paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 21:13:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f055a7d133ed6a4060485b4abea295210fbe1af0
zulip/static/js
History
Tim Abbott f055a7d133 CVE-2018-9987: Fix XSS issue with muting notifications. 
This fixes an XSS issue with Zulip's muting UI, where if a stream or
topic name contained malicious HTML containing JavaScript, and the
user did a muting interaction, the malicious JavaScript could run when
rendering the "you just muted a topic" notification.

We did an audit for similarly problematic use of `.html`, and found
none; for the next release we'll be merging a series of changes to our
linter to prevent future instances of this being added.

Thanks to Suhas Sunil Gaikwad for reporting this issue.
2018-04-10 13:05:27 -07:00
..
portico
form: During realm creation give option to install in root domain.
2017-10-19 16:10:14 -07:00
stats
lint: Ban two spaces after comma in JS code.
2017-10-18 10:22:18 -07:00
.eslintrc.json
activity.js
presence: Avoid checking activity when reloading.
2017-10-11 20:39:28 -07:00
admin_sections.js
Restructure organization settings and permissions.
2017-08-28 17:20:13 -07:00
admin.js
Restructure organization settings and permissions.
2017-08-28 17:20:13 -07:00
alert_words_ui.js
urls: Change the method for adding alert words from PUT to POST.
2017-09-26 14:00:51 -07:00
alert_words.js
Highlight alert words in mentions you send to yourself.
2017-10-12 14:03:36 -07:00
attachments_ui.js
settings: Enable sorting on uploads table.
2017-09-28 16:16:16 -07:00
avatar.js
blueslip.js
urls: Move the report endpoints to be API-style routes.
2017-10-17 22:05:56 -07:00
bot_data.js
bots: Add UI to view bot types of existing bots in "Your bots".
2017-06-15 10:08:31 -07:00
channel.js
middleware: Use a proper error code on CSRF failure.
2017-07-25 14:02:12 -07:00
click_handlers.js
Remove selection on longtap.
2017-09-25 12:31:07 -07:00
colorspace.js
common.js
passwords: Express the quality threshold as guesses required.
2017-10-08 15:48:44 -07:00
components.js
settings: Remove intermediate hash change.
2017-08-01 15:38:17 -07:00
compose_actions.js
compose_actions.js: Allow compose to empty narrow.
2017-06-27 14:06:59 -04:00
compose_fade.js
compose_state.js
compose_state.js: Extract focus_in_empty_compose().
2017-09-19 19:07:30 -07:00
compose_ui.js
compose.js
eslint: Add and enforce space-in-parens lint rule.
2017-10-06 12:36:59 -07:00
composebox_typeahead.js
composebox_typeahead: Start emoji typeahead with single letter.
2017-10-17 16:06:13 -07:00
condense.js
hotkeys: Add uncondense/collapse/uncollapse message functionality.
2017-09-06 08:53:39 -07:00
copy_and_paste.js
Remove instances of deprecated jQuery "bind".
2017-07-24 10:47:16 -07:00
custom_markdown.js
Remove deprecated jQuery "delegate" function.
2017-07-24 10:47:16 -07:00
debug.js
desktop_notifications_panel.js
notification-banner: Check if mobile before displaying.
2017-10-20 13:07:40 -07:00
dict.js
drafts.js
drafts: Automatically delete misbehaving drafts while formatting.
2017-10-11 17:44:03 -07:00
dynamic_text.js
echo.js
Highlight alert words in mentions you send to yourself.
2017-10-12 14:03:36 -07:00
emoji_picker.js
emoji-picker: Do not change scroll on emoji hover.
2017-10-05 15:51:06 -07:00
emoji.js
emoji_picker: Update emoji showcase on mouse hover.
2017-09-29 21:10:03 +00:00
favicon.js
lint: Ban two spaces after comma in JS code.
2017-10-18 10:22:18 -07:00
feature_flags.js
Inline feature_flags.use_server_topic_history.
2017-09-26 13:58:54 -07:00
fenced_code.js
Support special characters for code block languages.
2017-06-19 06:53:25 -04:00
filter.js
filter: Improve group-pm-with descriptions.
2017-10-24 13:19:24 -07:00
floating_recipient_bar.js
Fix outerHeight to OR with 0 to not produce NaN.
2017-07-27 14:16:57 -07:00
gear_menu.js
hash_util.js
lint: Ban two spaces after comma in JS code.
2017-10-18 10:22:18 -07:00
hashchange.js
narrow: Remove redundant from_reload option.
2017-06-15 12:16:27 -07:00
hotkey.js
hotkey: Rename : from 'open_reactions' to 'toggle_reactions_popover'.
2017-10-05 19:05:27 +05:30
hotspots.js
hotspots.js: Fix timeout millisecond conversion.
