Commit Graph

3261 Commits

Author SHA1 Message Date
El RIDO
3508989114
updated dompurify library 2024-05-04 16:18:43 +02:00
El RIDO
06fb606aa7
Merge branch 'master' into bootstrap 2024-05-04 16:15:07 +02:00
El RIDO
2b87bf3d13
update SRI hashes 2024-05-04 16:14:12 +02:00
El RIDO
125feec67c
Merge pull request #1299 from PrivateBin/chore/dompurify
chore: ugrade DOMPurify from v3.0.8 to 3.1.2
2024-05-04 16:13:19 +02:00
rugk
61259a2e60 chore: remove source map URL 2024-05-04 13:50:51 +00:00
rugk
3f1bcb5c5a
doc: add Chnagelog entry 2024-05-04 15:39:25 +02:00
rugk
7a738d6893
test: also update DOMPurify in tests 2024-05-04 15:38:04 +02:00
Andreas Schneider
4163c4f1d9
Merge pull request #1300 from PrivateBin/php-84-experimental
tolerate test failures in the PHP development release
2024-05-04 15:34:17 +02:00
El RIDO
3f5b6e0ce5
fix glitch introduced by e22da2e0d1 2024-05-04 13:53:21 +02:00
El RIDO
81fdf8ebfc
re-lax samesite cookie policy
As per discussion in code review:

> Cookies are always scoped in browsers. That's not the issue. SameSite attribute just protects against CSRF attacks. But Get requests (aka links) are also "protected" with Strict, which breaks it… and for users that is highly confusing when they (apparently arbitrarily) do not get the language they have set before when clicking a link.

https://github.com/PrivateBin/PrivateBin/pull/1287#discussion_r1589299210
2024-05-04 12:12:31 +02:00
El RIDO
5425ea79f8
Merge branch 'master' into bootstrap5 2024-05-04 12:08:10 +02:00
El RIDO
baf8c4a11d tolerate test failures in the PHP development release
at this time, guzzle, dependency of google cloud storage library, raises deprecation warnings in PHP 8.4, which caused the tests to be considered failed
2024-05-04 08:58:20 +02:00
El RIDO
1d755d8046
Merge pull request #1280 from PrivateBin/doc-n-test-mopup
Doc'n'test mopup
2024-05-04 08:38:12 +02:00
rugk
4500794980 chore: ugrade DOMPurify from v3.0.8 to 3.1.2
This incluces v3.1.1, which says:
> Note that this is a security release and should be upgraded to immediately.

https://github.com/cure53/DOMPurify/releases/tag/3.1.1

The release notes of the actual version itself are https://github.com/cure53/DOMPurify/releases/tag/3.1.2

I do not found more information on the vulnerability that apparently is in there.

* [x] manually tested and works
2024-05-03 15:55:53 +00:00
El RIDO
02e98826b3
Merge pull request #1296 from PrivateBin/crowdin-translation
New Crowdin updates
2024-05-03 07:25:50 +02:00
PrivateBin Translator Bot
22166c91d7 New translations en.json (Turkish) 2024-05-03 04:18:56 +02:00
El RIDO
c7226eedd7
Update tpl/bootstrap5.php
Co-authored-by: rugk <rugk+git@posteo.de>
2024-05-02 08:03:55 +02:00
El RIDO
8bfab7fd89
Update tpl/bootstrap5.php
Co-authored-by: rugk <rugk+git@posteo.de>
2024-05-02 08:01:37 +02:00
El RIDO
5c6bd3eba8
Update tpl/bootstrap5.php
Co-authored-by: rugk <rugk+git@posteo.de>
2024-04-23 23:09:21 +02:00
El RIDO
c66d3f05da
semantics 2024-04-23 22:11:58 +02:00
El RIDO
142a380bb2
undo simplification, here we actually check if it is a non-empty string 2024-04-23 22:02:41 +02:00
El RIDO
6273cc9a4c
extract shared common CSS into single file 2024-04-23 21:49:57 +02:00
El RIDO
e22da2e0d1
address "oneliner-hell" 2024-04-23 21:15:33 +02:00
El RIDO
f4e8e363cb
fix scrutinizer reported issue
empty only works with variables, not constants - here we want to error out if PATH either isn't defined or does not end in a directory separator, so we can concatenate onto it
2024-04-23 21:15:33 +02:00
El RIDO
ec02afca04
Merge pull request #1289 from PrivateBin/dependabot/github_actions/slsa-framework/slsa-github-generator-2.0.0
Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0
2024-04-23 18:27:24 +02:00
El RIDO
b6f90f903b
Merge pull request #1288 from smonesi/master
Fix weird Italian translation for burn-after-reading messages.
2024-04-23 18:19:46 +02:00
dependabot[bot]
ad19f8cfe6
Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.10.0 to 2.0.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.10.0...v2.0.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-23 11:43:14 +00:00
smonesi
2813dd2295
Another small translation fix 2024-04-23 11:43:30 +02:00
smonesi
0311b4f527
Fix silly translation for burn-after-reading messages. 2024-04-23 11:35:32 +02:00
El RIDO
8b3d66b8e2
Update css/bootstrap5/privatebin.css
Co-authored-by: rugk <rugk+git@posteo.de>
2024-04-23 06:38:45 +02:00
El RIDO
9bcb114a23
document changes 2024-04-21 11:46:46 +02:00
El RIDO
bdc9c307df
add "Dark Mode" to translation strings 2024-04-21 11:46:14 +02:00
El RIDO
658383e6d1
set lang cookie with strict SameSite property 2024-04-21 11:36:31 +02:00
El RIDO
15481290fb
fix tab alignment 2024-04-21 11:02:14 +02:00
El RIDO
545ba7506e
bootstrap 5 - fix password modal display 2024-04-21 11:01:40 +02:00
El RIDO
a7ea62fcd0
bootstrap 5 prettify dark theme support
current status:
- made prettify theme work with dark mode

