count($splitState) !== 2) {
-            $splitState = [null, null];
-        }
 
-        [$storedStateTime, $storedState] = $splitState;
-        $threeMinutesAgo = time() - 3 * 60;
-
-        if (!$storedState || $storedState !== $responseState || intval($storedStateTime) < $threeMinutesAgo) {
+        if ($storedState !== $responseState) {
             $this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));
 
             return redirect('/login');
@@ -66,7 +62,7 @@ class OidcController extends Controller
     }
 
     /**
-     * Log the user out, then start the OIDC RP-initiated logout process.
+     * Log the user out then start the OIDC RP-initiated logout process.
      */
     public function logout()
     {

app/Access/Mfa/TotpService.php

@@ -14,9 +14,10 @@ use PragmaRX\Google2FA\Support\Constants;
 
 class TotpService
 {
-    public function __construct(
-        protected Google2FA $google2fa
-    ) {
+    protected $google2fa;
+
+    public function __construct(Google2FA $google2fa)
+    {
         $this->google2fa = $google2fa;
         // Use SHA1 as a default, Personal testing of other options in 2021 found
         // many apps lack support for other algorithms yet still will scan
@@ -34,7 +35,7 @@ class TotpService
     }
 
     /**
-     * Generate a TOTP URL from a secret key.
+     * Generate a TOTP URL from secret key.
      */
     public function generateUrl(string $secret, User $user): string
     {

app/Access/Oidc/OidcJwtSigningKey.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Access\Oidc;
 
+use Illuminate\Support\Facades\Log;
 use phpseclib3\Crypt\Common\PublicKey;
 use phpseclib3\Crypt\PublicKeyLoader;
 use phpseclib3\Crypt\RSA;
@@ -63,8 +64,9 @@ class OidcJwtSigningKey
         // 'alg' is optional for a JWK, but we will still attempt to validate if
         // it exists otherwise presume it will be compatible.
         $alg = $jwk['alg'] ?? null;
-        if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
-            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
+        $algorithm = OidcJwtSigningKeyAlgorithm::tryFrom($alg ?? OidcJwtSigningKeyAlgorithm::RS256->value);
+        if ($jwk['kty'] !== 'RSA' || $algorithm === null) {
+            throw new OidcInvalidKeyException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " keys are currently supported. Found key using {$alg}");
         }
 
         // 'use' is optional for a JWK but we assume 'sig' where no value exists since that's what
@@ -97,7 +99,16 @@ class OidcJwtSigningKey
             throw new OidcInvalidKeyException('Key loaded from file path is not an RSA key as expected');
         }
 
-        $this->key = $key->withPadding(RSA::SIGNATURE_PKCS1);
+        // apply key-algorithm depending hash
+        $key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256 => $key->withHash('sha256'),
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withHash('sha512'),
+        };
+        // apply key-algorithm depending padding
+        $this->key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256,
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withPadding(RSA::SIGNATURE_PKCS1),
+        };
     }
 
     /**

app/Access/Oidc/OidcJwtSigningKeyAlgorithm.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace BookStack\Access\Oidc;
+
+use UnitEnum;
+
+enum OidcJwtSigningKeyAlgorithm: string
+{
+    case RS256 = 'RS256';
+    case RS512 = 'RS512';
+
+    public static function getSupportedAlgorithms(): string
+    {
+        return join(',', array_map(static fn (UnitEnum $enum) => $enum->value, self::cases()));
+    }
+}

app/Access/Oidc/OidcJwtWithClaims.php

@@ -119,8 +119,8 @@ class OidcJwtWithClaims implements ProvidesClaims
      */
     protected function validateTokenSignature(): void
     {
-        if ($this->header['alg'] !== 'RS256') {
-            throw new OidcInvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
+        if (OidcJwtSigningKeyAlgorithm::tryFrom($this->header['alg']) === null) {
+            throw new OidcInvalidTokenException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " signature validation is supported. Token reports using {$this->header['alg']}");
         }
 
         $parsedKeys = array_map(function ($key) {

app/Access/Oidc/OidcProviderSettings.php

@@ -158,10 +158,10 @@ class OidcProviderSettings
     protected function filterKeys(array $keys): array
     {
         return array_filter($keys, function (array $key) {
-            $alg = $key['alg'] ?? 'RS256';
+            $alg = $key['alg'] ?? OidcJwtSigningKeyAlgorithm::RS256->value;
             $use = $key['use'] ?? 'sig';
 
-            return $key['kty'] === 'RSA' && $use === 'sig' && $alg === 'RS256';
+            return $key['kty'] === 'RSA' && $use === 'sig' && OidcJwtSigningKeyAlgorithm::tryFrom($alg) !== null;
         });
     }
 

app/Activity/Models/Comment.php

@@ -8,7 +8,6 @@ use BookStack\Permissions\PermissionApplicator;
 use BookStack\Users\Models\HasCreatorAndUpdater;
 use BookStack\Users\Models\OwnableInterface;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
@@ -42,19 +41,7 @@ class Comment extends Model implements Loggable, OwnableInterface
      */
     public function entity(): MorphTo
     {
-        // We specifically define null here to avoid the different name (commentable)
-        // being used by Laravel eager loading instead of the method name, which it was doing
-        // in some scenarios like when deserialized when going through the queue system.
-        // So we instead specify the type and id column names to use.
-        // Related to:
-        // https://github.com/laravel/framework/pull/24815
-        // https://github.com/laravel/framework/issues/27342
-        // https://github.com/laravel/framework/issues/47953
-        // (and probably more)
-
-        // Ultimately, we could just align the method name to 'commentable' but that would be a potential
-        // breaking change and not really worthwhile in a patch due to the risk of creating extra problems.
-        return $this->morphTo(null, 'commentable_type', 'commentable_id');
+        return $this->morphTo('commentable');
     }
 
     /**
@@ -83,8 +70,7 @@ class Comment extends Model implements Loggable, OwnableInterface
 
     public function safeHtml(): string
     {
-        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
-        return $filter->filterString($this->html ?? '');
+        return HtmlContentFilter::removeScriptsFromHtmlString($this->html ?? '');
     }
 
     public function jointPermissions(): HasMany

app/Activity/Models/MentionHistory.php

@@ -1,20 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Models;
-
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Support\Carbon;
-
-/**
- * @property int $id
- * @property string $mentionable_type
- * @property int $mentionable_id
- * @property int $from_user_id
- * @property int $to_user_id
- * @property Carbon $created_at
- * @property Carbon $updated_at
- */
-class MentionHistory extends Model
-{
-    protected $table = 'mention_history';
-}

app/Activity/Notifications/Handlers/BaseNotificationHandler.php

@@ -20,7 +20,6 @@ abstract class BaseNotificationHandler implements NotificationHandler
     {
         $users = User::query()->whereIn('id', array_unique($userIds))->get();
 
-        /** @var User $user */
         foreach ($users as $user) {
             // Prevent sending to the user that initiated the activity
             if ($user->id === $initiator->id) {

app/Activity/Notifications/Handlers/CommentMentionNotificationHandler.php

@@ -1,85 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Notifications\Handlers;
-
-use BookStack\Activity\ActivityType;
-use BookStack\Activity\Models\Activity;
-use BookStack\Activity\Models\Comment;
-use BookStack\Activity\Models\Loggable;
-use BookStack\Activity\Models\MentionHistory;
-use BookStack\Activity\Notifications\Messages\CommentMentionNotification;
-use BookStack\Activity\Tools\MentionParser;
-use BookStack\Entities\Models\Page;
-use BookStack\Settings\UserNotificationPreferences;
-use BookStack\Users\Models\User;
-use Illuminate\Database\Eloquent\Collection;
-use Illuminate\Support\Carbon;
-
-class CommentMentionNotificationHandler extends BaseNotificationHandler
-{
-    public function handle(Activity $activity, Loggable|string $detail, User $user): void
-    {
-        if (!($detail instanceof Comment) || !($detail->entity instanceof Page)) {
-            throw new \InvalidArgumentException("Detail for comment mention notifications must be a comment on a page");
-        }
-
-        /** @var Page $page */
-        $page = $detail->entity;
-
-        $parser = new MentionParser();
-        $mentionedUserIds = $parser->parseUserIdsFromHtml($detail->html);
-        $realMentionedUsers = User::whereIn('id', $mentionedUserIds)->get();
-
-        $receivingNotifications = $realMentionedUsers->filter(function (User $user) {
-            $prefs = new UserNotificationPreferences($user);
-            return $prefs->notifyOnCommentMentions();
-        });
-        $receivingNotificationsUserIds = $receivingNotifications->pluck('id')->toArray();
-
-        $userMentionsToLog = $realMentionedUsers;
-
-        // When an edit, we check our history to see if we've already notified the user about this comment before
-        // so that we can filter them out to avoid double notifications.
-        if ($activity->type === ActivityType::COMMENT_UPDATE) {
-            $previouslyNotifiedUserIds = $this->getPreviouslyNotifiedUserIds($detail);
-            $receivingNotificationsUserIds = array_values(array_diff($receivingNotificationsUserIds, $previouslyNotifiedUserIds));
-            $userMentionsToLog = $userMentionsToLog->filter(function (User $user) use ($previouslyNotifiedUserIds) {
-                return !in_array($user->id, $previouslyNotifiedUserIds);
-            });
-        }
-
-        $this->logMentions($userMentionsToLog, $detail, $user);
-        $this->sendNotificationToUserIds(CommentMentionNotification::class, $receivingNotificationsUserIds, $user, $detail, $page);
-    }
-
-    /**
-     * @param Collection<User> $mentionedUsers
-     */
-    protected function logMentions(Collection $mentionedUsers, Comment $comment, User $fromUser): void
-    {
-        $mentions = [];
-        $now = Carbon::now();
-
-        foreach ($mentionedUsers as $mentionedUser) {
-            $mentions[] = [
-                'mentionable_type' => $comment->getMorphClass(),
-                'mentionable_id' => $comment->id,
-                'from_user_id' => $fromUser->id,
-                'to_user_id' => $mentionedUser->id,
-                'created_at' => $now,
-                'updated_at' => $now,
-            ];
-        }
-
-        MentionHistory::query()->insert($mentions);
-    }
-
-    protected function getPreviouslyNotifiedUserIds(Comment $comment): array
-    {
-        return MentionHistory::query()
-            ->where('mentionable_id', $comment->id)
-            ->where('mentionable_type', $comment->getMorphClass())
-            ->pluck('to_user_id')
-            ->toArray();
-    }
-}

app/Activity/Notifications/Messages/CommentMentionNotification.php

@@ -1,37 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Notifications\Messages;
-
-use BookStack\Activity\Models\Comment;
-use BookStack\Activity\Notifications\MessageParts\EntityLinkMessageLine;
-use BookStack\Activity\Notifications\MessageParts\ListMessageLine;
-use BookStack\Entities\Models\Page;
-use BookStack\Users\Models\User;
-use Illuminate\Notifications\Messages\MailMessage;
-
-class CommentMentionNotification extends BaseActivityNotification
-{
-    public function toMail(User $notifiable): MailMessage
-    {
-        /** @var Comment $comment */
-        $comment = $this->detail;
-        /** @var Page $page */
-        $page = $comment->entity;
-
-        $locale = $notifiable->getLocale();
-
-        $listLines = array_filter([
-            $locale->trans('notifications.detail_page_name') => new EntityLinkMessageLine($page),
-            $locale->trans('notifications.detail_page_path') => $this->buildPagePathLine($page, $notifiable),
-            $locale->trans('notifications.detail_commenter') => $this->user->name,
-            $locale->trans('notifications.detail_comment') => strip_tags($comment->html),
-        ]);
-
-        return $this->newMailMessage($locale)
-            ->subject($locale->trans('notifications.comment_mention_subject', ['pageName' => $page->getShortName()]))
-            ->line($locale->trans('notifications.comment_mention_intro', ['appName' => setting('app-name')]))
-            ->line(new ListMessageLine($listLines))
-            ->action($locale->trans('notifications.action_view_comment'), $page->getUrl('#comment' . $comment->local_id))
-            ->line($this->buildReasonFooterLine($locale));
-    }
-}

app/Activity/Notifications/NotificationManager.php

@@ -6,7 +6,6 @@ use BookStack\Activity\ActivityType;
 use BookStack\Activity\Models\Activity;
 use BookStack\Activity\Models\Loggable;
 use BookStack\Activity\Notifications\Handlers\CommentCreationNotificationHandler;
-use BookStack\Activity\Notifications\Handlers\CommentMentionNotificationHandler;
 use BookStack\Activity\Notifications\Handlers\NotificationHandler;
 use BookStack\Activity\Notifications\Handlers\PageCreationNotificationHandler;
 use BookStack\Activity\Notifications\Handlers\PageUpdateNotificationHandler;
@@ -49,7 +48,5 @@ class NotificationManager
         $this->registerHandler(ActivityType::PAGE_CREATE, PageCreationNotificationHandler::class);
         $this->registerHandler(ActivityType::PAGE_UPDATE, PageUpdateNotificationHandler::class);
         $this->registerHandler(ActivityType::COMMENT_CREATE, CommentCreationNotificationHandler::class);
-        $this->registerHandler(ActivityType::COMMENT_CREATE, CommentMentionNotificationHandler::class);
-        $this->registerHandler(ActivityType::COMMENT_UPDATE, CommentMentionNotificationHandler::class);
     }
 }

app/Activity/Tools/MentionParser.php

@@ -1,28 +0,0 @@
-<?php
-
-namespace BookStack\Activity\Tools;
-
-use BookStack\Util\HtmlDocument;
-use DOMElement;
-
-class MentionParser
-{
-    public function parseUserIdsFromHtml(string $html): array
-    {
-        $doc = new HtmlDocument($html);
-
-        $ids = [];
-        $mentionLinks = $doc->queryXPath('//a[@data-mention-user-id]');
-
-        foreach ($mentionLinks as $link) {
-            if ($link instanceof DOMElement) {
-                $id = intval($link->getAttribute('data-mention-user-id'));
-                if ($id > 0) {
-                    $ids[] = $id;
-                }
-            }
-        }
-
-        return array_values(array_unique($ids));
-    }
-}

app/App/HomeController.php

@@ -83,7 +83,7 @@ class HomeController extends Controller
         if ($homepageOption === 'bookshelves') {
             $shelves = $this->queries->shelves->visibleForListWithCover()
                 ->orderBy($commonData['listOptions']->getSort(), $commonData['listOptions']->getOrder())
-                ->paginate(setting()->getInteger('lists-page-count-shelves', 18, 1, 1000));
+                ->paginate(18);
             $data = array_merge($commonData, ['shelves' => $shelves]);
 