2017-09-15 04:14:52 -07:00
integration_bot_widget.js
bots: Add a widget file to directly create bot from integration pages.
2017-06-22 11:07:30 -04:00
invite.js
eslint: Add and enforce space-in-parens lint rule.
2017-10-06 12:36:59 -07:00
lightbox_canvas.js
lightbox_canvas: Fix use of unsupported const.
2017-08-05 16:47:11 -07:00
lightbox.js
lightbox: Fix repeated code in exports.open.
2017-09-10 00:40:03 -07:00
list_render.js
list_render: Return data if no arguments present.
2017-10-12 10:42:06 -07:00
list_util.js
loading.js
localstorage.js
markdown.js
emoji: Migrate bugdown emoji to use sprite sheets.
2017-09-29 11:14:34 -07:00
message_edit.js
compose: Enable mention syntax when editing messages.
2017-10-12 18:08:32 -07:00
message_events.js
message_edit: Fix red highlighting for messages mentioning you.
2017-10-23 11:02:30 -07:00
message_fetch.js
tutorial: Remove is_running and defer logic.
2017-08-01 22:38:22 -07:00
message_flags.js
Remove dead code: messages.flags.send_force_collapse.
2017-08-04 13:31:26 -07:00
message_list_view.js
message_edit: Fix red highlighting for messages mentioning you.
2017-10-23 11:02:30 -07:00
message_list.js
scrolling: Fix out-of-order bug in the message list.
2017-10-11 15:57:11 -07:00
message_live_update.js
message_store.js
markdown: Remove is_me_message UserMessage flags.
2017-08-27 09:34:24 -07:00
message_util.js
sending messages: Extract sent_messages.js.
2017-08-01 08:58:56 -07:00
message_viewport.js
lint: Ban two spaces after comma in JS code.
2017-10-18 10:22:18 -07:00
muting_ui.js
CVE-2018-9987: Fix XSS issue with muting notifications.
2018-04-10 13:05:27 -07:00
muting.js
narrow_state.js
narrow.js: Create narrowed_by_stream_reply().
2017-06-27 14:06:59 -04:00
narrow.js
urls: Move the report endpoints to be API-style routes.
2017-10-17 22:05:56 -07:00
navigate.js
Have home key go to actual first message in the list.
2017-10-03 11:28:28 -07:00
notifications.js
notifications: If "Notification" is undefined, just return "denied".
2017-10-23 21:29:42 -07:00
overlays.js
eslint: Add and enforce space-in-parens lint rule.
2017-10-06 12:36:59 -07:00
people.js
popovers: Don't show bots as deactivated in user popovers.
2017-10-24 15:59:51 -07:00
pm_conversations.js
pm_list.js
js: Remove a few spurious arguments.
2017-08-22 09:37:17 -07:00
pointer.js
Add explicit message field for locally_echoed.
2017-07-21 11:38:25 -07:00
popovers.js
popovers: Don't show bots as deactivated in user popovers.
2017-10-24 15:59:51 -07:00
presence.js
presence: Change "unknown" to "offline".
2017-10-12 10:42:06 -07:00
reactions.js
reactions.js: Fix the conditional check for sending reaction request.
2017-10-09 11:31:21 -07:00
realm_icon.js
recent_senders.js
recent_senders: Add sort by stream message recency.
2017-09-14 07:20:52 -07:00
reload.js
presence: Avoid checking activity when reloading.
2017-10-11 20:39:28 -07:00
resize.js
panels: Make them mobile responsive.
2017-10-18 21:55:43 -07:00
rows.js
js: Remove a few spurious arguments.
2017-08-22 09:37:17 -07:00
rtl.js
eslint: Add and enforce space-in-parens lint rule.
2017-10-06 12:36:59 -07:00
scroll_bar.js
Rewrite scrollbar width check to not use jQuery.
2017-08-22 12:50:54 -07:00
search_suggestion.js
eslint: Add and enforce space-in-parens lint rule.
2017-10-06 12:36:59 -07:00
search.js
eslint: Add and enforce space-in-parens lint rule.
2017-10-06 12:36:59 -07:00
sent_messages.js
urls: Move the report endpoints to be API-style routes.
2017-10-17 22:05:56 -07:00
server_events_dispatch.js
Fix deleting stream from the sidebar.
2017-08-27 19:11:43 -07:00
server_events.js
presence: Avoid checking activity when reloading.
2017-10-11 20:39:28 -07:00
settings_account.js
frontend: Show info on /emails only in dev env.
2017-10-04 14:45:08 -07:00
settings_bots.js
bot settings: Properly hide bot_table_error.
2017-09-06 13:44:02 -07:00
settings_display.js
modals: Implement new modal methods.
2017-09-06 09:35:16 -07:00
settings_emoji.js
emoji: Merge the two semantically same tips on the Custom emoji page.
