This has no effect on our use of executeJavaScript, and will become
the default in Electron 12, but for now it silences a warning in
development mode.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
Also fix various variable names to consistently indicate which strings
contain HTML.
Some of these changes close cross-site scripting vulnerabilities, and
others are for consistency. It’s important to be meticulously
consistent about escaping so that changes that would introduce
vulnerabilities stand out as obviously wrong.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
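As an added illustration of the convention described in the commit above (example code, not from the Zulip desktop code base): strings holding markup carry an `_html` suffix, everything else is escaped on its way into HTML, and a tagged template makes unescaped interpolation impossible by accident. The helper names `escapeHtml`, `SafeHtml`, `html` and `renderNotificationHtml` are hypothetical.

```javascript
// Added example, not Zulip desktop code. Demonstrates naming strings by
// whether they contain HTML, so that any unescaped interpolation stands out.

const HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"};

// Escape a plain-text string for safe use in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Wrapper type for strings that are already HTML. Only values wrapped in
// it are interpolated verbatim; every other value is escaped.
class SafeHtml {
  constructor(html) {
    this.html = html;
  }
}

// Tagged template: html`...` escapes each interpolated value unless it is a
// SafeHtml instance, so raw user text cannot reach the markup by accident.
function html(strings, ...values) {
  let out_html = strings[0];
  values.forEach((value, i) => {
    out_html += value instanceof SafeHtml ? value.html : escapeHtml(value);
    out_html += strings[i + 1];
  });
  return new SafeHtml(out_html);
}

// Build notification markup from untrusted sender and message text.
// Note the `_html` suffix on the only variable that holds markup.
function renderNotificationHtml(sender_name, message_text) {
  const sender_html = html`<strong>${sender_name}</strong>`;
  return html`<div class="notification">${sender_html}: ${message_text}</div>`.html;
}
```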
Currently, there are two dialog boxes shown while downloading files (in Ubuntu): one from the default behavior of Electron, and the other from the dialog box for the "save as" feature.
This PR fixes this issue by using Electron's "save as" dialog box.
Fixes: #947.
This reverts commit 49b29bfed6 (#863).
The design of this feature is still under discussion; we expect it to
return after the security release.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Zulip servers in production are designed to only serve content over
HTTPS. And a development environment's root page will be served over
HTTP.
So there is no purpose in enabling allowInsecureContent, even
conditionally for use against Zulip development environments; we should
just remove the setting.
And enable the import/unambiguous ESLint rule as a check on our
partition between scripts and modules. After this commit, if you add
a new file and get this error:
✖ 1:1 This module could be parsed as a valid script. import/unambiguous
* For a module, add an `import` or `export` declaration to make the
file unambiguously a module (the empty `export {};` declaration
suffices).
* For a script, add the file to the xo overrides section of
package.json that marks it "sourceType": "script", and add a 'use
strict' declaration.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
The changes are mostly done via `xo --fix`; the other changes are
either trivial or disabling new linter rules that we plan to address
in future commits.
The changes here are mostly straightforward; the one exception is
removing a zulipdev.org hack.
We disable some lint rules we'll want to address later (e.g., we want
to switch to using async/await rather than .then()). But those are
out of scope for this commit.
Moves the social login to the browser, since there was no way to verify
the authenticity of the auth process for a custom server and to prevent
phishing attacks.
Fixes #849.
Co-authored-by: Kanishk Kakar <kanishk.kakar@gmail.com>