             return view('home.shelves', $data);
@@ -92,7 +92,7 @@ class HomeController extends Controller
         if ($homepageOption === 'books') {
             $books = $this->queries->books->visibleForListWithCover()
                 ->orderBy($commonData['listOptions']->getSort(), $commonData['listOptions']->getOrder())
-                ->paginate(setting()->getInteger('lists-page-count-books', 18, 1, 1000));
+                ->paginate(18);
             $data = array_merge($commonData, ['books' => $books]);
 
             return view('home.books', $data);

app/App/Providers/AppServiceProvider.php

@@ -3,7 +3,6 @@
 namespace BookStack\App\Providers;
 
 use BookStack\Access\SocialDriverManager;
-use BookStack\Activity\Models\Comment;
 use BookStack\Activity\Tools\ActivityLogger;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
@@ -74,7 +73,6 @@ class AppServiceProvider extends ServiceProvider
             'book'      => Book::class,
             'chapter'   => Chapter::class,
             'page'      => Page::class,
-            'comment'   => Comment::class,
         ]);
     }
 }

app/App/SluggableInterface.php

@@ -5,9 +5,11 @@ namespace BookStack\App;
 /**
  * Assigned to models that can have slugs.
  * Must have the below properties.
- *
- * @property string $slug
  */
 interface SluggableInterface
 {
+    /**
+     * Regenerate the slug for this model.
+     */
+    public function refreshSlug(): string;
 }

app/Config/app.php

@@ -37,15 +37,10 @@ return [
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Control the behaviour of content filtering, primarily used for page content.
-    // This setting is a string of characters which represent different available filters:
-    // - j - Filter out JavaScript and unknown binary data based content
-    // - h - Filter out unexpected, and potentially dangerous, HTML elements
-    // - f - Filter out unexpected form elements
-    // - a - Run content through a more complex allowlist filter
-    // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
-    'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
+    // Allow <script> tags to entered within page content.
+    // <script> tags are escaped by default.
+    // Even when overridden the WYSIWYG editor may still escape script content.
+    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
 
     // Allow server-side fetches to be performed to potentially unknown
     // and user-provided locations. Primarily used in exports when loading
@@ -53,8 +48,8 @@ return [
     'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
 
     // Override the default behaviour for allowing crawlers to crawl the instance.
-    // May be ignored if the underlying view has been overridden or modified.
-    // Defaults to null in which case the 'app-public' status is used instead.
+    // May be ignored if view has be overridden or modified.
+    // Defaults to null since, if not set, 'app-public' status used instead.
     'allow_robots' => env('ALLOW_ROBOTS', null),
 
     // Application Base URL, Used by laravel in development commands

app/Config/database.php

@@ -81,8 +81,7 @@ return [
             'strict'         => false,
             'engine'         => null,
             'options'        => extension_loaded('pdo_mysql') ? array_filter([
-                // @phpstan-ignore class.notFound
-                (PHP_VERSION_ID >= 80500 ? \Pdo\Mysql::ATTR_SSL_CA : \PDO::MYSQL_ATTR_SSL_CA) => env('MYSQL_ATTR_SSL_CA'),
+                PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'),
             ]) : [],
         ],
 

app/Config/setting-defaults.php

@@ -41,7 +41,6 @@ return [
         'bookshelves_view_type' => env('APP_VIEWS_BOOKSHELVES', 'grid'),
         'bookshelf_view_type'   => env('APP_VIEWS_BOOKSHELF', 'grid'),
         'books_view_type'       => env('APP_VIEWS_BOOKS', 'grid'),
-        'notifications#comment-mentions' => true,
     ],
 
 ];

app/Entities/Controllers/BookController.php

@@ -8,7 +8,6 @@ use BookStack\Activity\Models\View;
 use BookStack\Activity\Tools\UserEntityWatchOptions;
 use BookStack\Entities\Queries\BookQueries;
 use BookStack\Entities\Queries\BookshelfQueries;
-use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Entities\Tools\Cloner;
@@ -32,7 +31,6 @@ class BookController extends Controller
         protected ShelfContext $shelfContext,
         protected BookRepo $bookRepo,
         protected BookQueries $queries,
-        protected EntityQueries $entityQueries,
         protected BookshelfQueries $shelfQueries,
         protected ReferenceFetcher $referenceFetcher,
     ) {
@@ -52,7 +50,7 @@ class BookController extends Controller
 
         $books = $this->queries->visibleForListWithCover()
             ->orderBy($listOptions->getSort(), $listOptions->getOrder())
-            ->paginate(setting()->getInteger('lists-page-count-books', 18, 1, 1000));
+            ->paginate(18);
         $recents = $this->isSignedIn() ? $this->queries->recentlyViewedForCurrentUser()->take(4)->get() : false;
         $popular = $this->queries->popularForList()->take(4)->get();
         $new = $this->queries->visibleForList()->orderBy('created_at', 'desc')->take(4)->get();
@@ -129,16 +127,7 @@ class BookController extends Controller
      */
     public function show(Request $request, ActivityQueries $activities, string $slug)
     {
-        try {
-            $book = $this->queries->findVisibleBySlugOrFail($slug);
-        } catch (NotFoundException $exception) {
-            $book = $this->entityQueries->findVisibleByOldSlugs('book', $slug);
-            if (is_null($book)) {
-                throw $exception;
-            }
-            return redirect($book->getUrl());
-        }
-
+        $book = $this->queries->findVisibleBySlugOrFail($slug);
         $bookChildren = (new BookContents($book))->getTree(true);
         $bookParentShelves = $book->shelves()->scopes('visible')->get();
 

app/Entities/Controllers/BookshelfController.php

@@ -6,7 +6,6 @@ use BookStack\Activity\ActivityQueries;
 use BookStack\Activity\Models\View;
 use BookStack\Entities\Queries\BookQueries;
 use BookStack\Entities\Queries\BookshelfQueries;
-use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Repos\BookshelfRepo;
 use BookStack\Entities\Tools\ShelfContext;
 use BookStack\Exceptions\ImageUploadException;
@@ -24,7 +23,6 @@ class BookshelfController extends Controller
     public function __construct(
         protected BookshelfRepo $shelfRepo,
         protected BookshelfQueries $queries,
-        protected EntityQueries $entityQueries,
         protected BookQueries $bookQueries,
         protected ShelfContext $shelfContext,
         protected ReferenceFetcher $referenceFetcher,
@@ -45,7 +43,7 @@ class BookshelfController extends Controller
 
         $shelves = $this->queries->visibleForListWithCover()
             ->orderBy($listOptions->getSort(), $listOptions->getOrder())
-            ->paginate(setting()->getInteger('lists-page-count-shelves', 18, 1, 1000));
+            ->paginate(18);
         $recents = $this->isSignedIn() ? $this->queries->recentlyViewedForCurrentUser()->get() : false;
         $popular = $this->queries->popularForList()->get();
         $new = $this->queries->visibleForList()
@@ -107,16 +105,7 @@ class BookshelfController extends Controller
      */
     public function show(Request $request, ActivityQueries $activities, string $slug)
     {
-        try {
-            $shelf = $this->queries->findVisibleBySlugOrFail($slug);
-        } catch (NotFoundException $exception) {
-            $shelf = $this->entityQueries->findVisibleByOldSlugs('bookshelf', $slug);
-            if (is_null($shelf)) {
-                throw $exception;
-            }
-            return redirect($shelf->getUrl());
-        }
-
+        $shelf = $this->queries->findVisibleBySlugOrFail($slug);
         $this->checkOwnablePermission(Permission::BookshelfView, $shelf);
 
         $listOptions = SimpleListOptions::fromRequest($request, 'shelf_books')->withSortOptions([

app/Entities/Controllers/ChapterController.php

@@ -77,15 +77,7 @@ class ChapterController extends Controller
      */
     public function show(string $bookSlug, string $chapterSlug)
     {
-        try {
-            $chapter = $this->queries->findVisibleBySlugsOrFail($bookSlug, $chapterSlug);
-        } catch (NotFoundException $exception) {
-            $chapter = $this->entityQueries->findVisibleByOldSlugs('chapter', $chapterSlug, $bookSlug);
-            if (is_null($chapter)) {
-                throw $exception;
-            }
-            return redirect($chapter->getUrl());
-        }
+        $chapter = $this->queries->findVisibleBySlugsOrFail($bookSlug, $chapterSlug);
 
         $sidebarTree = (new BookContents($chapter->book))->getTree();
         $pages = $this->entityQueries->pages->visibleForChapterList($chapter->id)->get();

app/Entities/Controllers/PageController.php

@@ -17,12 +17,11 @@ use BookStack\Entities\Tools\PageContent;
 use BookStack\Entities\Tools\PageEditActivity;
 use BookStack\Entities\Tools\PageEditorData;
 use BookStack\Exceptions\NotFoundException;
+use BookStack\Exceptions\NotifyException;
 use BookStack\Exceptions\PermissionsException;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\References\ReferenceFetcher;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use Exception;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Http\Request;
@@ -141,7 +140,9 @@ class PageController extends Controller
         try {
             $page = $this->queries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
         } catch (NotFoundException $e) {
-            $page = $this->entityQueries->findVisibleByOldSlugs('page', $pageSlug, $bookSlug);
+            $revision = $this->entityQueries->revisions->findLatestVersionBySlugs($bookSlug, $pageSlug);
+            $page = $revision->page ?? null;
+
             if (is_null($page)) {
                 throw $e;
             }
@@ -175,7 +176,7 @@ class PageController extends Controller
     }
 
     /**
-     * Get a page from an ajax request.
+     * Get page from an ajax request.
      *
      * @throws NotFoundException
      */
@@ -185,10 +186,6 @@ class PageController extends Controller
         $page->setHidden(array_diff($page->getHidden(), ['html', 'markdown']));
         $page->makeHidden(['book']);
 
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $page->html = $filter->filterString($page->html);
-
         return response()->json($page);
     }
 

app/Entities/Controllers/PageRevisionController.php

@@ -12,8 +12,6 @@ use BookStack\Exceptions\NotFoundException;
 use BookStack\Facades\Activity;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\SimpleListOptions;
 use Illuminate\Http\Request;
 use Ssddanbrown\HtmlDiff\Diff;
@@ -103,15 +101,12 @@ class PageRevisionController extends Controller
 
         $prev = $revision->getPreviousRevision();
         $prevContent = $prev->html ?? '';
-
-        // TODO - Refactor PageContent so we can de-dupe these steps
-        $rawDiff = Diff::excecute($prevContent, $revision->html);
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $diff = $filter->filterString($rawDiff);
+        $diff = Diff::excecute($prevContent, $revision->html);
 
         $page->fill($revision->toArray());
-        $page->html = '';
+        // TODO - Refactor PageContent so we don't need to juggle this
+        $page->html = $revision->html;
+        $page->html = (new PageContent($page))->render();
         $this->setPageTitle(trans('entities.pages_revision_named', ['pageName' => $page->getShortName()]));
 
         return view('pages.revision', [

app/Entities/Models/Book.php

@@ -67,7 +67,8 @@ class Book extends Entity implements HasDescriptionInterface, HasCoverInterface,
      */
     public function chapters(): HasMany
     {
-        return $this->hasMany(Chapter::class);
+        return $this->hasMany(Chapter::class)
+            ->where('type', '=', 'chapter');
     }
 
     /**

app/Entities/Models/BookChild.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Entities\Models;
 
+use BookStack\References\ReferenceUpdater;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
 /**
@@ -16,10 +17,34 @@ abstract class BookChild extends Entity
 {
     /**
      * Get the book this page sits in.
-     * @return BelongsTo<Book, $this>
      */
     public function book(): BelongsTo
     {
         return $this->belongsTo(Book::class)->withTrashed();
     }
+
+    /**
+     * Change the book that this entity belongs to.
+     */
+    public function changeBook(int $newBookId): self
+    {
+        $oldUrl = $this->getUrl();
+        $this->book_id = $newBookId;
+        $this->unsetRelation('book');
+        $this->refreshSlug();
+        $this->save();
+
+        if ($oldUrl !== $this->getUrl()) {
+            app()->make(ReferenceUpdater::class)->updateEntityReferences($this, $oldUrl);
+        }
+
+        // Update all child pages if a chapter
+        if ($this instanceof Chapter) {
+            foreach ($this->pages()->withTrashed()->get() as $page) {
+                $page->changeBook($newBookId);
+            }
+        }
+
+        return $this;
+    }
 }

app/Entities/Models/Entity.php

@@ -13,6 +13,7 @@ use BookStack\Activity\Models\Viewable;
 use BookStack\Activity\Models\Watch;
 use BookStack\App\Model;
 use BookStack\App\SluggableInterface;
+use BookStack\Entities\Tools\SlugGenerator;
 use BookStack\Permissions\JointPermissionBuilder;
 use BookStack\Permissions\Models\EntityPermission;
 use BookStack\Permissions\Models\JointPermission;
@@ -404,6 +405,16 @@ abstract class Entity extends Model implements
         app()->make(SearchIndex::class)->indexEntity(clone $this);
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function refreshSlug(): string
+    {
+        $this->slug = app()->make(SlugGenerator::class)->generate($this, $this->name);
+
+        return $this->slug;
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -430,14 +441,6 @@ abstract class Entity extends Model implements
         return $this->morphMany(Watch::class, 'watchable');
     }
 
-    /**
-     * Get the related slug history for this entity.
-     */
-    public function slugHistory(): MorphMany
-    {
-        return $this->morphMany(SlugHistory::class, 'sluggable');
-    }
-
     /**
      * {@inheritdoc}
      */

app/Entities/Models/EntityScope.php

@@ -15,12 +15,11 @@ class EntityScope implements Scope
     public function apply(Builder $builder, Model $model): void
     {
         $builder = $builder->where('type', '=', $model->getMorphClass());
-        $table = $model->getTable();
         if ($model instanceof Page) {
-            $builder->leftJoin('entity_page_data', 'entity_page_data.page_id', '=', "{$table}.id");
+            $builder->leftJoin('entity_page_data', 'entity_page_data.page_id', '=', 'entities.id');
         } else {
-            $builder->leftJoin('entity_container_data', function (JoinClause $join) use ($model, $table) {
-                $join->on('entity_container_data.entity_id', '=', "{$table}.id")
+            $builder->leftJoin('entity_container_data', function (JoinClause $join) use ($model) {
+                $join->on('entity_container_data.entity_id', '=', 'entities.id')
                     ->where('entity_container_data.entity_type', '=', $model->getMorphClass());
             });
         }

app/Entities/Models/Page.php

@@ -124,14 +124,6 @@ class Page extends BookChild
         return url('/' . implode('/', $parts));
     }
 