2017-07-21 13:29:27 -07:00
settings_filters.js
Change from deprecated $.parseJSON to JSON.parse.
2017-07-27 14:16:57 -07:00
settings_lab.js
settings: Remove save changes button from "UI settings" section.
2017-09-30 09:11:18 -07:00
settings_muting.js
settings_notifications.js
user settings: Make "Mobile push notifications always" a subsetting.
2017-09-29 17:58:41 -07:00
settings_org.js
settings: Fix "Notifications stream" list scrolling.
2017-09-27 18:46:19 -07:00
settings_sections.js
settings_streams.js
settings: Convert tables to use perfectScrollbar.
2017-09-26 22:54:20 -07:00
settings_users.js
settings: Display "Never" over "Invalid Date" for inactive users.
2017-10-23 13:57:11 -07:00
settings.js
settings: Show upload quota and total uploads size in uploaded files page.
2017-09-27 17:50:22 -07:00
setup.js
Fix outerHeight to OR with 0 to not produce NaN.
2017-07-27 14:16:57 -07:00
socket.js
local echo: Remove buggy restart-related code.
2017-07-18 12:03:16 -07:00
stream_color.js
Make recipient bar styling more compact and clean.
2017-09-06 18:49:54 -07:00
stream_create.js
streams: Add "Create Stream" button to right side.
2017-10-11 16:17:36 -07:00
stream_data.js
Use user_ids, not emails, for bulk stream operations.
2017-10-08 12:31:12 -07:00
stream_edit.js
streams: Re-render subscriber list on sub/unsub.
2017-10-18 11:45:07 -07:00
stream_events.js
subs: Don't try to update stream settings UI when closed.
2017-10-23 22:44:27 -07:00
stream_list.js
left sidebar: Prevent closing in responsive mode.
2017-09-08 11:20:36 -07:00
stream_muting.js
stream_popover.js
stream_list: Use data-topic-name for topic names.
2017-08-16 18:03:44 -07:00
stream_sort.js
Fix issues with left-sidebar stream search and multiple words.
2017-09-15 00:22:59 -07:00
subs.js
subs: Fix exception with streams overlay open but no active stream.
2017-10-23 22:56:14 -07:00
tab_bar.js
frontend: Add ability to search by "group-pm-with" search operator.
2017-09-24 11:58:48 -04:00
templates.js
templates: Fix typo in error message.
2017-06-26 19:33:25 -04:00
timerender.js
i18n: Do not concatenate i18n strings.
2017-09-06 07:01:43 -07:00
top_left_corner.js
Extract top_left_corner.js.
2017-08-14 13:03:57 -07:00
topic_data.js
Add topic_data.get_server_history().
2017-08-08 17:07:09 -04:00
topic_generator.js
hotkeys: Fix "n" key to work inside a muted stream.
2017-08-17 09:01:49 -07:00
topic_list.js
lint: Ban two spaces after comma in JS code.
2017-10-18 10:22:18 -07:00
translations.js
Revert "i18n: Only load active language."
2017-10-20 10:08:17 -07:00
tutorial.js
urls: Move the json/tutorial_status endpoint to be an API-style route.
2017-10-09 15:13:33 -07:00
typeahead_helper.js
emoji: Migrate bugdown emoji to use sprite sheets.
2017-09-29 11:14:34 -07:00
typing_data.js
docs: Add typing-indicators.md.
2017-09-26 13:42:14 -07:00
typing_events.js
docs: Add typing-indicators.md.
2017-09-26 13:42:14 -07:00
typing_status.js
docs: Add typing-indicators.md.
2017-09-26 13:42:14 -07:00
typing.js
docs: Add typing-indicators.md.
2017-09-26 13:42:14 -07:00
ui_init.js
notifications: Prompt user to enable desktop notifications.
2017-10-18 21:55:43 -07:00
ui_report.js
Display an error for the ZulipDesktop unsupported platform.
2017-09-16 03:01:51 -07:00
ui_util.js
ui.js
notifications: Fix realm emojis not appearing in desktop notifications.
2017-10-17 22:03:33 -07:00
unread_ops.js
unread: Convert mark_topic_as_read to use stream IDs.
2017-08-15 10:40:02 -07:00
unread_ui.js
bug: Show the count in the bankruptcy modal.
2017-08-17 23:30:41 -04:00
unread.js
Revert "Get unread messages from the server in the web app."
2017-09-22 10:20:19 -07:00
upload_widget.js
upload_widget: Remove a spurious argument.
2017-08-22 23:48:55 -07:00
user_events.js
user_events: Fix buggy-looking logging code.
2017-08-16 16:23:41 -07:00
util.js
util: Remove execute_early.
2017-07-04 13:54:33 -07:00
zulip.js