Non-markdown tags weren't being escaped in chat excerpts. This could be
triggered by editing a chat message containing a tag (self XSS), or by
replying to a chat message with a tag (XSS).
Co-authored-by: Jan Cernik <jancernik12@gmail.com>
When a category has default_list_filter=none, there were a number of issues which this commit resolves:
1. When using the breadcrumbs to navigate a `default_list_filter=none` category, adding a tag filter would not apply the no-subcategories filter, but the subcategories dropdown would still say 'none'. This commit adjusts `getCategoryAndTagUrl` so that `/none` is added to the URL
2. When landing on `/tags/c/{slug}/{id}/{tag}`, for a default_list_filter=none category, it would include subcategories. This commit introduces a client-side redirect to match the behavior of `/c/{slug}/{id}`
3. When directly navigating to `/c/{slug}/{id}`, it was correctly redirecting to `/c/{slug}/{id}/none`, BUT it was still using the preloaded data for the old route. This has been happening since e7a84948. Prior to that, the preloaded data was discarded and a new JSON request was made to the server. This commit restores that discarding behavior. In future we may want to look into making this more efficient.
System specs are introduced to provide end-end testing of this functionality
Steps to reproduce:
1. Create a post with a mention of a user that has user status with an end date
2. Try to load the topic with that post as an anonymous user
You'll see a topic with blank content.
It's important to keep our core log output as clean as possible to avoid 'crying wolf', and so that any deprecations triggered by plugin/theme tests are indeed caused by that theme/plugin, and not core.
This commit will make the core test suite fail if any deprecations are triggered. If a new deprecation is introduced (e.g. as part of a dependency update) and we need more time to resolve it it can be silenced via ember-deprecation-workflow.
This does not affect plugin/theme test runs.
Currently, if a user has opted into the new new experiment (introduced in a509441) and they click on the "See # new or updated topics" banner (screenshot below) at the top of the /new topics list, only new topics are loaded even if there are tracked topics with new replies.
This is unexpected in the new new view experiment because /new in this experiment is supposed to show both new and unread topics so it should listen for both new topics and new replies for existing/tracked topics. This PR addresses this inconsistency and makes it so that clicking the banner load all new and updated topics.
If you set a category to `default_list_filter` none. Information
was not passed to the tag route and routing was incorrect.
This patch fails, cause on reload route does not point to the right place.
```
-- a/app/assets/javascripts/discourse/app/routes/tag-show.js
+++ b/app/assets/javascripts/discourse/app/routes/tag-show.js
@@ -89,6 +89,8 @@ export default DiscourseRoute.extend(FilterModeMixin, {
filter = `tag/${tagId}/l/${topicFilter}`;
}
const list = await findTopicList(
this.store,
this.topicTrackingState,
@@ -123,7 +125,7 @@ export default DiscourseRoute.extend(FilterModeMixin, {
},
setupController(controller, model) {
- const noSubcategories =
+ this.noSubcategories =
this.noSubcategories === undefined
? model.category?.default_list_filter === NONE
: this.noSubcategories;
@@ -133,7 +135,7 @@ export default DiscourseRoute.extend(FilterModeMixin, {
...model,
period: model.list.for_period,
navMode: this.navMode,
- noSubcategories,
+ noSubcategories: this.noSubcategories,
loading: false,
});
```
Long term we don't want to hide this logic from the routing (even in
the category case) it just cause unneeded confusion and fragility.
Navigating to the topic template tab on a new category form resulted in
exceptions because the `form_template_ids` property was undefined.
This fix sets the `form_template_ids` property on new category records.
This reverts commit f6063c684b.
Videos on sites with a cdn enabled aren't playing w/ a default cdn
config. They are showing a "CORS request did not succeed" error.
* DEV: Add crossOrigin to video tag
This is a follow-up commit to f144c64e13
which enables the ability to generate thumbnail images for video
uploads.
In order for the html5 canvas element to create an image or blob the
source video element needs to to have the crossOrigin attribute set to
"anonymous" because a cdn is likely being used in production
environments.
We are already doing something similar in
e292c45924/app/assets/javascripts/discourse/app/lib/update-tab-count.js (L63)
Attaching required tag groups to new categories failed because
`required_tag_group` was undefined on the new category records
This fix sets an empty `required_tag_group` property on the new category
records.
Currently, the global search context suggestion("in all posts and topics") which
also doubles as the default context on pressing Enter is displayed as
the second item in the initial search options suggested.
This changes makes it the first item in the suggested options.
What is the problem?
When constructing the "Messages" section in Sidebar, we call
startTracking() on the pm-topic-tracking-state service in order to
get the counts for new/unread for the private message inboxes for each
user. However, this is unnecessary because the inboxes are in a
collapsed state by default in the sidebar and are only expanded when the
current route correspond to the inbox's route. Therefore, we can avoid
calling startTracking() on the pm-topic-tracking-state service until
an inbox's route is loaded. This allows us to cut out one extra request
to the server on page load and defer it until it is necessarily.
As reported on Meta, the relative time pickers for configuring slow-mode and auto-close durations in category settings are initially showing a "mins" option, which then disappears after you select any other timescale.