to be done:
- fix password modal display
- add "Dark Mode" to translation strings
- check tab alignment in HTML source
2024-04-19 14:00:49 +02:00
El RIDO
491ed9a521
bootstrap 5 template function complete
current status:
- got expiration and format selections to work
- fixed modals (password, QR-code, etc.)
- replaced glyphicons with Bootstrap icons (needs CSP relaxation to work)
- tested the different settings and combinations
- got editor tabs to change active status

to be done:
- add "Dark Mode" to translation strings
- figure out how to change prettify theme when dark mode gets selected
- check tab alignment in HTML source
2024-04-18 21:36:43 +02:00
El RIDO
7526856570
Merge pull request #1281 from PrivateBin/dependabot/composer/phpunit/phpunit-9.6.19
Bump phpunit/phpunit from 9.6.18 to 9.6.19
2024-04-09 04:07:33 +02:00
dependabot[bot]
027462a872
Bump phpunit/phpunit from 9.6.18 to 9.6.19
Bumps [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) from 9.6.18 to 9.6.19.
- [Release notes](https://github.com/sebastianbergmann/phpunit/releases)
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/9.6.19/ChangeLog-9.6.md)
- [Commits](https://github.com/sebastianbergmann/phpunit/compare/9.6.18...9.6.19)

---
updated-dependencies:
- dependency-name: phpunit/phpunit
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-05 11:06:39 +00:00
El RIDO
7565be8ed5
initial work on a bootstrap 5 template
current status:
- renders without PHP errors & passes unit tests
- displays pastes
- responsive navbar
- right-to-left support
- auto dark mode with toggle

to be done:
- add "Dark Mode" to translation strings
- get expiration and format selections to work
- fix modals (password, QR-code, etc.)
- replace glyphicons with Bootstrap Icons (no longer included)
- test all the different settings and combinations
- check tab alignment in HTML source
2024-04-01 18:59:28 +02:00
El RIDO
6bcef2fa24
handle PHP 8.2 deprecation
PHP 8.2 deprecates implicit conversion from float to int if it loses precision, hence the explicit conversion.

PHP 8.1 deprecates the (optional since PHP 8.0) 3rd parameter of imagefilledpolygon(), but 7.3 & 7.4 require it.
2024-04-01 14:50:16 +02:00
El RIDO
b9a9e7c324
bump versions of optional cloud storage dependencies 2024-04-01 14:35:16 +02:00
El RIDO
aae3ea7cbf
update documentation
- clarify all template options & link to previews
- document new ctype extension requirement
2024-04-01 14:34:23 +02:00
El RIDO
3bc09ed561
Merge pull request #1275 from PrivateBin/legacy-php-cleanup
input sanitation & removing some obsolete version checks
2024-03-26 06:33:57 +01:00
El RIDO
b75aee6834
Merge pull request #1277 from Zwyx/add-header
Add response header `X-Uncompressed-Content-Length` for JSON API
2024-03-24 18:58:01 +01:00
Zwyx
6130547ca6
Add response header X-Uncompressed-Content-Length for JSON API
Because the response from the API is PHP output, the usual `Content-Length` header is absent.

This [custom header technique](https://stackoverflow.com/questions/15097712/how-can-i-use-deflated-gzipped-content-with-an-xhr-onprogress-function/32799706#32799706) allows the client to know the total length of the data being received, in order to display a progress indicator.

Here's a code example with `XMLHttpRequest`:


```
xhr.addEventListener("progress", (e) => {
	if (e.lengthComputable) {
		onDownloadProgress({
			loaded: e.loaded,
			total: e.total,
		});
	} else {
		const uncompressedContentLength = xhr.getResponseHeader(
			"X-Uncompressed-Content-Length",
		);

		if (uncompressedContentLength) {
			onDownloadProgress({
				loaded: e.loaded,
				total: Number(uncompressedContentLength),
			});
		}
	}
});
```

Notes:
- `Fetch` can be used as well (only reason I use `XMLHttpRequest` is because `fetch` doesn't allow to track the progress of uploaded data (when creating a paste); whereas `XMLHttpRequest` does).
- `e.loaded` can be different between browsers; Firefox reports the length of the compressed data, Chrome reports the length of uncompressed data (see https://github.com/whatwg/xhr/issues/388). A workaround for this is to manually set our progress indicator to 100% when the request finishes.
2024-03-24 19:40:50 +08:00
El RIDO
776030c08a
Merge pull request #1273 from PrivateBin/crowdin-translation
New Crowdin updates
2024-03-23 11:33:02 +01:00
El RIDO
65a626f940 inputs sanitation & remove some obsolete version checks
using filter_vars instead of filter_input, because our unit tests depend on manipulating global arrays, which are not used by filter_input - we would have to mock the function in the unit testing, it therefore is cleaner to use the same code paths in testing as in production

some inputs in I18n and TrafficLimiter remain unfiltered, since we already validate them by other means (IP lib and/or preg_match)

our minimum PHP version is 7.3, so we can drop the two < 5.6 fallback checks
2024-03-23 11:27:25 +01:00
PrivateBin Translator Bot
8ec1fc626b New translations en.json (Chinese Simplified) 2024-03-23 09:24:14 +01:00
PrivateBin Translator Bot
59eb6570ee New translations en.json (Ukrainian) 2024-03-23 09:24:13 +01:00