Commit Graph

7854 Commits

Author SHA1 Message Date
Hypolite Petovan 5c5d7eb04f
Fix several vulnerabilities (#13927)
* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/JavaScript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed sharing an event as any other user after zeroing the cid field of an existing event
2024-02-22 06:53:52 +01:00
Michael Vogel d5c0f086bd
Disallow mail addresses for registration (#13920)
* Disallow mail addresses for registration

* Order for allow/disallow has been changed
2024-02-19 09:33:20 +01:00
Michael Vogel f12276eff8
New channel "quiet sharers" for posts from less frequent posters (#13913) 2024-02-18 15:54:21 +01:00
Michael Vogel 14e5b06029
Image handling reworked, new image formats added (#13900)
* Image handling reworked, new image formats added

* Updated messages.po

* The dot is now part of the file extension

* Added WebP in install documentation

* Handle unhandled mime types

* Fixed animated picture detected
2024-02-17 07:45:41 +01:00
Tobias Diekershoff 1ea8a4042d bump version to 2024.03-rc 2024-02-14 08:24:41 +01:00
Michael Vogel fad55e0948
Prevent users from following relay accounts (#13894) 2024-02-13 06:50:46 +01:00
Michael Vogel 2cc8fcc4aa
Merge pull request #13880 from MrPetovan/bug/13878-deprecate-star-list
Deprecate use of [*] BBCode tag for list items in favor of [li]
2024-02-11 03:13:28 +01:00
Michael 7dc9a812f6 Updated messages.po 2024-02-10 11:46:42 +00:00
Michael Vogel 52825cb4c4
User setting to disable blurring of sensitive pictures (#13883) 2024-02-10 09:50:49 +01:00
Tobias Diekershoff 84043abbda update translations 2024-02-10 08:57:19 +01:00
Hypolite Petovan 5b5c9ddc74 Deprecate use of [*] BBCode tag for list items in favor of [li]
- It is conflicting with Markdown syntax
2024-02-09 20:33:42 -05:00
Michael 7924085c94 Issue 13844: User defined channels based on the network 2024-02-04 07:14:57 +00:00
Michael b77a5c3eb4 Merge remote-tracking branch 'upstream/develop' into channel-reshare-privat 2024-02-01 19:41:35 +00:00
Michael Vogel 6a6e2cd2a2
Avoid duplicated post button on the contact conversation page (#13867)
* Avoid duplicated post button on the contact conversation page

* Updated messages.po
2024-02-01 19:47:43 +01:00
Michael 01c04fe2c2 messages.po updated 2024-02-01 16:10:14 +00:00
Michael Vogel 665316c14d
Issue 13859: Posts to a group in "Vier" is now possible (#13864) 2024-01-31 19:09:57 +01:00
Michael c8087a7827 Merge remote-tracking branch 'upstream/develop' into size 2024-01-30 15:24:38 +00:00
Raroun d2f935df1d Updated messages.po 2024-01-30 15:32:27 +01:00
Michael d6632bb0ea Updated messages.po 2024-01-30 10:14:03 +00:00
Michael 3fe4991fcf Filter user defined channels by size 2024-01-30 10:05:05 +00:00
Michael 820674a7ad Use plural 2024-01-29 06:50:46 +00:00
Michael 9bd8d974b3 Account type relay / fix missing baseurl for own contacts 2024-01-29 06:28:43 +00:00
Michael f1173853f3 Merge remote-tracking branch 'upstream/develop' into discover 2024-01-26 13:54:25 +00:00
Michael Vogel 09edf251ee
Anti spam measures against hashtag spam (#13855) 2024-01-25 19:41:07 +01:00
Michael 08ee1e1f63 New channel option "discover" 2024-01-25 10:50:28 +00:00
Michael 8f9de98c35 Updated messages.po 2024-01-23 22:11:34 +00:00
Michael 6389133575 Expiry post search index entries 2024-01-21 16:24:59 +00:00
Michael Vogel 75b37fe376
Merge pull request #13834 from MrPetovan/task/remove-delete-rotator
[frio] Move item deletion rotator to button
2024-01-17 18:00:31 +01:00
Michael 23b247d1c3 Merge remote-tracking branch 'upstream/develop' into channel-relay 2024-01-15 19:41:26 +00:00
Michael a60910be69 Updated messages.po 2024-01-15 16:53:24 +00:00
Hypolite Petovan 0b93270d7b [frio] Move item deletion rotator to button 2024-01-15 10:22:37 -05:00
Hypolite Petovan 886e231091 Exclude Apple keyboard Meta key from the Pause shortcut 2024-01-15 09:55:46 -05:00
Michael 7a13d8b8ac Merge remote-tracking branch 'upstream/develop' into channel-relay 2024-01-15 06:14:55 +00:00
Michael Vogel 02123bda98
Issue 13828: Use the alias as profile link if present (#13829)
* Issue 13828: Use the alias as profile link if present

* Updated messages.po
2024-01-14 10:08:00 +01:00
Hannes Heute 60e1427ffe remove a superfluous '01' that appeared next to checkboxes from template file 2024-01-10 17:41:53 +01:00
Dr. Tobias Quathamer 6fd057fd00 Use double quotes where possible 2024-01-07 21:48:22 +01:00
Dr. Tobias Quathamer e6036b8266 Clean up smarty templates.
This simplifies some logic in if-conditions, because
smarty just returns an empty string for undefined
variables.

Also, this commit removes unnecessary values from
HTML input attributes.
2024-01-07 21:40:01 +01:00
Michael 7e8aee61ba Updated messages.po 2024-01-07 19:57:53 +00:00
Michael d2a74d1936 New option to disallow 2024-01-07 19:22:56 +00:00
Michael c4b85ef25a New field "publish" for channels 2024-01-07 18:36:47 +00:00
Michael 6e830f7774 Improved handling for undetermined languages 2024-01-07 10:11:52 +00:00
Michael 4aedf7f650 Improved code / updated messages.po 2024-01-06 22:04:30 +00:00
Michael 811a9f01bc New user account type "Channel Relay" 2024-01-06 17:27:42 +00:00
Dr. Tobias Quathamer 26f4532d47 Enable HTML attributes in all form fields.
Closes #13804
2024-01-06 16:28:48 +01:00
Michael 4e1263c1f8 Fixed indentation 2024-01-03 19:22:53 +00:00
Michael 93dd1b5973 Updated messages.po / database.sql 2024-01-03 19:20:56 +00:00
Michael 31b88da9d5 Merge remote-tracking branch 'upstream/develop' into channel-languages 2024-01-03 19:17:58 +00:00
Michael da3d390187 User defined channels can now have individual language definitions 2024-01-03 19:17:14 +00:00
Hypolite Petovan 4132e7a468
Merge pull request #13798 from annando/unkmail2
The "unkmail" functionality is removed
2024-01-03 10:02:31 -05:00
Michael 7ecf143e4c The "unkmail" functionality is removed 2024-01-03 10:23:11 +00:00