-    /**
-     * Get the ID-based permalink for this page.
-     */
-    public function getPermalink(): string
-    {
-        return url("/link/{$this->id}");
-    }
-
     /**
      * Get this page for JSON display.
      */

app/Entities/Models/SlugHistory.php

@@ -1,28 +0,0 @@
-<?php
-
-namespace BookStack\Entities\Models;
-
-use BookStack\App\Model;
-use BookStack\Permissions\Models\JointPermission;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Relations\HasMany;
-
-/**
- * @property int $id
- * @property int $sluggable_id
- * @property string $sluggable_type
- * @property string $slug
- * @property ?string $parent_slug
- */
-class SlugHistory extends Model
-{
-    use HasFactory;
-
-    protected $table = 'slug_history';
-
-    public function jointPermissions(): HasMany
-    {
-        return $this->hasMany(JointPermission::class, 'entity_id', 'sluggable_id')
-            ->whereColumn('joint_permissions.entity_type', '=', 'slug_history.sluggable_type');
-    }
-}

app/Entities/Queries/EntityQueries.php

@@ -4,7 +4,6 @@ namespace BookStack\Entities\Queries;
 
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\EntityTable;
-use BookStack\Entities\Tools\SlugHistory;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Query\Builder as QueryBuilder;
 use Illuminate\Database\Query\JoinClause;
@@ -19,7 +18,6 @@ class EntityQueries
         public ChapterQueries $chapters,
         public PageQueries $pages,
         public PageRevisionQueries $revisions,
-        protected SlugHistory $slugHistory,
     ) {
     }
 
@@ -33,30 +31,9 @@ class EntityQueries
         $explodedId = explode(':', $identifier);
         $entityType = $explodedId[0];
         $entityId = intval($explodedId[1]);
+        $queries = $this->getQueriesForType($entityType);
 
-        return $this->findVisibleById($entityType, $entityId);
-    }
-
-    /**
-     * Find an entity by its ID.
-     */
-    public function findVisibleById(string $type, int $id): ?Entity
-    {
-        $queries = $this->getQueriesForType($type);
-        return $queries->findVisibleById($id);
-    }
-
-    /**
-     * Find an entity by looking up old slugs in the slug history.
-     */
-    public function findVisibleByOldSlugs(string $type, string $slug, string $parentSlug = ''): ?Entity
-    {
-        $id = $this->slugHistory->lookupEntityIdUsingSlugs($type, $slug, $parentSlug);
-        if ($id === null) {
-            return null;
-        }
-
-        return $this->findVisibleById($type, $id);
+        return $queries->findVisibleById($entityId);
     }
 
     /**

app/Entities/Repos/BaseRepo.php

@@ -8,8 +8,6 @@ use BookStack\Entities\Models\HasCoverInterface;
 use BookStack\Entities\Models\HasDescriptionInterface;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\PageQueries;
-use BookStack\Entities\Tools\SlugGenerator;
-use BookStack\Entities\Tools\SlugHistory;
 use BookStack\Exceptions\ImageUploadException;
 use BookStack\References\ReferenceStore;
 use BookStack\References\ReferenceUpdater;
@@ -27,8 +25,6 @@ class BaseRepo
         protected ReferenceStore $referenceStore,
         protected PageQueries $pageQueries,
         protected BookSorter $bookSorter,
-        protected SlugGenerator $slugGenerator,
-        protected SlugHistory $slugHistory,
     ) {
     }
 
@@ -47,7 +43,7 @@ class BaseRepo
             'updated_by' => user()->id,
             'owned_by'   => user()->id,
         ]);
-        $this->refreshSlug($entity);
+        $entity->refreshSlug();
 
         if ($entity instanceof HasDescriptionInterface) {
             $this->updateDescription($entity, $input);
@@ -82,7 +78,7 @@ class BaseRepo
         $entity->updated_by = user()->id;
 
         if ($entity->isDirty('name') || empty($entity->slug)) {
-            $this->refreshSlug($entity);
+            $entity->refreshSlug();
         }
 
         if ($entity instanceof HasDescriptionInterface) {
@@ -159,13 +155,4 @@ class BaseRepo
             $entity->descriptionInfo()->set('', $input['description']);
         }
     }
-
-    /**
-     * Refresh the slug for the given entity.
-     */
-    public function refreshSlug(Entity $entity): void
-    {
-        $this->slugHistory->recordForEntity($entity);
-        $this->slugGenerator->regenerateForEntity($entity);
-    }
 }

app/Entities/Repos/ChapterRepo.php

@@ -7,7 +7,6 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\BookContents;
-use BookStack\Entities\Tools\ParentChanger;
 use BookStack\Entities\Tools\TrashCan;
 use BookStack\Exceptions\MoveOperationException;
 use BookStack\Exceptions\PermissionsException;
@@ -22,7 +21,6 @@ class ChapterRepo
         protected BaseRepo $baseRepo,
         protected EntityQueries $entityQueries,
         protected TrashCan $trashCan,
-        protected ParentChanger $parentChanger,
     ) {
     }
 
@@ -99,7 +97,7 @@ class ChapterRepo
         }
 
         return (new DatabaseTransaction(function () use ($chapter, $parent) {
-            $this->parentChanger->changeBook($chapter, $parent->id);
+            $chapter = $chapter->changeBook($parent->id);
             $chapter->rebuildPermissions();
             Activity::add(ActivityType::CHAPTER_MOVE, $chapter);
 

app/Entities/Repos/PageRepo.php

@@ -12,7 +12,6 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Entities\Tools\PageContent;
 use BookStack\Entities\Tools\PageEditorType;
-use BookStack\Entities\Tools\ParentChanger;
 use BookStack\Entities\Tools\TrashCan;
 use BookStack\Exceptions\MoveOperationException;
 use BookStack\Exceptions\PermissionsException;
@@ -32,7 +31,6 @@ class PageRepo
         protected ReferenceStore $referenceStore,
         protected ReferenceUpdater $referenceUpdater,
         protected TrashCan $trashCan,
-        protected ParentChanger $parentChanger,
     ) {
     }
 
@@ -244,7 +242,7 @@ class PageRepo
         }
 
         $page->updated_by = user()->id;
-        $this->baseRepo->refreshSlug($page);
+        $page->refreshSlug();
         $page->save();
         $page->indexForSearch();
         $this->referenceStore->updateForEntity($page);
@@ -286,7 +284,7 @@ class PageRepo
         return (new DatabaseTransaction(function () use ($page, $parent) {
             $page->chapter_id = ($parent instanceof Chapter) ? $parent->id : null;
             $newBookId = ($parent instanceof Chapter) ? $parent->book->id : $parent->id;
-            $this->parentChanger->changeBook($page, $newBookId);
+            $page = $page->changeBook($newBookId);
             $page->rebuildPermissions();
 
             Activity::add(ActivityType::PAGE_MOVE, $page);

app/Entities/Tools/Cloner.php

@@ -13,47 +13,30 @@ use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Repos\ChapterRepo;
 use BookStack\Entities\Repos\PageRepo;
 use BookStack\Permissions\Permission;
-use BookStack\References\ReferenceChangeContext;
-use BookStack\References\ReferenceUpdater;
 use BookStack\Uploads\Image;
 use BookStack\Uploads\ImageService;
 use Illuminate\Http\UploadedFile;
 
 class Cloner
 {
-    protected ReferenceChangeContext $referenceChangeContext;
-
     public function __construct(
         protected PageRepo $pageRepo,
         protected ChapterRepo $chapterRepo,
         protected BookRepo $bookRepo,
         protected ImageService $imageService,
-        protected ReferenceUpdater $referenceUpdater,
     ) {
-        $this->referenceChangeContext = new ReferenceChangeContext();
     }
 
     /**
      * Clone the given page into the given parent using the provided name.
      */
     public function clonePage(Page $original, Entity $parent, string $newName): Page
-    {
-        $context = $this->newReferenceChangeContext();
-        $page = $this->createPageClone($original, $parent, $newName);
-        $this->referenceUpdater->changeReferencesUsingContext($context);
-        return $page;
-    }
-
-    protected function createPageClone(Page $original, Entity $parent, string $newName): Page
     {
         $copyPage = $this->pageRepo->getNewDraftPage($parent);
         $pageData = $this->entityToInputData($original);
         $pageData['name'] = $newName;
 
-        $newPage = $this->pageRepo->publishDraft($copyPage, $pageData);
-        $this->referenceChangeContext->add($original, $newPage);
-
-        return $newPage;
+        return $this->pageRepo->publishDraft($copyPage, $pageData);
     }
 
     /**
@@ -61,14 +44,6 @@ class Cloner
      * Clones all child pages.
      */
     public function cloneChapter(Chapter $original, Book $parent, string $newName): Chapter
-    {
-        $context = $this->newReferenceChangeContext();
-        $chapter = $this->createChapterClone($original, $parent, $newName);
-        $this->referenceUpdater->changeReferencesUsingContext($context);
-        return $chapter;
-    }
-
-    protected function createChapterClone(Chapter $original, Book $parent, string $newName): Chapter
     {
         $chapterDetails = $this->entityToInputData($original);
         $chapterDetails['name'] = $newName;
@@ -78,12 +53,10 @@ class Cloner
         if (userCan(Permission::PageCreate, $copyChapter)) {
             /** @var Page $page */
             foreach ($original->getVisiblePages() as $page) {
-                $this->createPageClone($page, $copyChapter, $page->name);
+                $this->clonePage($page, $copyChapter, $page->name);
             }
         }
 
-        $this->referenceChangeContext->add($original, $copyChapter);
-
         return $copyChapter;
     }
 
@@ -92,14 +65,6 @@ class Cloner
      * Clones all child chapters and pages.
      */
     public function cloneBook(Book $original, string $newName): Book
-    {
-        $context = $this->newReferenceChangeContext();
-        $book = $this->createBookClone($original, $newName);
-        $this->referenceUpdater->changeReferencesUsingContext($context);
-        return $book;
-    }
-
-    protected function createBookClone(Book $original, string $newName): Book
     {
         $bookDetails = $this->entityToInputData($original);
         $bookDetails['name'] = $newName;
@@ -111,11 +76,11 @@ class Cloner
         $directChildren = $original->getDirectVisibleChildren();
         foreach ($directChildren as $child) {
             if ($child instanceof Chapter && userCan(Permission::ChapterCreate, $copyBook)) {
-                $this->createChapterClone($child, $copyBook, $child->name);
+                $this->cloneChapter($child, $copyBook, $child->name);
             }
 
             if ($child instanceof Page && !$child->draft && userCan(Permission::PageCreate, $copyBook)) {
-                $this->createPageClone($child, $copyBook, $child->name);
+                $this->clonePage($child, $copyBook, $child->name);
             }
         }
 
@@ -127,8 +92,6 @@ class Cloner
             }
         }
 
-        $this->referenceChangeContext->add($original, $copyBook);
-
         return $copyBook;
     }
 
@@ -192,10 +155,4 @@ class Cloner
 
         return $tags;
     }
-
-    protected function newReferenceChangeContext(): ReferenceChangeContext
-    {
-        $this->referenceChangeContext = new ReferenceChangeContext();
-        return $this->referenceChangeContext;
-    }
 }

app/Entities/Tools/EntityHtmlDescription.php

@@ -6,7 +6,6 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 
 class EntityHtmlDescription
 {
@@ -51,8 +50,7 @@ class EntityHtmlDescription
             return $html;
         }
 
-        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
-        return $filter->filterString($html);
+        return HtmlContentFilter::removeScriptsFromHtmlString($html);
     }
 
     public function getPlain(): string

app/Entities/Tools/HierarchyTransformer.php

@@ -17,8 +17,7 @@ class HierarchyTransformer
         protected BookRepo $bookRepo,
         protected BookshelfRepo $shelfRepo,
         protected Cloner $cloner,
-        protected TrashCan $trashCan,
-        protected ParentChanger $parentChanger,
+        protected TrashCan $trashCan
     ) {
     }
 
@@ -36,7 +35,7 @@ class HierarchyTransformer
         foreach ($chapter->pages as $page) {
             $page->chapter_id = 0;
             $page->save();
-            $this->parentChanger->changeBook($page, $book->id);
+            $page->changeBook($book->id);
         }
 
         $this->trashCan->destroyEntity($chapter);

app/Entities/Tools/PageContent.php

@@ -2,7 +2,6 @@
 
 namespace BookStack\Entities\Tools;
 
-use BookStack\App\AppVersion;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
@@ -14,7 +13,6 @@ use BookStack\Uploads\ImageRepo;
 use BookStack\Uploads\ImageService;
 use BookStack\Users\Models\User;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlDocument;
 use BookStack\Util\WebSafeMimeSniffer;
 use Closure;
@@ -319,30 +317,11 @@ class PageContent
             $this->updateIdsRecursively($doc->getBody(), 0, $idMap, $changeMap);
         }
 
-        $cacheKey = $this->getContentCacheKey($doc->getBodyInnerHtml());
-        $cached = cache()->get($cacheKey, null);
-        if ($cached !== null) {
-            return $cached;
+        if (!config('app.allow_content_scripts')) {
+            HtmlContentFilter::removeScriptsFromDocument($doc);
         }
 
-        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-        $filter = new HtmlContentFilter($filterConfig);
-        $filtered = $filter->filterDocument($doc);
-
-        $cacheTime = 86400 * 7; // 1 week
-        cache()->put($cacheKey, $filtered, $cacheTime);
-
-        return $filtered;
-    }
-
-    protected function getContentCacheKey(string $html): string
-    {
-        $contentHash = md5($html);
-        $contentId = $this->page->id;
-        $contentTime = $this->page->updated_at?->timestamp ?? time();
-        $appVersion = AppVersion::get();
-        $filterConfig = config('app.content_filtering') ?? '';
-        return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
+        return $doc->getBodyInnerHtml();
     }
 
