- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
(cherry picked from commit bb448f3dc2)
- Ensure that all filters are set in the issue filters links, thus
becoming persistent.
- Adds integration test
- Resolves#4843
(cherry picked from commit 192177fc88)
- If you have the external issue setting enabled, any reference would
have been rendered as an external issue, however this shouldn't be
happening to references that refer to issues in other repositories.
- Unit test added.
(cherry picked from commit 05e163aaf3)
- Adjust the counting of the number of lines of a file to match the
amount of rendered lines. This simply means that a file with the content
of `a\n` will be shown as having `1 line` rather than `2 lines`. This
matches with the amount of lines that are being rendered (the last empty
line is never rendered) and matches more with the expecation of the
user (a trailing EOL is a technical detail).
- In the case there's no EOL, the reason why it was counting
'incorrectly' was to show if there was a trailing EOL or not, but now
text is shown to tell the user this.
- Integration test added.
- ResolvesCodeberg/Community#1612
(cherry picked from commit 5cf976739c)
- Follows 595e8abd68
- Add the reaction hover background color variable, slightly lighter
than the active background color.
(cherry picked from commit cc11b3027c)
- Adjust the `RepoRefByType` middleware to allow for commit SHAs that
are as short as 4 characters (the minium that Git requires).
- Integration test added.
- Follow up to 4d76bbeda7
- Resolves#4781
(cherry picked from commit b967fce25d)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/4452
## Regexp fixes
This fixes#4431 by adjusting the related regular expressions. Also it allows to have multiple spaces between `-` or `*` and the following brackets.
Related is the following gitea PR: https://github.com/go-gitea/gitea/pull/3296. I wonder a bit why the author stated
> Also fixed the requirement for one character after the blank of - [ ] .
I don't see a reason why
```
- [x]
some task
```
shall not be a valid checkbox without any character after the `]`. E.g., this would render to
- [x]
some task
The third commit fixes this issue.
### Comments
- I wonder a bit why the regexp is written in such complicated way and if
```diff
- (^\s*[-*]\s*\[[\sxX]\])|(
\s*[-*]\s*\[[\sxX]\])
+ (^|
)\s*[-*]\s*\[[\sxX]\]
```
would work the same way. Edit: I tried and indeed the second regex works as expected.
- ~~Why it is actually matching the `\s` and not just the space (` `)? (but OK, no big issue)~~ Edit: `[\t]` is also allowed. Keep it!
- Check boxes in code blocks are counted as well, but I think that this is an edge case which is not a big issue as well.
### Before
![before](https://codeberg.org/attachments/cb4f879d-cdd2-4814-aed2-5de8b5437fb2)
### After
![after](https://codeberg.org/attachments/5d54648f-dd73-4577-9a80-729016219093)
## Javascript fixes
Additionally, while testing I figured out, that currently checkboxes with capital `X` like
```
- [X] another task
```
- [X] another task
cannot be unchecked. Thus, the second commit fixes that issue as well.
## Checklist
The [developer guide](https://forgejo.org/docs/next/developer/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4735
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
The PATCH if issue & pull request switched to use the service
functions instead. However, the service function changing the state is
not idempotent. Instead of doing nothing which changing from open to
open or close to close, it will fail with an error like:
Issue [2472] 0 was already closed
Regression of: 6a4bc0289d
Fixes: https://codeberg.org/forgejo/forgejo/issues/4686
(cherry picked from commit e9e3b8c0f3)
- `elkjs` is a library that's imported by `mermaid`, although they have
seperated this package to it's own mermaid
package (https://github.com/mermaid-js/mermaid/pull/5654), the stable
version doesn't have this patch.
- `elkjs` is licensed under the EPL-2.0 license (copyleft), which isn't
compatible with GPL unless the license author explcitly allow this via a
so called "secondary license". At the end of the day it cannot be
released under a MIT or GPL license.
- Use webpack's `externals` option to avoid bundling `elkjs` and instead
leave it as a `require` code.
- This is a 'dirty' way to ensure elkjs isn't bundled and has to be
tested manually to ensure this for every release (via the
`webpack-bundle-analyzer` plugin). If someone tries to use the elkjs
render, it will result in a non-descriptive error being shown.
(cherry picked from commit 510cbe2c92)
**Backport: #4638**
This PR reserves the devtest username. This is because /devtest is used
for testing various elements and layouts of the UI, and creating a user
or organisation with that name may cause problems and conflicts if the
RUN_MODE is set to dev