paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 13:03:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
25,376 Commits 30 Branches 160 Tags
65b9d9e0f32fbaad722435726ec3b4afae14f8a7
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Tim Abbott 65b9d9e0f3 CVE-2018-9990: Fix XSS issue with stream names in topic typeahead. 
Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.

Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths.  We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:54 -07:00
.circleci
install-node: Upgrade node, yarn, and nvm.
2018-04-09 13:56:48 -07:00
.github
github: Suggest GIFs too in PR template.
2018-02-16 09:59:22 -08:00
.tx
translation: Add configuration for a zulip-test Transifex project.
2018-02-15 13:38:09 -08:00
analytics
mypy: Annotate stream_data in populate_analytics_db.py handle function.
2018-03-25 08:59:08 -07:00
confirmation
create_realm: Refactor to deal ASAP with key record, not string.
2018-02-05 12:59:12 -08:00
corporate
corporate: Remove unused imports (F401).
2017-11-07 16:37:04 -08:00
docs
docs: Fix typo in production docs.
2018-04-12 09:19:26 -07:00
frontend_tests
CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
2018-04-12 09:46:54 -07:00
pgroonga
py3: Remove all from __future__ import unicode_literals.
2017-10-17 23:07:42 -07:00
puppet
puppet: Add Content-Security-Policy for user avatars.
2018-04-10 14:43:08 -07:00
requirements
requirements: Downgrade pika to 0.11.0.
2018-04-11 09:31:10 -07:00
scripts
scripts: Remove the depreciated script 'postgres-reset-sequences'.
2018-04-10 13:07:14 -07:00
static
CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
2018-04-12 09:46:54 -07:00
templates
help: Remove follow-steps doc macro.
2018-04-11 16:44:08 -07:00
tools
browser-support: Add string.prototype.endswith polyfill.
2018-04-11 15:40:57 -07:00
zerver
CVE-2018-9986: Fix XSS issues with frontend markdown processor.
2018-04-12 09:46:37 -07:00
zilencer
profile: Remove integer and float fields.
2018-04-02 09:46:21 -07:00
zproject
cleanup: Remove the legacy Dropbox file upload integration.
2018-04-11 11:39:48 -07:00
zthumbor
mypy: Rewrite sign_is_valid in zthumbor helpers.py for None secret_key.
2018-03-25 08:59:08 -07:00
.codecov.yml
Try to avoid codecov spam.
2017-12-29 07:23:26 -05:00
.editorconfig
Editing (minor): Add .pyi to .editorconfig.
2017-12-18 07:35:58 -05:00
.eslintignore
zulip_ops: Delete the long-disused stats1.zulip.net config and its dependencies.
2017-08-15 17:30:31 -07:00
.eslintrc.json
cleanup: Remove the legacy Dropbox file upload integration.
2018-04-11 11:39:48 -07:00
.gitattributes
gitattributes: Mark yarn.lock as "binary", i.e. suppress diffs.
2018-02-01 13:37:19 -08:00
.gitignore
gitignore: Ignore a Transifex secrets file.
2018-02-15 13:38:09 -08:00
.gitlint
lint: Allow revert commit messages in gitlint.
2018-02-13 09:21:01 -08:00
.isort.cfg
python: Add settings for isort.
2017-11-14 12:31:14 -08:00
.npmignore
.travis.yml
travis: Disable most suites in favor of CircleCI!
2018-01-31 11:10:03 -08:00
CODE_OF_CONDUCT.md
CONTRIBUTING.md
doc: Add blog link to CONTRIBUTING.
2018-02-09 12:04:28 -08:00
Dockerfile-dev
Move Dockerfile to Dockerfile-dev.
2017-09-25 12:32:33 -07:00
LICENSE
docs: Move license declaration from README.md to LICENSE.
2017-11-14 16:04:23 -08:00
manage.py
Remove from __future__ import absolute_import.
2017-10-17 22:59:42 -07:00
mypy.ini
tools/mypy: Enforce a more explicit checking of Optional.
2018-03-28 12:31:51 -07:00
package.json
browser-support: Add string.prototype.endswith polyfill.
2018-04-11 15:40:57 -07:00
README.md
README: Include CircleCI build status badge.
2018-02-08 18:24:43 -08:00
Vagrantfile
vagrant: Fix link to testing docs in motd.
2018-04-05 14:41:38 -07:00
version.py
browser-support: Add string.prototype.endswith polyfill.
2018-04-11 15:40:57 -07:00
yarn.lock
browser-support: Add string.prototype.endswith polyfill.
2018-04-11 15:40:57 -07:00

README.md

Zulip overview

Zulip is a powerful, open source group chat application that combines the immediacy of real-time chat with the productivity benefits of threaded conversations. Zulip is used by open source projects, Fortune 500 companies, large standards bodies, and others who need a real-time chat system that allows users to easily process hundreds or thousands of messages a day. With over 300 contributors merging over 500 commits a month, Zulip is also the largest and fastest growing open source group chat project.

CircleCI Build Status Travis Build Status Coverage Status Mypy coverage docs Zulip chat Twitter

Getting started

Click on the appropriate link below. If nothing seems to apply, join us on the Zulip community server and tell us what's up!

You might be interested in:

You may also be interested in reading our blog or following us on twitter. Zulip is distributed under the Apache 2.0 license.

Reference in New Issue View Git Blame Copy Permalink
Description
Zulip server and web application. Open-source team chat that helps teams stay productive and focused.
apachechatcollaborationelectronfossfreejavascriptpythonpython3react-nativeslackzulip
Readme Apache-2.0 856 MiB
Languages
Python 58.5%
TypeScript 18.1%
JavaScript 9.1%
CSS 3.9%
HTML 3.6%
Other 6.6%