     /**

app/Entities/Tools/PageEditorData.php

@@ -8,8 +8,6 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\Markdown\HtmlToMarkdown;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
 use BookStack\Permissions\Permission;
-use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 
 class PageEditorData
 {
@@ -49,7 +47,6 @@ class PageEditorData
         $isDraftRevision = false;
         $this->warnings = [];
         $editActivity = new PageEditActivity($page);
-        $lastEditorId = $page->updated_by ?? user()->id;
 
         if ($editActivity->hasActiveEditing()) {
             $this->warnings[] = $editActivity->activeEditingMessage();
@@ -61,20 +58,11 @@ class PageEditorData
             $page->forceFill($userDraft->only(['name', 'html', 'markdown']));
             $isDraftRevision = true;
             $this->warnings[] = $editActivity->getEditingActiveDraftMessage($userDraft);
-            $lastEditorId = $userDraft->created_by;
         }
 
-        // Get editor type and handle changes
         $editorType = $this->getEditorType($page);
         $this->updateContentForEditor($page, $editorType);
 
-        // Filter HTML content if required
-        if ($editorType->isHtmlBased() && !old('html') && $lastEditorId !== user()->id) {
-            $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
-            $filter = new HtmlContentFilter($filterConfig);
-            $page->html = $filter->filterString($page->html);
-        }
-
         return [
             'page'            => $page,
             'book'            => $page->book,

app/Entities/Tools/ParentChanger.php

@@ -1,40 +0,0 @@
-<?php
-
-namespace BookStack\Entities\Tools;
-
-use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Chapter;
-use BookStack\References\ReferenceUpdater;
-
-class ParentChanger
-{
-    public function __construct(
-        protected SlugGenerator $slugGenerator,
-        protected ReferenceUpdater $referenceUpdater
-    ) {
-    }
-
-    /**
-     * Change the parent book of a chapter or page.
-     */
-    public function changeBook(BookChild $child, int $newBookId): void
-    {
-        $oldUrl = $child->getUrl();
-
-        $child->book_id = $newBookId;
-        $child->unsetRelation('book');
-        $this->slugGenerator->regenerateForEntity($child);
-        $child->save();
-
-        if ($oldUrl !== $child->getUrl()) {
-            $this->referenceUpdater->updateEntityReferences($child, $oldUrl);
-        }
-
-        // Update all child pages if a chapter
-        if ($child instanceof Chapter) {
-            foreach ($child->pages()->withTrashed()->get() as $page) {
-                $this->changeBook($page, $newBookId);
-            }
-        }
-    }
-}

app/Entities/Tools/SlugGenerator.php

@@ -5,14 +5,12 @@ namespace BookStack\Entities\Tools;
 use BookStack\App\Model;
 use BookStack\App\SluggableInterface;
 use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Entity;
-use BookStack\Users\Models\User;
 use Illuminate\Support\Str;
 
 class SlugGenerator
 {
     /**
-     * Generate a fresh slug for the given item.
+     * Generate a fresh slug for the given entity.
      * The slug will be generated so that it doesn't conflict within the same parent item.
      */
     public function generate(SluggableInterface&Model $model, string $slugSource): string
@@ -25,26 +23,6 @@ class SlugGenerator
         return $slug;
     }
 
-    /**
-     * Regenerate the slug for the given entity.
-     */
-    public function regenerateForEntity(Entity $entity): string
-    {
-        $entity->slug = $this->generate($entity, $entity->name);
-
-        return $entity->slug;
-    }
-
-    /**
-     * Regenerate the slug for a user.
-     */
-    public function regenerateForUser(User $user): string
-    {
-        $user->slug = $this->generate($user, $user->name);
-
-        return $user->slug;
-    }
-
     /**
      * Format a name as a URL slug.
      */

app/Entities/Tools/SlugHistory.php

@@ -1,97 +0,0 @@
-<?php
-
-namespace BookStack\Entities\Tools;
-
-use BookStack\Entities\Models\Book;
-use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Entity;
-use BookStack\Entities\Models\EntityTable;
-use BookStack\Entities\Models\SlugHistory as SlugHistoryModel;
-use BookStack\Permissions\PermissionApplicator;
-use Illuminate\Support\Facades\DB;
-
-class SlugHistory
-{
-    public function __construct(
-        protected PermissionApplicator $permissions,
-    ) {
-    }
-
-    /**
-     * Record the current slugs for the given entity.
-     */
-    public function recordForEntity(Entity $entity): void
-    {
-        if (!$entity->id || !$entity->slug) {
-            return;
-        }
-
-        $parentSlug = null;
-        if ($entity instanceof BookChild) {
-            $parentSlug = $entity->book()->first()?->slug;
-        }
-
-        $latest = $this->getLatestEntryForEntity($entity);
-        if ($latest && $latest->slug === $entity->slug && $latest->parent_slug === $parentSlug) {
-            return;
-        }
-
-        $info = [
-            'sluggable_type' => $entity->getMorphClass(),
-            'sluggable_id'   => $entity->id,
-            'slug'           => $entity->slug,
-            'parent_slug'    => $parentSlug,
-        ];
-
-        $entry = new SlugHistoryModel();
-        $entry->forceFill($info);
-        $entry->save();
-
-        if ($entity instanceof Book) {
-            $this->recordForBookChildren($entity);
-        }
-    }
-
-    protected function recordForBookChildren(Book $book): void
-    {
-        $query = EntityTable::query()
-            ->select(['type', 'id', 'slug', DB::raw("'{$book->slug}' as parent_slug"), DB::raw('now() as created_at'), DB::raw('now() as updated_at')])
-            ->where('book_id', '=', $book->id)
-            ->whereNotNull('book_id');
-
-        SlugHistoryModel::query()->insertUsing(
-            ['sluggable_type', 'sluggable_id', 'slug', 'parent_slug', 'created_at', 'updated_at'],
-            $query
-        );
-    }
-
-    /**
-     * Find the latest visible entry for an entity which uses the given slug(s) in the history.
-     */
-    public function lookupEntityIdUsingSlugs(string $type, string $slug, string $parentSlug = ''): ?int
-    {
-        $query = SlugHistoryModel::query()
-            ->where('sluggable_type', '=', $type)
-            ->where('slug', '=', $slug);
-
-        if ($parentSlug) {
-            $query->where('parent_slug', '=', $parentSlug);
-        }
-
-        $query = $this->permissions->restrictEntityRelationQuery($query, 'slug_history', 'sluggable_id', 'sluggable_type');
-
-        /** @var SlugHistoryModel|null $result */
-        $result = $query->orderBy('created_at', 'desc')->first();
-
-        return $result?->sluggable_id;
-    }
-
-    protected function getLatestEntryForEntity(Entity $entity): SlugHistoryModel|null
-    {
-        return SlugHistoryModel::query()
-            ->where('sluggable_type', '=', $entity->getMorphClass())
-            ->where('sluggable_id', '=', $entity->id)
-            ->orderBy('created_at', 'desc')
-            ->first();
-    }
-}

app/Entities/Tools/TrashCan.php

@@ -388,7 +388,7 @@ class TrashCan
     /**
      * Update entity relations to remove or update outstanding connections.
      */
-    protected function destroyCommonRelations(Entity $entity): void
+    protected function destroyCommonRelations(Entity $entity)
     {
         Activity::removeEntity($entity);
         $entity->views()->delete();
@@ -402,7 +402,6 @@ class TrashCan
         $entity->watches()->delete();
         $entity->referencesTo()->delete();
         $entity->referencesFrom()->delete();
-        $entity->slugHistory()->delete();
 
         if ($entity instanceof HasCoverInterface && $entity->coverInfo()->exists()) {
             $imageService = app()->make(ImageService::class);

app/Exports/ZipExports/ZipExportReader.php

@@ -58,16 +58,6 @@ class ZipExportReader
     {
         $this->open();
 
-        $info = $this->zip->statName('data.json');
-        if ($info === false) {
-            throw new ZipExportException(trans('errors.import_zip_cant_decode_data'));
-        }
-
-        $maxSize = max(intval(config()->get('app.upload_limit')), 1) * 1000000;
-        if ($info['size'] > $maxSize) {
-            throw new ZipExportException(trans('errors.import_zip_data_too_large'));
-        }
-
         // Validate json data exists, including metadata
         $jsonData = $this->zip->getFromName('data.json') ?: '';
         $importData = json_decode($jsonData, true);
@@ -83,17 +73,6 @@ class ZipExportReader
         return $this->zip->statName("files/{$fileName}") !== false;
     }
 
-    public function fileWithinSizeLimit(string $fileName): bool
-    {
-        $fileInfo = $this->zip->statName("files/{$fileName}");
-        if ($fileInfo === false) {
-            return false;
-        }
-
-        $maxSize = max(intval(config()->get('app.upload_limit')), 1) * 1000000;
-        return $fileInfo['size'] <= $maxSize;
-    }
-
     /**
      * @return false|resource
      */

app/Exports/ZipExports/ZipExportReferences.php

@@ -15,7 +15,6 @@ use BookStack\Exports\ZipExports\Models\ZipExportPage;
 use BookStack\Permissions\Permission;
 use BookStack\Uploads\Attachment;
 use BookStack\Uploads\Image;
-use BookStack\Uploads\ImageService;
 
 class ZipExportReferences
 {
@@ -34,7 +33,6 @@ class ZipExportReferences
 
     public function __construct(
         protected ZipReferenceParser $parser,
-        protected ImageService $imageService,
     ) {
     }
 
@@ -135,17 +133,10 @@ class ZipExportReferences
                 return "[[bsexport:image:{$model->id}]]";
             }
 
-            // Get the page which we'll reference this image upon
+            // Find and include images if in visibility
             $page = $model->getPage();
-            $pageExportModel = null;
-            if ($page && isset($this->pages[$page->id])) {
-                $pageExportModel = $this->pages[$page->id];
-            } elseif ($exportModel instanceof ZipExportPage) {
-                $pageExportModel = $exportModel;
-            }
-
-            // Add the image to the export if it's accessible or just return the existing reference if already added
-            if (isset($this->images[$model->id]) || ($pageExportModel && $this->imageService->imageAccessible($model))) {
+            $pageExportModel = $this->pages[$page->id] ?? ($exportModel instanceof ZipExportPage ? $exportModel : null);
+            if (isset($this->images[$model->id]) || ($page && $pageExportModel && userCan(Permission::PageView, $page))) {
                 if (!isset($this->images[$model->id])) {
                     $exportImage = ZipExportImage::fromModel($model, $files);
                     $this->images[$model->id] = $exportImage;
@@ -153,7 +144,6 @@ class ZipExportReferences
                 }
                 return "[[bsexport:image:{$model->id}]]";
             }
-
             return null;
         }
 

app/Exports/ZipExports/ZipFileReferenceRule.php

@@ -13,6 +13,7 @@ class ZipFileReferenceRule implements ValidationRule
     ) {
     }
 
+
     /**
      * @inheritDoc
      */
@@ -22,13 +23,6 @@ class ZipFileReferenceRule implements ValidationRule
             $fail('validation.zip_file')->translate();
         }
 
-        if (!$this->context->zipReader->fileWithinSizeLimit($value)) {
-            $fail('validation.zip_file_size')->translate([
-                'attribute' => $value,
-                'size' => config('app.upload_limit'),
-            ]);
-        }
-
         if (!empty($this->acceptedMimes)) {
             $fileMime = $this->context->zipReader->sniffFileMime($value);
             if (!in_array($fileMime, $this->acceptedMimes)) {

app/Exports/ZipExports/ZipImportRunner.php

@@ -265,12 +265,6 @@ class ZipImportRunner
 
     protected function zipFileToUploadedFile(string $fileName, ZipExportReader $reader): UploadedFile
     {
-        if (!$reader->fileWithinSizeLimit($fileName)) {
-            throw new ZipImportException([
-                "File $fileName exceeds app upload limit."
-            ]);
-        }
-
         $tempPath = tempnam(sys_get_temp_dir(), 'bszipextract');
         $fileStream = $reader->streamFile($fileName);
         $tempStream = fopen($tempPath, 'wb');

app/Http/Controller.php

@@ -167,26 +167,14 @@ abstract class Controller extends BaseController
 
     /**
      * Redirect to the URL provided in the request as a '_return' parameter.
-     * Will check that the parameter leads to a URL under the same origin as the application.
+     * Will check that the parameter leads to a URL under the root path of the system.
      */
     protected function redirectToRequest(Request $request): RedirectResponse
     {
         $basePath = url('/');
         $returnUrl = $request->input('_return') ?? $basePath;
 
-        // Only allow use of _return on requests where we expect CSRF to be active
-        // to prevent it potentially being used as an open redirect
-        $allowedMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
-        if (!in_array($request->getMethod(), $allowedMethods)) {
-            return redirect($basePath);
-        }
-
-        $intendedUrl = parse_url($returnUrl);
-        $baseUrl = parse_url($basePath);
-        $isSameOrigin = ($intendedUrl['host'] ?? '') === ($baseUrl['host'] ?? '')
-            && ($intendedUrl['scheme'] ?? '') === ($baseUrl['scheme'] ?? '')
-            && ($intendedUrl['port'] ?? 0) === ($baseUrl['port'] ?? 0);
-        if (!$isSameOrigin) {
+        if (!str_starts_with($returnUrl, $basePath)) {
             return redirect($basePath);
         }
 

app/Http/Middleware/ApiAuthenticate.php

@@ -17,7 +17,7 @@ class ApiAuthenticate
     public function handle(Request $request, Closure $next)
     {
         // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken($request);
+        $this->ensureAuthorizedBySessionOrToken();
 
         return $next($request);
     }
@@ -28,28 +28,22 @@ class ApiAuthenticate
      *
      * @throws ApiAuthException
      */
-    protected function ensureAuthorizedBySessionOrToken(Request $request): void
+    protected function ensureAuthorizedBySessionOrToken(): void
     {
-        // Use the active user session already exists.
-        // This is to make it easy to explore API endpoints via the UI.
-        if (session()->isStarted()) {
-            // Ensure the user has API access permission
+        // Return if the user is already found to be signed in via session-based auth.
+        // This is to make it easy to browser the API via browser after just logging into the system.
+        if (!user()->isGuest() || session()->isStarted()) {
             if (!$this->sessionUserHasApiAccess()) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
 
-            // Only allow GET requests for cookie-based API usage
-            if ($request->method() !== 'GET') {
-                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
-            }
-
             return;
         }
 
         // Set our api guard to be the default for this request lifecycle.
         auth()->shouldUse('api');
 
