This allows better Prettier integration: Prettier recognizes and
reformats tagged template literals with a tag named ‘html’.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
This has no effect on our use of executeJavaScript, and will become
the default in Electron 12, but for now it silences a warning in
development mode.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
Also fix various variable names to consistently indicate which strings
contain HTML.
Some of these changes close cross-site scripting vulnerabilities, and
others are for consistency. It’s important to be meticulously
consistent about escaping so that changes that would introduce
vulnerabilities stand out as obviously wrong.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
This reverts commit 49b29bfed6 (#863).
The design of this feature is still under discussion; we expect it to
return after the security release.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Zulip servers in production are designed to only serve content over
HTTPS. And a development environment's root page will be served over
HTTP.
So there is no purpose in enabling allowInsecureContent, even
conditionally for use against Zulip development environments; we should
just remove the setting.
And enable the import/unambiguous ESLint rule as a check on our
partition between scripts and modules. After this commit, if you add
a new file and get this error:
✖ 1:1 This module could be parsed as a valid script. import/unambiguous
* For a module, add an `import` or `export` declaration to make the
file unambiguously a module (the empty `export {};` declaration
suffices).
* For a script, add the file to the xo overrides section of
package.json that marks it "sourceType": "script", and add a 'use
strict' declaration.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
The changes here are mostly straightforward; the one exception is
removing a zulipdev.org hack.
We disable some lint rules we'll want to address later (E.g. we want
to switch to using async/await rather than .then()). But those are
out of scope for this commit.
Moves the social login to browser since there
was no way to verify the authencity of the
auth process for a custom server and to
prevent phishing attacks.
Fixes#849.
Co-authored-by: Kanishk Kakar <kanishk.kakar@gmail.com>
Few changes -
* webview: Show connection failure per server.
* network: Try to reconnect diff servers.
* Fixes concern that some proxy networks may allow only specific servers
to be reachable.
* domains: Show network error on server invalidation.
* webview: Handle network errors in preload script.
Fixes: #591, #312.
Using `import * as` import syntax causes some problem if the
module exports a class or function. Because the whole point of
star import is to import every property the module exports. It turns
out we have been using it incorrectly in many places which this commit
fixes.
Then we fix a linting error by adding a eslint disable rule to solve
it along with a TODO because the way we currently do it is wrong.
Finally, to conclude this cleanup, we merge all the .gitignore paths
into once now that we can.
The change in this commits are pretty involved but cannot be split
into small commits. The main changes in this commits are:
* Remove declare module * now that we don't need it
* Normalize import paths so typescript is happy
Previously, we were using wrong import paths and so typescript couldn't
really provide full types information for imports. The wrong paths isn't
a bug because it was done to make sure it work when it was imported via a
script tag; we fix this by using require inside the script tag in main.html.
Also, did audit to make sure we correctly use __dirname not that it's
value will be diffrent, it won't be js/ but will be respective to the file
path of the module.
