| Commit message (Collapse) | Author | Age | Files | Lines |
Reject slug+uri concat if slug is deemed unsafe
See merge request gitlab/gitlabhq!3108
|
First reported:
https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to do with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.
|
Fix url redaction for issue links
See merge request gitlab/gitlabhq!3091
|
Add changelog entry
Add missing href to all redactor specs and removed href assignment
Remove obsolete spec
If original_content is given, it should be used for link content
|
When a milestone name contained an HTML entity that would be escaped (&,
<, >), then it wasn't possible to refer to this milestone by name, or
use it in a quick action.
This already worked for labels, but not for milestones. We take care to
re-escape un-matched milestones, too.
|
No leading/trailing spaces when generating heading ids (Fixes #57528)
Closes #57528
See merge request gitlab-org/gitlab-ce!27025
|
Change based on comments in MR #27025
|
Update based on comments in MR #27025
|
When rendering a label we want to check 'scoped_label' feature
availability on a project/group where label is being used. For
this reason a label presenter is used in UI and information about
context project/group is passed to this presenter.
|
That's a straightforward feature flag code removal for 11.10
|
Update comments about N + 1 Gitaly calls
See merge request gitlab-org/gitlab-ce!27178
|
To make sure all known issues are linked to the correct epic, I've gone
through the code base, and updated the comments where required.
|
Backports https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/10161
(code out of ee/ folder).
|
[CE] Add mutually exclusive labels
See merge request gitlab-org/gitlab-ce!26804
|
Scoped labels in EE require additional changes in CE code.
|
Replaces blockquote fences with \n,
keeping the line numbering intact.
|
- added suggestions to mock data
- fixed props to be not required
|
Adds the groundwork needed in order to persist multi-line suggestions,
while providing the parsing strategy which will be reused for the
**Preview** as well.
|
Resolve "Extended tooltip for merge request links"
Closes #54916
See merge request gitlab-org/gitlab-ce!25221
|
- Show pipeline status, title, MR Status and project path
- Popover attached to gitlab flavored markdown everywhere, including:
  + MR/Issue Title
  + MR/Issue description
  + MR/Issue comments
  + Rendered markdown files
|
Implements the filtering logic for
`suggestion:-x+y` syntax.
|
Prior to this change, 35 Gitaly RPCs were allowed. But recently there's
been a renewed interest in performance. By lowering the number of
calls new N + 1's will pop up.
Later commits will add blocks to ignore the raised errors, followed by
an issue for each to be fixed.
|
Remove Redcarpet markdown engine
Closes #51374
See merge request gitlab-org/gitlab-ce!24819
|
This engine was replaced with CommonMarker in 11.4, it was deprecated
since then.
|
Such as those with IDN homographs or embedded
right-to-left (RTLO) characters.
Autolinked hrefs should be escaped
|
Enable CommonMark source line position information
See merge request gitlab-org/gitlab-ce!23971
|
including refactoring, disabling sourcepos for pipelines that
don't need it, and minimizing spec changes by disabling
sourcepos when not testing for it explicitly.
|
This adds 'data-sourcepos' to tags, indicating which
line of markdown it came from. Sets the stage for
intelligently manipulating specific lines of markdown.
|
Supports both suggestions transformed from GFM to HTML and from GFM to
HTML to Vue component.
|
Reimplement Copy-as-GFM using the prosemirror document model
See merge request gitlab-org/gitlab-ce!22797
|
The spec needed to be updated because in some cases the resulting
Markdown is slightly different, though equally valid.
|
Personal snippet uploads have neither a group nor a project. If a GitLab
instance were configured with a relative URL root (e.g. `/gitlab`), then
the Markdown filter would not include this root in the generated path.
We fix this by adding this root if there is no group or project.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56280
|
Markdown footnotes not working
Closes #26375
See merge request gitlab-org/gitlab-ce!24168
|
and additional spec
|
All the ids and classes were stripped. Add them back in
and make ids unique
|
Instead of querying relations into ids we just pass them to the model
scope because the scope supports it now.
Also changes other calls to `Milestone.for_projects_and_groups`
|
[master] Escape html entities when no label found
See merge request gitlab/gitlabhq!2706
|
[master] Set URL rel attribute for broken URLs
See merge request gitlab/gitlabhq!2695
|
It's possible that URI fails to parse a link, but browsers
still recognize given URL as a link, we should make sure
that 'rel' attribute is set also in this case.
|
languages
|