-        // Validate the token and its users API access
+        // Validate the token and it's users API access
         auth()->authenticate();
     }
 

app/Http/Middleware/StartSessionExtended.php

@@ -14,10 +14,7 @@ use Illuminate\Session\Middleware\StartSession as Middleware;
 class StartSessionExtended extends Middleware
 {
     protected static array $pathPrefixesExcludedFromHistory = [
-        'uploads/images/',
-        'dist/',
-        'manifest.json',
-        'opensearch.xml',
+        'uploads/images/'
     ];
 
     /**

app/References/ReferenceChangeContext.php

@@ -1,45 +0,0 @@
-<?php
-
-namespace BookStack\References;
-
-use BookStack\Entities\Models\Entity;
-
-class ReferenceChangeContext
-{
-    /**
-     * Entity pairs where the first is the old entity and the second is the new entity.
-     * @var array<array{0: Entity, 1: Entity}>
-     */
-    protected array $changes = [];
-
-    public function add(Entity $oldEntity, Entity $newEntity): void
-    {
-        $this->changes[] = [$oldEntity, $newEntity];
-    }
-
-    /**
-     * Get all the new entities from the changes.
-     */
-    public function getNewEntities(): array
-    {
-        return array_column($this->changes, 1);
-    }
-
-    /**
-     * Get all the old entities from the changes.
-     */
-    public function getOldEntities(): array
-    {
-        return array_column($this->changes, 0);
-    }
-
-    public function getNewForOld(Entity $oldEntity): ?Entity
-    {
-        foreach ($this->changes as [$old, $new]) {
-            if ($old->id === $oldEntity->id && $old->type === $oldEntity->type) {
-                return $new;
-            }
-        }
-        return null;
-    }
-}

app/References/ReferenceUpdater.php

@@ -5,6 +5,7 @@ namespace BookStack\References;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\HasDescriptionInterface;
 use BookStack\Entities\Models\Entity;
+use BookStack\Entities\Models\EntityContainerData;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Repos\RevisionRepo;
 use BookStack\Util\HtmlDocument;
@@ -29,47 +30,6 @@ class ReferenceUpdater
         }
     }
 
-    /**
-     * Change existing references for a range of entities using the given context.
-     */
-    public function changeReferencesUsingContext(ReferenceChangeContext $context): void
-    {
-        $bindings = [];
-        foreach ($context->getOldEntities() as $old) {
-            $bindings[] = $old->getMorphClass();
-            $bindings[] = $old->id;
-        }
-
-        // No targets to update within the context, so no need to continue.
-        if (count($bindings) < 2) {
-            return;
-        }
-
-        $toReferenceQuery = '(to_type, to_id) IN (' . rtrim(str_repeat('(?,?),', count($bindings) / 2), ',') . ')';
-
-        // Cycle each new entity in the context
-        foreach ($context->getNewEntities() as $new) {
-            // For each, get all references from it which lead to other items within the context of the change
-            $newReferencesInContext = $new->referencesFrom()->whereRaw($toReferenceQuery, $bindings)->get();
-            // For each reference, update the URL and the reference entry
-            foreach ($newReferencesInContext as $reference) {
-                $oldToEntity = $reference->to;
-                $newToEntity = $context->getNewForOld($oldToEntity);
-                if ($newToEntity === null) {
-                    continue;
-                }
-
-                $this->updateReferencesWithinEntity($new, $oldToEntity->getUrl(), $newToEntity->getUrl());
-                if ($newToEntity instanceof Page && $oldToEntity instanceof Page) {
-                    $this->updateReferencesWithinEntity($new, $oldToEntity->getPermalink(), $newToEntity->getPermalink());
-                }
-                $reference->to_id = $newToEntity->id;
-                $reference->to_type = $newToEntity->getMorphClass();
-                $reference->save();
-            }
-        }
-    }
-
     /**
      * @return Reference[]
      */

app/Search/SearchController.php

@@ -25,12 +25,11 @@ class SearchController extends Controller
         $searchOpts = SearchOptions::fromRequest($request);
         $fullSearchString = $searchOpts->toString();
         $page = intval($request->get('page', '0')) ?: 1;
-        $count = setting()->getInteger('lists-page-count-search', 18, 1, 1000);
 
-        $results = $this->searchRunner->searchEntities($searchOpts, 'all', $page, $count);
+        $results = $this->searchRunner->searchEntities($searchOpts, 'all', $page, 20);
         $formatter->format($results['results']->all(), $searchOpts);
-        $paginator = new LengthAwarePaginator($results['results'], $results['total'], $count, $page);
-        $paginator->setPath(url('/search'));
+        $paginator = new LengthAwarePaginator($results['results'], $results['total'], 20, $page);
+        $paginator->setPath('/search');
         $paginator->appends($request->except('page'));
 
         $this->setPageTitle(trans('entities.search_for_term', ['term' => $fullSearchString]));
@@ -78,9 +77,8 @@ class SearchController extends Controller
 
         // Search for entities otherwise show most popular
         if ($searchTerm !== false) {
-            $options = SearchOptions::fromString($searchTerm);
-            $options->setFilter('type', implode('|', $entityTypes));
-            $entities = $this->searchRunner->searchEntities($options, 'all', 1, 20)['results'];
+            $searchTerm .= ' {type:' . implode('|', $entityTypes) . '}';
+            $entities = $this->searchRunner->searchEntities(SearchOptions::fromString($searchTerm), 'all', 1, 20)['results'];
         } else {
             $entities = $queryPopular->run(20, 0, $entityTypes);
         }

app/Search/SearchIndex.php

@@ -126,7 +126,7 @@ class SearchIndex
         $termMap = $this->textToTermCountMap($text);
 
         foreach ($termMap as $term => $count) {
-            $termMap[$term] = intval($count * $scoreAdjustment);
+            $termMap[$term] = floor($count * $scoreAdjustment);
         }
 
         return $termMap;

app/Search/SearchOptionSet.php

@@ -82,12 +82,4 @@ class SearchOptionSet
         $values = array_values(array_filter($this->options, fn (SearchOption $option) => !$option->negated));
         return new self($values);
     }
-
-    /**
-     * @return self<T>
-     */
-    public function limit(int $limit): self
-    {
-        return new self(array_slice(array_values($this->options), 0, $limit));
-    }
 }

app/Search/SearchOptions.php

@@ -35,7 +35,6 @@ class SearchOptions
     {
         $instance = new self();
         $instance->addOptionsFromString($search);
-        $instance->limitOptions();
         return $instance;
     }
 
@@ -88,8 +87,6 @@ class SearchOptions
             $instance->filters = $instance->filters->merge($extras->filters);
         }
 
-        $instance->limitOptions();
-
         return $instance;
     }
 
@@ -150,25 +147,6 @@ class SearchOptions
         $this->filters = $this->filters->merge(new SearchOptionSet($terms['filters']));
     }
 
-    /**
-     * Limit the amount of search options to reasonable levels.
-     * Provides higher limits to logged-in users since that signals a slightly
-     * higher level of trust.
-     */
-    protected function limitOptions(): void
-    {
-        $userLoggedIn = !user()->isGuest();
-        $searchLimit = $userLoggedIn ? 10 : 5;
-        $exactLimit = $userLoggedIn ? 4 : 2;
-        $tagLimit = $userLoggedIn ? 8 : 4;
-        $filterLimit = $userLoggedIn ? 10 : 5;
-
-        $this->searches = $this->searches->limit($searchLimit);
-        $this->exacts = $this->exacts->limit($exactLimit);
-        $this->tags = $this->tags->limit($tagLimit);
-        $this->filters = $this->filters->limit($filterLimit);
-    }
-
     /**
      * Decode backslash escaping within the input string.
      */

app/Settings/AppSettingsStore.php

@@ -14,7 +14,7 @@ class AppSettingsStore
     ) {
     }
 
-    public function storeFromUpdateRequest(Request $request, string $category): void
+    public function storeFromUpdateRequest(Request $request, string $category)
     {
         $this->storeSimpleSettings($request);
         if ($category === 'customization') {
@@ -76,7 +76,7 @@ class AppSettingsStore
     protected function storeSimpleSettings(Request $request): void
     {
         foreach ($request->all() as $name => $value) {
-            if (!str_starts_with($name, 'setting-')) {
+            if (strpos($name, 'setting-') !== 0) {
                 continue;
             }
 
@@ -85,7 +85,7 @@ class AppSettingsStore
         }
     }
 
-    protected function destroyExistingSettingImage(string $settingKey): void
+    protected function destroyExistingSettingImage(string $settingKey)
     {
         $existingVal = setting()->get($settingKey);
         if ($existingVal) {

app/Settings/SettingService.php

@@ -28,21 +28,6 @@ class SettingService
         return $this->formatValue($value, $default);
     }
 
-    /**
-     * Get a setting from the database as an integer.
-     * Returns the default value if not found or not an integer, and clamps the value to the given min/max range.
-     */
-    public function getInteger(string $key, int $default, int $min = 0, int $max = PHP_INT_MAX): int
-    {
-        $value = $this->get($key, $default);
-        if (!is_numeric($value)) {
-            return $default;
-        }
-
-        $int = intval($value);
-        return max($min, min($max, $int));
-    }
-
     /**
      * Get a value from the session instead of the main store option.
      */

app/Settings/UserNotificationPreferences.php

@@ -26,14 +26,9 @@ class UserNotificationPreferences
         return $this->getNotificationSetting('comment-replies');
     }
 
-    public function notifyOnCommentMentions(): bool
-    {
-        return $this->getNotificationSetting('comment-mentions');
-    }
-
     public function updateFromSettingsArray(array $settings)
     {
-        $allowList = ['own-page-changes', 'own-page-comments', 'comment-replies', 'comment-mentions'];
+        $allowList = ['own-page-changes', 'own-page-comments', 'comment-replies'];
         foreach ($settings as $setting => $status) {
             if (!in_array($setting, $allowList)) {
                 continue;

app/Sorting/BookSorter.php

@@ -8,14 +8,12 @@ use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\EntityQueries;
-use BookStack\Entities\Tools\ParentChanger;
 use BookStack\Permissions\Permission;
 
 class BookSorter
 {
     public function __construct(
         protected EntityQueries $queries,
-        protected ParentChanger $parentChanger,
     ) {
     }
 
@@ -157,7 +155,7 @@ class BookSorter
 
         // Action the required changes
         if ($bookChanged) {
-            $this->parentChanger->changeBook($model, $newBook->id);
+            $model = $model->changeBook($newBook->id);
         }
 
         if ($model instanceof Page && $chapterChanged) {

app/Theming/CustomHtmlHeadContentProvider.php

@@ -4,16 +4,25 @@ namespace BookStack\Theming;
 
 use BookStack\Util\CspService;
 use BookStack\Util\HtmlContentFilter;
-use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlNonceApplicator;
 use Illuminate\Contracts\Cache\Repository as Cache;
 
 class CustomHtmlHeadContentProvider
 {
-    public function __construct(
-        protected CspService $cspService,
-        protected Cache $cache
-    ) {
+    /**
+     * @var CspService
+     */
+    protected $cspService;
+
+    /**
+     * @var Cache
+     */
+    protected $cache;
+
+    public function __construct(CspService $cspService, Cache $cache)
+    {
+        $this->cspService = $cspService;
+        $this->cache = $cache;
     }
 
     /**
@@ -41,8 +50,7 @@ class CustomHtmlHeadContentProvider
         $hash = md5($content);
 
         return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
-            $config = new HtmlContentFilterConfig(filterOutNonContentElements: false, useAllowListFilter: false);
-            return (new HtmlContentFilter($config))->filterString($content);
+            return HtmlContentFilter::removeScriptsFromHtmlString($content);
         });
     }
 

app/Uploads/Image.php

@@ -13,14 +13,14 @@ use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 
 /**
- * @property int      $id
- * @property string   $name
- * @property string   $url
- * @property string   $path
- * @property string   $type
- * @property int|null $uploaded_to
- * @property int      $created_by
- * @property int      $updated_by
+ * @property int    $id
+ * @property string $name
+ * @property string $url
+ * @property string $path
+ * @property string $type
+ * @property int    $uploaded_to
+ * @property int    $created_by
+ * @property int    $updated_by
  */
 class Image extends Model implements OwnableInterface
 {

app/Uploads/ImageResizer.php

@@ -55,7 +55,7 @@ class ImageResizer
 
     /**
      * Get the thumbnail for an image.
-     * If $keepRatio is true, only the width will be used.
+     * If $keepRatio is true only the width will be used.
      * Checks the cache then storage to avoid creating / accessing the filesystem on every check.
      *
      * @throws Exception
@@ -84,7 +84,7 @@ class ImageResizer
             return $this->storage->getPublicUrl($cachedThumbPath);
         }
 
-        // If a thumbnail has already been generated, serve that and cache path
+        // If thumbnail has already been generated, serve that and cache path
         $disk = $this->storage->getDisk($image->type);
         if (!$shouldCreate && $disk->exists($thumbFilePath)) {
             Cache::put($thumbCacheKey, $thumbFilePath, static::THUMBNAIL_CACHE_TIME);
@@ -110,7 +110,7 @@ class ImageResizer
     }
 
     /**
-     * Resize the image of given data to the specified size and return the new image data.
+     * Resize the image of given data to the specified size, and return the new image data.
      * Format will remain the same as the input format, unless specified.
      *
      * @throws ImageUploadException
@@ -125,7 +125,6 @@ class ImageResizer
         try {
             $thumb = $this->interventionFromImageData($imageData, $format);
         } catch (Exception $e) {
-            Log::error('Failed to resize image with error:' . $e->getMessage());
             throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
         }
 
@@ -155,21 +154,17 @@ class ImageResizer
 
     /**
      * Create an intervention image instance from the given image data.
-     * Performs some manual library usage to ensure the image is specifically loaded
+     * Performs some manual library usage to ensure image is specifically loaded
      * from given binary data instead of data being misinterpreted.
      */
     protected function interventionFromImageData(string $imageData, ?string $fileType): InterventionImage
     {
-        if (!extension_loaded('gd')) {
-            throw new ImageUploadException('The PHP "gd" extension is required to resize images, but is missing.');
-        }
-
         $manager = new ImageManager(
             new Driver(),
             autoOrientation: false,
         );
 
-        // Ensure GIF images are decoded natively instead of deferring to intervention GIF
+        // Ensure gif images are decoded natively instead of deferring to intervention GIF
         // handling since we don't need the added animation support.
         $isGif = $fileType === 'gif';
         $decoder = $isGif ? NativeObjectDecoder::class : BinaryImageDecoder::class;
@@ -228,7 +223,7 @@ class ImageResizer
     }
 
     /**
-     * Checks if the image is a GIF. Returns true if it is, else false.
+     * Checks if the image is a gif. Returns true if it is, else false.
      */
     protected function isGif(Image $image): bool
     {
@@ -255,7 +250,7 @@ class ImageResizer
 
     /**
      * Check if the given avif image data represents an animated image.
-     * This is based upon the answer here: https://stackoverflow.com/a/79457313
+     * This is based up the answer here: https://stackoverflow.com/a/79457313
      */
     protected function isAnimatedAvifData(string &$imageData): bool
     {

app/Uploads/ImageService.php

@@ -148,7 +148,7 @@ class ImageService
     }
 
     /**
-     * Destroy an image along with its revisions, thumbnails, and remaining folders.
+     * Destroy an image along with its revisions, thumbnails and remaining folders.
      *
      * @throws Exception
      */
@@ -252,7 +252,16 @@ class ImageService
     {
         $disk = $this->storage->getDisk('gallery');
 
-        return $disk->usingSecureImages() && $this->pathAccessible($imagePath);
+        if ($this->storage->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($imagePath)) {
+            return false;
+        }
+
+        // Check local_secure is active
+        return $disk->usingSecureImages()
+            // Check the image file exists
+            && $disk->exists($imagePath)
+            // Check the file is likely an image file
+            && str_starts_with($disk->mimeType($imagePath), 'image/');
     }
 
     /**
@@ -260,51 +269,16 @@ class ImageService
      */
     public function pathAccessible(string $imagePath): bool
     {
+        $disk = $this->storage->getDisk('gallery');
+
         if ($this->storage->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($imagePath)) {
             return false;
         }
 
-        if ($this->blockedBySecureImages()) {
-            return false;
-        }
-
-        return $this->imageFileExists($imagePath, 'gallery');
-    }
-
-    /**
-     * Check if the given image should be accessible to the current user.
-     */
-    public function imageAccessible(Image $image): bool
-    {
-        if ($this->storage->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImage($image)) {
-            return false;
-        }
-
-        if ($this->blockedBySecureImages()) {
-            return false;
-        }
-
-        return $this->imageFileExists($image->path, $image->type);
-    }
-
-    /**
-     * Check if the current user should be blocked from accessing images based on if secure images are enabled
-     * and if public access is enabled for the application.
-     */
-    protected function blockedBySecureImages(): bool
-    {
-        $enforced = $this->storage->usingSecureImages() && !setting('app-public');
-
-        return $enforced && user()->isGuest();
-    }
-
-    /**
-     * Check if the given image path exists for the given image type and that it is likely an image file.
-     */
-    protected function imageFileExists(string $imagePath, string $imageType): bool
-    {
-        $disk = $this->storage->getDisk($imageType);
-        return $disk->exists($imagePath) && str_starts_with($disk->mimeType($imagePath), 'image/');
+        // Check local_secure is active
+        return $disk->exists($imagePath)
+            // Check the file is likely an image file
+            && str_starts_with($disk->mimeType($imagePath), 'image/');
     }
 
     /**
@@ -333,11 +307,6 @@ class ImageService
             return false;
         }
 
-        return $this->checkUserHasAccessToRelationOfImage($image);
-    }
-
-    protected function checkUserHasAccessToRelationOfImage(Image $image): bool
-    {
         $imageType = $image->type;
 
         // Allow user or system (logo) images

app/Uploads/ImageStorage.php

@@ -34,15 +34,6 @@ class ImageStorage
         return config('filesystems.images') === 'local_secure_restricted';
     }
 
-    /**
-     * Check if "local secure" (Fetched behind auth, either with or without permissions enforced)
-     * is currently active in the instance.
-     */
-    public function usingSecureImages(): bool
-    {
-        return config('filesystems.images') === 'local_secure' || $this->usingSecureRestrictedImages();
-    }
-
     /**
      * Clean up an image file name to be both URL and storage safe.
      */
@@ -74,7 +65,7 @@ class ImageStorage
             return 'local';
         }
 
-        // Rename local_secure options to get our image-specific storage driver, which
+        // Rename local_secure options to get our image specific storage driver which
         // is scoped to the relevant image directories.
         if ($localSecureInUse) {
             return 'local_secure_images';

app/Users/Controllers/UserSearchController.php

@@ -5,7 +5,6 @@ namespace BookStack\Users\Controllers;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\Users\Models\User;
-use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\Request;
 
 class UserSearchController extends Controller
@@ -35,43 +34,8 @@ class UserSearchController extends Controller
             $query->where('name', 'like', '%' . $search . '%');
         }
 
-        /** @var Collection<User> $users */
-        $users = $query->get();
-
         return view('form.user-select-list', [
-            'users' => $users,
-        ]);
-    }
-
-    /**
-     * Search users in the system, with the response formatted
-     * for use in a list of mentions.
-     */
-    public function forMentions(Request $request)
-    {
-        $hasPermission = !user()->isGuest() && (
-                userCan(Permission::CommentCreateAll)
-                || userCan(Permission::CommentUpdate)
-            );
-
-        if (!$hasPermission) {
-            $this->showPermissionError();
-        }
-
-        $search = $request->get('search', '');
-        $query = User::query()
-            ->orderBy('name', 'asc')
-            ->take(20);
-
-        if (!empty($search)) {
-            $query->where('name', 'like', '%' . $search . '%');
-        }
-
-        /** @var Collection<User> $users */
-        $users = $query->get();
-
-        return view('form.user-mention-list', [
-            'users' => $users,
+            'users' => $query->get(),
         ]);
     }
 }

app/Users/Models/User.php

@@ -11,6 +11,7 @@ use BookStack\Activity\Models\Watch;
 use BookStack\Api\ApiToken;
 use BookStack\App\Model;
 use BookStack\App\SluggableInterface;
+use BookStack\Entities\Tools\SlugGenerator;
 use BookStack\Permissions\Permission;
 use BookStack\Translation\LocaleDefinition;
 use BookStack\Translation\LocaleManager;
@@ -357,4 +358,14 @@ class User extends Model implements AuthenticatableContract, CanResetPasswordCon
     {
         return "({$this->id}) {$this->name}";
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function refreshSlug(): string
+    {
+        $this->slug = app()->make(SlugGenerator::class)->generate($this, $this->name);
+
+        return $this->slug;
+    }
 }

app/Users/UserRepo.php

@@ -5,7 +5,6 @@ namespace BookStack\Users;
 use BookStack\Access\UserInviteException;
 use BookStack\Access\UserInviteService;
 use BookStack\Activity\ActivityType;
-use BookStack\Entities\Tools\SlugGenerator;
 use BookStack\Exceptions\NotifyException;
 use BookStack\Exceptions\UserUpdateException;
 use BookStack\Facades\Activity;
@@ -22,8 +21,7 @@ class UserRepo
 {
     public function __construct(
         protected UserAvatars $userAvatar,
-        protected UserInviteService $inviteService,
-        protected SlugGenerator $slugGenerator,
+        protected UserInviteService $inviteService
     ) {
     }
 
@@ -65,7 +63,7 @@ class UserRepo
         $user->email_confirmed = $emailConfirmed;
         $user->external_auth_id = $data['external_auth_id'] ?? '';
 
-        $this->slugGenerator->regenerateForUser($user);
+        $user->refreshSlug();
         $user->save();
 
         if (!empty($data['language'])) {
@@ -111,7 +109,7 @@ class UserRepo
     {
         if (!empty($data['name'])) {
             $user->name = $data['name'];
-            $this->slugGenerator->regenerateForUser($user);
+            $user->refreshSlug();
         }
 
         if (!empty($data['email']) && $manageUsersAllowed) {

app/Util/ConfiguredHtmlPurifier.php

@@ -1,158 +0,0 @@
-<?php
-
-namespace BookStack\Util;
-
-use BookStack\App\AppVersion;
-use HTMLPurifier;
-use HTMLPurifier_Config;
-use HTMLPurifier_DefinitionCache_Serializer;
-use HTMLPurifier_HTML5Config;
-use HTMLPurifier_HTMLDefinition;
-
-/**
- * Provides a configured HTML Purifier instance.
- * https://github.com/ezyang/htmlpurifier
- * Also uses this to extend support to HTML5 elements:
- * https://github.com/xemlock/htmlpurifier-html5
- */
-class ConfiguredHtmlPurifier
-{
-    protected HTMLPurifier $purifier;
-    protected static bool $cachedChecked = false;
-
-    public function __construct()
-    {
-        // This is done by the web-server at run-time, with the existing
-        // storage/framework/cache folder to ensure we're using a server-writable folder.
-        $cachePath = storage_path('framework/cache/purifier');
-        $this->createCacheFolderIfNeeded($cachePath);
-
-        $config = HTMLPurifier_HTML5Config::createDefault();
-        $this->setConfig($config, $cachePath);
-        $this->resetCacheIfNeeded($config);
-
-        $htmlDef = $config->getDefinition('HTML', true, true);
-        if ($htmlDef instanceof HTMLPurifier_HTMLDefinition) {
-            $this->configureDefinition($htmlDef);
-        }
-
-        $this->purifier = new HTMLPurifier($config);
-    }
-
-    protected function createCacheFolderIfNeeded(string $cachePath): void
-    {
-        if (!file_exists($cachePath)) {
-            mkdir($cachePath, 0777, true);
-        }
-    }
-
-    protected function resetCacheIfNeeded(HTMLPurifier_Config $config): void
-    {
-        if (self::$cachedChecked) {
-            return;
-        }
-
-        $cachedForVersion = cache('htmlpurifier::cache-version');
-        $appVersion = AppVersion::get();
-        if ($cachedForVersion !== $appVersion) {
-            foreach (['HTML', 'CSS', 'URI'] as $name) {
-                $cache = new HTMLPurifier_DefinitionCache_Serializer($name);
-                $cache->flush($config);
-            }
-            cache()->set('htmlpurifier::cache-version', $appVersion);
-        }
-
-        self::$cachedChecked = true;
-    }
-
-    protected function setConfig(HTMLPurifier_Config $config, string $cachePath): void
-    {
-        $config->set('Cache.SerializerPath', $cachePath);
-        $config->set('Core.AllowHostnameUnderscore', true);
-        $config->set('CSS.AllowTricky', true);
-        $config->set('HTML.SafeIframe', true);
-        $config->set('HTML.TargetNoopener', false);
-        $config->set('HTML.TargetNoreferrer', false);
-        $config->set('Attr.EnableID', true);
-        $config->set('Attr.ID.HTML5', true);
-        $config->set('Output.FixInnerHTML', false);
-        $config->set('URI.SafeIframeRegexp', '%^(http://|https://|//)%');
-        $config->set('URI.AllowedSchemes', [
-            'http' => true,
-            'https' => true,
-            'mailto' => true,
-            'ftp' => true,
-            'nntp' => true,
-            'news' => true,
-            'tel' => true,
-            'file' => true,
-        ]);
-
-         // $config->set('Cache.DefinitionImpl', null); // Disable cache during testing
-    }
-
-    public function configureDefinition(HTMLPurifier_HTMLDefinition $definition): void
-    {
-        // Allow the object element
-        $definition->addElement(
-            'object',
-            'Inline',
-            'Flow',
-            'Common',
-            [
-                'data'   => 'URI',
-                'type'   => 'Text',
-                'width'  => 'Length',
-                'height' => 'Length',
-            ]
-        );
-
-        // Allow the embed element
-        $definition->addElement(
-            'embed',
-            'Inline',
-            'Empty',
-            'Common',
-            [
-                'src'   => 'URI',
-                'type'   => 'Text',
-                'width'  => 'Length',
-                'height' => 'Length',
-            ]
-        );
-
-        // Allow checkbox inputs
-        $definition->addElement(
-            'input',
-            'Formctrl',
-            'Empty',
-            'Common',
-            [
-                'checked' => 'Bool#checked',
-                'disabled' => 'Bool#disabled',
-                'name' => 'Text',
-                'readonly' => 'Bool#readonly',
-                'type' => 'Enum#checkbox',
-                'value' => 'Text',
-            ]
-        );
-
-        // Allow the drawio-diagram attribute on div elements
-        $definition->addAttribute(
-            'div',
-            'drawio-diagram',
-            'Number',
-        );
-
-        // Allow target="_blank" on links
-        $definition->addAttribute('a', 'target', 'Enum#_blank');
-
-        // Allow mention-ids on links
-        $definition->addAttribute('a', 'data-mention-user-id', 'Number');
-    }
-
-    public function purify(string $html): string
-    {
-        return $this->purifier->purify($html);
-    }
-}

app/Util/CspService.php

@@ -65,7 +65,7 @@ class CspService
      */
     protected function getScriptSrc(): string
     {
-        if ($this->scriptFilteringDisabled()) {
+        if (config('app.allow_content_scripts')) {
             return '';
         }
 
@@ -108,7 +108,7 @@ class CspService
      */
     protected function getObjectSrc(): string
     {
-        if ($this->scriptFilteringDisabled()) {
+        if (config('app.allow_content_scripts')) {
             return '';
         }
 
@@ -124,11 +124,6 @@ class CspService
         return "base-uri 'self'";
     }
 
-    protected function scriptFilteringDisabled(): bool
-    {
-        return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
-    }
-
     protected function getAllowedIframeHosts(): array
     {
         $hosts = config('app.iframe_hosts') ?? '';

app/Util/HtmlContentFilter.php

@@ -8,46 +8,10 @@ use DOMNodeList;
 
 class HtmlContentFilter
 {
-    public function __construct(
-        protected HtmlContentFilterConfig $config
-    ) {
-    }
-
-    public function filterDocument(HtmlDocument $doc): string
-    {
-        if ($this->config->filterOutJavaScript) {
-            $this->filterOutScriptsFromDocument($doc);
-        }
-        if ($this->config->filterOutFormElements) {
-            $this->filterOutFormElementsFromDocument($doc);
-        }
-        if ($this->config->filterOutBadHtmlElements) {
-            $this->filterOutBadHtmlElementsFromDocument($doc);
-        }
-        if ($this->config->filterOutNonContentElements) {
-            $this->filterOutNonContentElementsFromDocument($doc);
-        }
-
-        $filtered = $doc->getBodyInnerHtml();
-        if ($this->config->useAllowListFilter) {
-            $filtered = $this->applyAllowListFiltering($filtered);
-        }
-
-        return $filtered;
-    }
-
-    public function filterString(string $html): string
-    {
-        return $this->filterDocument(new HtmlDocument($html));
-    }
-
-    protected function applyAllowListFiltering(string $html): string
-    {
-        $purifier = new ConfiguredHtmlPurifier();
-        return $purifier->purify($html);
-    }
-
-    protected function filterOutScriptsFromDocument(HtmlDocument $doc): void
+    /**
+     * Remove all the script elements from the given HTML document.
+     */
+    public static function removeScriptsFromDocument(HtmlDocument $doc)
     {
         // Remove standard script tags
         $scriptElems = $doc->queryXPath('//script');
@@ -57,21 +21,21 @@ class HtmlContentFilter
         $badLinks = $doc->queryXPath('//*[' . static::xpathContains('@href', 'javascript:') . ']');
         static::removeNodes($badLinks);
 
-        // Remove elements with form-like attributes with calls to JavaScript URI
+        // Remove forms with calls to JavaScript URI
         $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
         static::removeNodes($badForms);
 
-        // Remove data or JavaScript iFrames & embeds
+        // Remove meta tag to prevent external redirects
+        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
+        static::removeNodes($metaTags);
+
+        // Remove data or JavaScript iFrames
         $badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
         static::removeNodes($badIframes);
 
-        // Remove data or JavaScript objects
-        $badObjects = $doc->queryXPath('//*[' . static::xpathContains('@data', 'data:') . '] | //*[' . static::xpathContains('@data', 'javascript:') . ']');
-        static::removeNodes($badObjects);
-
         // Remove attributes, within svg children, hiding JavaScript or data uris.
         // A bunch of svg element and attribute combinations expose xss possibilities.
-        // For example, SVG animate tag can exploit JavaScript in values.
+        // For example, SVG animate tag can exploit javascript in values.
         $badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
         static::removeAttributes($badValuesAttrs);
 
@@ -85,52 +49,23 @@ class HtmlContentFilter
         static::removeAttributes($onAttributes);
     }
 
-    protected function filterOutFormElementsFromDocument(HtmlDocument $doc): void
+    /**
+     * Remove scripts from the given HTML string.
+     */
+    public static function removeScriptsFromHtmlString(string $html): string
     {
-        // Remove form elements
-        $formElements = ['form', 'fieldset', 'button', 'textarea', 'select'];
-        foreach ($formElements as $formElement) {
-            $matchingFormElements = $doc->queryXPath('//' . $formElement);
-            static::removeNodes($matchingFormElements);
+        if (empty($html)) {
+            return $html;
         }
 
-        // Remove non-checkbox inputs
-        $inputsToRemove = $doc->queryXPath('//input');
-        /** @var DOMElement $input */
-        foreach ($inputsToRemove as $input) {
-            $type = strtolower($input->getAttribute('type'));
-            if ($type !== 'checkbox') {
-                $input->parentNode->removeChild($input);
-            }
-        }
+        $doc = new HtmlDocument($html);
+        static::removeScriptsFromDocument($doc);
 
-        // Remove form attributes
-        $formAttrs = ['form', 'formaction', 'formmethod', 'formtarget'];
-        foreach ($formAttrs as $formAttr) {
-            $matchingFormAttrs = $doc->queryXPath('//@' . $formAttr);
-            static::removeAttributes($matchingFormAttrs);
-        }
-    }
-
-    protected function filterOutBadHtmlElementsFromDocument(HtmlDocument $doc): void
-    {
-        // Remove meta tag to prevent external redirects
-        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
-        static::removeNodes($metaTags);
-    }
-
-    protected function filterOutNonContentElementsFromDocument(HtmlDocument $doc): void
-    {
-        // Remove non-content elements
-        $formElements = ['link', 'style', 'meta', 'title', 'template'];
-        foreach ($formElements as $formElement) {
-            $matchingFormElements = $doc->queryXPath('//' . $formElement);
-            static::removeNodes($matchingFormElements);
-        }
+        return $doc->getBodyInnerHtml();
     }
 
     /**
-     * Create an x-path 'contains' statement with a translation automatically built within
+     * Create a xpath contains statement with a translation automatically built within
      * to affectively search in a cases-insensitive manner.
      */
     protected static function xpathContains(string $property, string $value): string
@@ -164,34 +99,4 @@ class HtmlContentFilter
             $parentNode->removeAttribute($attrName);
         }
     }
-
-    /**
-     * Alias using the old method name to avoid potential compatibility breaks during patch release.
-     * To remove in future feature release.
-     * @deprecated Use filterDocument instead.
-     */
-    public static function removeScriptsFromDocument(HtmlDocument $doc): void
-    {
-        $config = new HtmlContentFilterConfig(
-            filterOutNonContentElements: false,
-            useAllowListFilter: false,
-        );
-        $filter = new self($config);
-        $filter->filterDocument($doc);
-    }
-
-    /**
-     * Alias using the old method name to avoid potential compatibility breaks during patch release.
-     * To remove in future feature release.
-     * @deprecated Use filterString instead.
-     */
-    public static function removeScriptsFromHtmlString(string $html): string
-    {
-        $config = new HtmlContentFilterConfig(
-            filterOutNonContentElements: false,
-            useAllowListFilter: false,
-        );
-        $filter = new self($config);
-        return $filter->filterString($html);
-    }
 }

app/Util/HtmlContentFilterConfig.php

@@ -1,31 +0,0 @@
-<?php
-
-namespace BookStack\Util;
-
-readonly class HtmlContentFilterConfig
-{
-    public function __construct(
-        public bool $filterOutJavaScript = true,
-        public bool $filterOutBadHtmlElements = true,
-        public bool $filterOutFormElements = true,
-        public bool $filterOutNonContentElements = true,
-        public bool $useAllowListFilter = true,
-    ) {
-    }
-
-    /**
-     * Create an instance from a config string, where the string
-     * is a combination of characters to enable filters.
-     */
-    public static function fromConfigString(string $config): self
-    {
-        $config = strtolower($config);
-        return new self(
-            filterOutJavaScript: str_contains($config, 'j'),
-            filterOutBadHtmlElements: str_contains($config, 'h'),
-            filterOutFormElements: str_contains($config, 'f'),
-            filterOutNonContentElements: str_contains($config, 'h'),
-            useAllowListFilter: str_contains($config, 'a'),
-        );
-    }
-}

app/Util/HtmlDescriptionFilter.php

@@ -19,7 +19,7 @@ class HtmlDescriptionFilter
      */
     protected static array $allowedAttrsByElements = [
         'p' => [],
-        'a' => ['href', 'title', 'target', 'data-mention-user-id'],
+        'a' => ['href', 'title', 'target'],
         'ol' => [],
         'ul' => [],
         'li' => [],

app/Util/HtmlDocument.php

@@ -103,13 +103,7 @@ class HtmlDocument
      */
     public function getBody(): DOMNode
     {
-        $bodies = $this->document->getElementsByTagName('body');
-
-        if ($bodies->length === 0) {
-            return new DOMElement('body', '');
-        }
-
-        return $bodies[0];
+        return $this->document->getElementsByTagName('body')[0];
     }
 
     /**

composer.json

@@ -19,7 +19,6 @@
         "ext-zip": "*",
         "bacon/bacon-qr-code": "^3.0",
         "dompdf/dompdf": "^3.1",
-        "ezyang/htmlpurifier": "^4.19",
         "guzzlehttp/guzzle": "^7.4",
         "intervention/image": "^3.5",
         "knplabs/knp-snappy": "^1.5",
@@ -30,17 +29,16 @@
         "league/flysystem-aws-s3-v3": "^3.0",
         "league/html-to-markdown": "^5.0.0",
         "league/oauth2-client": "^2.6",
-        "onelogin/php-saml": "^4.3.1",
+        "onelogin/php-saml": "^4.0",
         "phpseclib/phpseclib": "^3.0",
-        "pragmarx/google2fa": "^9.0",
+        "pragmarx/google2fa": "^8.0",
         "predis/predis": "^3.2",
         "socialiteproviders/discord": "^4.1",
         "socialiteproviders/gitlab": "^4.1",
         "socialiteproviders/microsoft-azure": "^5.1",
         "socialiteproviders/okta": "^4.2",
         "socialiteproviders/twitch": "^5.3",
-        "ssddanbrown/htmldiff": "^2.0.0",
-        "xemlock/htmlpurifier-html5": "^0.1.12"
+        "ssddanbrown/htmldiff": "^2.0.0"
     },
     "require-dev": {
         "fakerphp/faker": "^1.21",
@@ -49,7 +47,7 @@
         "nunomaduro/collision": "^8.6",
         "larastan/larastan": "^v3.0",
         "phpunit/phpunit": "^11.5",
-        "squizlabs/php_codesniffer": "^4.0.1",
+        "squizlabs/php_codesniffer": "^3.7",
         "ssddanbrown/asserthtml": "^3.1"
     },
     "autoload": {
@@ -95,7 +93,6 @@
             "@php artisan view:clear"
         ],
         "refresh-test-database": [
-            "@putenv APP_TIMEZONE=UTC",
             "@php artisan migrate:refresh --database=mysql_testing",
             "@php artisan db:seed --class=DummyContentSeeder --database=mysql_testing"
         ]

crowdin.yml

@@ -1,4 +1,3 @@
-project_id: "377219"
 project_identifier: bookstack
 base_path: .
 preserve_hierarchy: false

database/factories/Entities/Models/SlugHistoryFactory.php

@@ -1,29 +0,0 @@
-<?php
-
-namespace Database\Factories\Entities\Models;
-
-use BookStack\Entities\Models\Book;
-use Illuminate\Database\Eloquent\Factories\Factory;
-
-/**
- * @extends \Illuminate\Database\Eloquent\Factories\Factory<\BookStack\Entities\Models\SlugHistory>
- */
-class SlugHistoryFactory extends Factory
-{
-    protected $model = \BookStack\Entities\Models\SlugHistory::class;
-
-    /**
-     * Define the model's default state.
-     *
-     * @return array<string, mixed>
-     */
-    public function definition(): array
-    {
-        return [
-            'sluggable_id' => Book::factory(),
-            'sluggable_type' => 'book',
-            'slug' => $this->faker->slug(),
-            'parent_slug' => null,
-        ];
-    }
-}

database/migrations/2025_11_23_161812_create_slug_history_table.php

@@ -1,51 +0,0 @@
-<?php
-
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\DB;
-use Illuminate\Support\Facades\Schema;
-
-return new class extends Migration
-{
-    /**
-     * Run the migrations.
-     */
-    public function up(): void
-    {
-        // Create the table for storing slug history
-        Schema::create('slug_history', function (Blueprint $table) {
-            $table->increments('id');
-            $table->string('sluggable_type', 10)->index();
-            $table->unsignedBigInteger('sluggable_id')->index();
-            $table->string('slug')->index();
-            $table->string('parent_slug')->nullable()->index();
-            $table->timestamps();
-        });
-
-        // Migrate in slugs from page revisions
-        $revisionSlugQuery = DB::table('page_revisions')
-            ->select([
-                DB::raw('\'page\' as sluggable_type'),
-                'page_id as sluggable_id',
-                'slug',
-                'book_slug as parent_slug',
-                DB::raw('min(created_at) as created_at'),
-                DB::raw('min(updated_at) as updated_at'),
-            ])
-            ->where('type', '=', 'version')
-            ->groupBy(['sluggable_id', 'slug', 'parent_slug']);
-
-        DB::table('slug_history')->insertUsing(
-            ['sluggable_type', 'sluggable_id', 'slug', 'parent_slug', 'created_at', 'updated_at'],
-            $revisionSlugQuery,
-        );
-    }
-
-    /**
-     * Reverse the migrations.
-     */
-    public function down(): void
-    {
-        Schema::dropIfExists('slug_history');
-    }
-};

database/migrations/2025_12_15_140219_create_mention_history_table.php

@@ -1,31 +0,0 @@
-<?php
-
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;
-
-return new class extends Migration
-{
-    /**
-     * Run the migrations.
-     */
-    public function up(): void
-    {
-        Schema::create('mention_history', function (Blueprint $table) {
-            $table->increments('id');
-            $table->string('mentionable_type', 50)->index();
-            $table->unsignedBigInteger('mentionable_id')->index();
-            $table->unsignedInteger('from_user_id');
-            $table->unsignedInteger('to_user_id');
-            $table->timestamps();
-        });
-    }
-
-    /**
-     * Reverse the migrations.
-     */
-    public function down(): void
-    {
-        Schema::dropIfExists('mention_history');
-    }
-};

database/migrations/2025_12_19_103417_add_views_viewable_type_index.php

@@ -1,28 +0,0 @@
-<?php
-
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;
-
-return new class extends Migration
-{
-    /**
-     * Run the migrations.
-     */
-    public function up(): void
-    {
-        Schema::table('views', function (Blueprint $table) {
-            $table->index('viewable_type', 'views_viewable_type_index');
-        });
-    }
-
-    /**
-     * Reverse the migrations.
-     */
-    public function down(): void
-    {
-        Schema::table('views', function (Blueprint $table) {
-            $table->dropIndex('views_viewable_type_index');
-        });
-    }
-};

database/seeders/DummyContentSeeder.php

@@ -13,6 +13,7 @@ use BookStack\Search\SearchIndex;
 use BookStack\Users\Models\Role;
 use BookStack\Users\Models\User;
 use Illuminate\Database\Eloquent\Relations\HasMany;
+use Illuminate\Database\Eloquent\Relations\Relation;
 use Illuminate\Database\Seeder;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Hash;
@@ -22,8 +23,10 @@ class DummyContentSeeder extends Seeder
 {
     /**
      * Run the database seeds.
+     *
+     * @return void
      */
-    public function run(): void
+    public function run()
     {
         // Create an editor user
         $editorUser = User::factory()->create();

dev/build/esbuild.js

@@ -1,15 +1,12 @@
 #!/usr/bin/env node
 
-import * as esbuild from 'esbuild';
-import * as path from 'node:path';
-import * as fs from 'node:fs';
-import * as process from "node:process";
+const esbuild = require('esbuild');
+const path = require('path');
+const fs = require('fs');
 
 // Check if we're building for production
 // (Set via passing `production` as first argument)
-const mode = process.argv[2];
-const isProd = mode === 'production';
-const __dirname = import.meta.dirname;
+const isProd = process.argv[2] === 'production';
 
 // Gather our input files
 const entryPoints = {
@@ -20,16 +17,11 @@ const entryPoints = {
     wysiwyg: path.join(__dirname, '../../resources/js/wysiwyg/index.ts'),
 };
 
-// Watch styles so we can reload on change
-if (mode === 'watch') {
-    entryPoints['styles-dummy'] = path.join(__dirname, '../../public/dist/styles.css');
-}
-
 // Locate our output directory
 const outdir = path.join(__dirname, '../../public/dist');
 
-// Define the options for esbuild
-const options = {
+// Build via esbuild
+esbuild.build({
     bundle: true,
     metafile: true,
     entryPoints,
@@ -41,7 +33,6 @@ const options = {
     minify: isProd,
     logLevel: 'info',
     loader: {
-        '.html': 'copy',
         '.svg': 'text',
     },
     absWorkingDir: path.join(__dirname, '../..'),
@@ -54,34 +45,6 @@ const options = {
         js: '// See the "/licenses" URI for full package license details',
         css: '/* See the "/licenses" URI for full package license details */',
     },
-};
-
-if (mode === 'watch') {
-    options.inject = [
-        path.join(__dirname, './livereload.js'),
-    ];
-}
-
-const ctx = await esbuild.context(options);
-
-if (mode === 'watch') {
-    // Watch for changes and rebuild on change
-    ctx.watch({});
-    let {hosts, port} = await ctx.serve({
-        servedir: path.join(__dirname, '../../public'),
-        cors: {
-            origin: '*',
-        }
-    });
-} else {
-    // Build with meta output for analysis
-    const result = await ctx.rebuild();
-    const outputs = result.metafile.outputs;
-    const files = Object.keys(outputs);
-    for (const file of files) {
-        const output = outputs[file];
-        console.log(`Written: ${file} @ ${Math.round(output.bytes / 1000)}kB`);
-    }
+}).then(result => {
     fs.writeFileSync('esbuild-meta.json', JSON.stringify(result.metafile));
-    process.exit(0);
-}
+}).catch(() => process.exit(1));

dev/build/livereload.js

@@ -1,35 +0,0 @@
-if (!window.__dev_reload_listening) {
-    listen();
-    window.__dev_reload_listening = true;
-}
-
-
-function listen() {
-    console.log('Listening for livereload events...');
-    new EventSource("http://127.0.0.1:8000/esbuild").addEventListener('change', e => {
-        const { added, removed, updated } = JSON.parse(e.data);
-
-        if (!added.length && !removed.length && updated.length > 0) {
-            const updatedPath = updated.filter(path => path.endsWith('.css'))[0]
-            if (!updatedPath) return;
-
-            const links = [...document.querySelectorAll("link[rel='stylesheet']")];
-            for (const link of links) {
-                const url = new URL(link.href);
-                const name = updatedPath.replace('-dummy', '');
-
-                if (url.pathname.endsWith(name)) {
-                    const next = link.cloneNode();
-                    next.href = name + '?version=' + Math.random().toString(36).slice(2);
-                    next.onload = function() {
-                        link.remove();
-                    };
-                    link.after(next);
-                    return
-                }
-            }
-        }
-
-        location.reload()
-    });
-}

dev/checksums/vendor

@@ -1 +1 @@
-e2acb4ea1edce1e2c9af0d7598a3de9ae1d44ff9e647f018f4f732ab5f560f9d
+22e02ee72d21ff719c1073abbec8302f8e2096ba6d072e133051064ed24b45b1

dev/docker/Dockerfile

@@ -14,9 +14,6 @@ RUN apt-get update && \
         wait-for-it && \
     rm -rf /var/lib/apt/lists/*
 
-# Mark /app as safe for Git >= 2.35.2
-RUN git config --system --add safe.directory /app
-
 # Install PHP extensions
 RUN docker-php-ext-configure ldap --with-libdir="lib/$(gcc -dumpmachine)" && \
     docker-php-ext-configure gd --with-freetype --with-jpeg && \

dev/docker/db-testing/Dockerfile

@@ -1,30 +0,0 @@
-FROM ubuntu:24.04
-
-# Install additional dependencies
-RUN apt-get update && \
-    apt-get install -y \
-        git \
-		wget \
-        zip \
-        unzip \
-		php \
-		php-bcmath php-curl php-mbstring php-gd php-xml php-zip php-mysql php-ldap \
-       && \
-    rm -rf /var/lib/apt/lists/*
-
-# Take branch as an argument so we can choose which BookStack
-# branch to test against
-ARG BRANCH=development
-
-# Download BookStack & install PHP deps
-RUN mkdir -p /var/www && \
-    git clone https://github.com/bookstackapp/bookstack.git --branch "$BRANCH" --single-branch /var/www/bookstack && \
-    cd /var/www/bookstack && \
-    wget https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer -O - -q | php -- --quiet --filename=composer && \
-    php composer install
-
-# Set the BookStack dir as the default working dir
-WORKDIR /var/www/bookstack
-
-# Set the default action as running php
-ENTRYPOINT ["/bin/php"]

dev/docker/db-testing/readme.md

@@ -1,32 +0,0 @@
-# Database Testing Suite
-
-This docker setup is designed to run BookStack's test suite against each major database version we support
-across MySQL and MariaDB to ensure compatibility and highlight any potential issues before a release.
-This is a fairly slow and heavy process, so is designed to just be run manually before a release which
-makes changes to the database schema, or a release which makes significant changes to database queries.
-
-### Running
-
-Everything is ran via the `run.sh` script. This will:
-
-- Optionally, accept a branch of BookStack to use for testing.
-- Build the docker image from the `Dockerfile`.
-  - This will include a built-in copy of the chosen BookStack branch. 
-- Cycle through each major supported database version:
-  - Migrate and seed the database.
-  - Run the full PHP test suite.
-
-If there's a failure for a database version, the script will prompt if you'd like to continue or stop testing.
-
-This script should be ran from this `db-testing` directory:
-
-```bash
-# Enter this directory
-cd dev/docker/db-testing
-
-# Runs for the 'development' branch by default
-./run.sh
-
-# Run for a specific branch
-./run.sh v25-11
-```

dev/docker/db-testing/run.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-
-BRANCH=${1:-development}
-
-# Build the container with a known name
-docker build --no-cache --build-arg BRANCH="$BRANCH" -t bookstack:db-testing .
-if [ $? -eq 1 ]; then
-  echo "Failed to build app container for testing"
-  exit 1
-fi
-
-# List of database containers to test against
-containers=(
-  "mysql:8.0"
-  "mysql:8.4"
-  "mysql:9.5"
-  "mariadb:10.6"
-  "mariadb:10.11"
-  "mariadb:11.4"
-  "mariadb:11.8"
-  "mariadb:12.0"
-)
-
-# Pre-clean-up from prior runs
-docker stop bs-dbtest-db
-docker network rm bs-dbtest-net
-
-# Cycle over each database image
-for img in "${containers[@]}"; do
-  echo "Starting tests with $img..."
-  docker network create bs-dbtest-net
-  docker run -d --rm --name "bs-dbtest-db" \
-    -e MYSQL_DATABASE=bookstack-test \
-    -e MYSQL_USER=bookstack \
-    -e MYSQL_PASSWORD=bookstack \
-    -e MYSQL_ROOT_PASSWORD=password \
-	  --network=bs-dbtest-net \
-    "$img"
-  sleep 20
-  APP_RUN='docker run -it --rm --network=bs-dbtest-net -e TEST_DATABASE_URL="mysql://bookstack:bookstack@bs-dbtest-db:3306" bookstack:db-testing'
-  $APP_RUN artisan migrate --force --database=mysql_testing
-  $APP_RUN artisan db:seed --force --class=DummyContentSeeder --database=mysql_testing
-  $APP_RUN vendor/bin/phpunit
-  if [ $? -eq 0 ]; then
-    echo "$img - Success"
-  else
-    echo "$img - Error"
-    read -p "Stop script? [y/N] " ans
-    [[ $ans == [yY] ]] && exit 0
-  fi
-
-  docker stop "bs-dbtest-db"
-  docker network rm bs-dbtest-net
-done
-

dev/docs/development.md

@@ -3,11 +3,11 @@
 All development on BookStack is currently done on the `development` branch. 
 When it's time for a release the `development` branch is merged into release with built & minified CSS & JS then tagged at its version. Here are the current development requirements:
 
-* [Node.js](https://nodejs.org/en/) v22.0+
+* [Node.js](https://nodejs.org/en/) v20.0+
 
 ## Building CSS & JavaScript Assets
 
-This project uses SASS for CSS development which is built, along with the JavaScript, using a range of npm scripts. The below npm commands can be used to install the dependencies & run the build tasks:
+This project uses SASS for CSS development and this is built, along with the JavaScript, using a range of npm scripts. The below npm commands can be used to install the dependencies & run the build tasks:
 
 ``` bash
 # Install NPM Dependencies
@@ -113,4 +113,4 @@ docker-compose run app php vendor/bin/phpunit
 ### Debugging
 
 The docker-compose setup ships with Xdebug, which you can listen to on port 9090.
-NB: For some editors like Visual Studio Code, you might need to map your workspace folder to the /app folder within the docker container for this to work.
+NB : For some editors like Visual Studio Code, you might need to map your workspace folder to the /app folder within the docker container for this to work.

dev/docs/javascript-code.md

@@ -161,7 +161,3 @@ window.$components.firstOnElement(element, name);
 There are a range of available events that are emitted as part of a public & supported API for accessing or extending JavaScript libraries & components used in the system.
 
 Details on these events can be found in the [JavaScript Public Events file](javascript-public-events.md).
-
-## WYSIWYG Editor API
-
-Details on the API for our custom-built WYSIWYG editor can be found in the [WYSIWYG JavaScript API file](./wysiwyg-js-api.md).

dev/docs/javascript-public-events.md

@@ -60,7 +60,7 @@ This event is called when the markdown editor loads, post configuration but befo
 
 #### Event Data
 
-- `markdownIt` - A reference to the [MarkdownIt](https://markdown-it.github.io/markdown-it/#MarkdownIt) instance used to render markdown to HTML (Just for the preview).
+- `markdownIt` - A references to the [MarkdownIt](https://markdown-it.github.io/markdown-it/#MarkdownIt) instance used to render markdown to HTML (Just for the preview).
 - `displayEl` - The IFrame Element that wraps the HTML preview display.
 - `cmEditorView` - The CodeMirror [EditorView](https://codemirror.net/docs/ref/#view.EditorView) instance used for the markdown input editor.
 
@@ -79,7 +79,7 @@ window.addEventListener('editor-markdown::setup', event => {
 This event is called as the embedded diagrams.net drawing editor loads, to allow configuration of the diagrams.net interface.
 See [this diagrams.net page](https://www.diagrams.net/doc/faq/configure-diagram-editor) for details on the available options for the configure event.
 
-If using a custom diagrams.net instance, via the `DRAWIO` option, you will need to ensure your DRAWIO option URL has the `configure=1` query parameter.
+If using a custom diagrams.net instance, via the `DRAWIO` option, you will need to ensure  your DRAWIO option URL has the `configure=1` query parameter.
 
 #### Event Data
 
@@ -134,47 +134,6 @@ window.addEventListener('editor-tinymce::setup', event => {
 });
 ```
 
-### `editor-wysiwyg::post-init`
-
-This is called after the (new custom-built Lexical-based) WYSIWYG editor has been initialised.
-
-#### Event Data
-
-- `usage` - A string label to identify the usage type of the WYSIWYG editor in BookStack.
-- `api` - An instance to the WYSIWYG editor API, as documented in the [WYSIWYG JavaScript API file](./wysiwyg-js-api.md).
-
-##### Example
-
-The below example shows how you'd use this API to create a button, with that button added to the main toolbar of the page editor, which inserts bold "Hello!" text on press:
-
-<details>
-<summary>Show Example</summary>
-
-```javascript
-window.addEventListener('editor-wysiwyg::post-init', event => {
-    const {usage, api} = event.detail;
-    // Check that it's the page editor which is being loaded
-    if (usage !== 'page-editor') {
-        return;
-    }
-    
-    // Create a custom button which inserts bold hello text on press
-    const button = api.ui.createButton({
-        label: 'Greet',
-        action: () => {
-            api.content.insertHtml(`<strong>Hello!</strong>`);
-        }
-    });
-    
-    // Add the button to the start of the first section within the main toolbar
-    const toolbar = api.ui.getMainToolbar();
-    if (toolbar) {
-      toolbar.getSections()[0]?.addButton(button, 0);   
-    }
-});
-```
-</details>
-
 ### `library-cm6::configure-theme`
 
 This event is called whenever a CodeMirror instance is loaded, as a method to configure the theme used by CodeMirror. This applies to all CodeMirror instances including in-page code blocks, editors using in BookStack settings, and the Page markdown editor.
@@ -183,7 +142,7 @@ This event is called whenever a CodeMirror instance is loaded, as a method to co
 
 - `darkModeActive` - A boolean to indicate if the current view/page is being loaded with dark mode active.
 - `registerViewTheme(builder)` - A method that can be called to register a new view (CodeMirror UI) theme.
-  - `builder` - A function that will return an object that will be passed into the CodeMirror [EditorView.theme()](https://codemirror.net/docs/ref/#view.EditorView^theme) function as a StyleSpec.
+  - `builder` - A function that will return  an object that will be passed into the CodeMirror [EditorView.theme()](https://codemirror.net/docs/ref/#view.EditorView^theme) function as a StyleSpec.
 - `registerHighlightStyle(builder)` - A method that can be called to register a new HighlightStyle (code highlighting) theme.
   - `builder` - A function, that receives a reference to [Tag.tags](https://lezer.codemirror.net/docs/ref/#highlight.tags) and returns an array of [TagStyle](https://codemirror.net/docs/ref/#language.TagStyle) objects.
 
@@ -342,7 +301,7 @@ This event is called just after any CodeMirror instances are initialised so that
 
 ##### Example
 
-The below example shows how you'd prepend some default text to all content (page) code blocks.
+The below shows how you'd prepend some default text to all content (page) code blocks.
 
 <details>
 <summary>Show Example</summary>
@@ -359,4 +318,4 @@ window.addEventListener('library-cm6::post-init', event => {
     }
 });
 ```
-</details>
+</details>