Our `RelativeTimePicker` component wasn't equipped to handle `null` values as the initial input. This caused it to go into a code path that set the selected timescale to "mins", even if that is not an allowed option.
There are two things being done here:
1. Add support for `null` input values to `RelativeTimePicker`. This fixes the auto-close setting.
2. Allow minutes for the slow-mode setting. (The user in Meta mentioned they usually set 15-30 minutes to cool down hot topics.
If the whitespace isn't trimmed from the input field the email is
considered invalid, and the button remains greyed out. We should handle
removing any trailing whitespace and not rely on the user trying to see
it themselves.
Follow up to a509441148
This commit makes category and tag link in the sidebar consistent with the Everything link when the new New view experiment is enabled. In particular:
1. Category and tag links navigate to the per-category (or tag) `/new` view if there's at least one topic, and to `/latest` if there are no topics
2. Category and tag links only show the count of topics in `/new` without text
3. The Everything link navigates to the global `/new` view if there's at least one topic there, and to `/latest` if there are no topics in `/new`.
Internal topic: t/77234.
The implementation previously generated a descriptor with an `initializer()`, and bound the function to the `this` context of the initializer. In native class syntax, the initializer of a descriptor is only called once, with a `this` context of the constructor, not the instance.
This commit updates the implementation so that it generates the bound function on-demand using a getter. This is the same strategy employed by ember's built-in `@action` decorator.
Unfortunately, this use of a getter means that the `@observes` decorator does not support being directly chained to `@debounce`. It throws the error "`observer must be provided a function or an observer definition`". The workaround is to put the observer on its own function, which then calls the debounced function. Given that we're aiming to reduce our usage of `@observes`, we've accepted the need for this workaround rather than spending the time to patch the implementation of `@observes`.
* UX: add type tag and design update
* UX: clarify status copy in reviewQ
* DEV: switch to selectKit
* UX: color approve/reject buttons in RQ
* DEV: regroup actions
* UX: add type tag and design update
* UX: clarify status copy in reviewQ
* Join questions for flagged post with "or" with new I18n function
* Move ReviewableScores component out of context
* Add CSS classes to reviewable-item based on human type
* UX: add table header for scoring
* UX: don't display % score
* UX: prefix modifier class with dash
* UX: reviewQ flag table styling
* UX: consistent use of ignore icon
* DEV: only show context question on pending status
* UX: only show table headers on pending status
* DEV: reviewQ regroup actions for hidden posts
* UX: reviewQ > approve/reject buttons
* UX: reviewQ add fadeout
* UX: reviewQ styling
* DEV: move scores back into component
* UX: reviewQ mobile styling
* UX: score table on mobile
* UX: reviewQ > move meta info outside table
* UX: reviewQ > score layout fixes
* DEV: readd `agree_and_keep` and fix the spec tests.
* Fix the spec tests
* fix the quint test
* DEV: readd deleting replies
* UX: reviewQ copy tweaks
* DEV: readd test for ignore + delete replies
* Remove old
* FIX: Add perform_ignore back in for backwards compat
* DEV: add an action alias `ignore` for `ignore_and_do_nothing`.
---------
Co-authored-by: Martin Brennan <martin@discourse.org>
Co-authored-by: Vinoth Kannan <svkn.87@gmail.com>
Original solution to use `description` instead of `text_description` was wrong: https://github.com/discourse/discourse/pull/20436
Problem is that we have to escape HTML tags.
However, we would like to use escape method which is keep `/` intact. Expected behavior is given by ERB::Util.html_escape instead of Rack::Utils.escape_html
/t/92015
We were only supporting the main name of each HighlightJS language. So, by default, you could not use `js` or `jsx` to highlight Javascript, given they are aliases for `javascript`.
This PR adds a list of aliases as a constant to core (built via a rake task), and then checks against the `highlighted_languages` site settings plus the list of aliases when processing a code block.
Regular users should be redirected to the homepage after the topic is
no longer accessible by them (only staff members can view deleted
topics). There was a problem with permission checking for category
moderators which stopped the redirect from happening.
Using Javascript to read and recalculate sizing is prone to causing 'forced reflows', which are very expensive, especially on slower devices. This PR refactors the slide-in menus so that all of the height calculation is done using CSS. This is made possible by the new dvh (dynamic view height) units and env(safe-area-inset-bottom), both of which are supported on all of our target browsers.
In tests on a moto g50, on a sidebar with 16 categories, 15 tags, and 2 chat channels, this improves the sidebar opening time by around 50ms (6%).
Since 359dc1c532, support for the old user
profile navigation menu has been dropped. This commit seeks to remove
code from the client side that still relies on the `currentUser.redesigned_user_page_nav_enabled` prop.
Since 359dc1c532, support for the old user
profile navigation menu has been dropped. This commit seeks to remove
code from the client side that still relies on the `currentUser.redesigned_user_page_nav_enabled` prop.
Why this change?
Prior to this change, we placed the identifier for the tag using
CSS classes like `sidebar-section-link-<tag name>`. However, we found that it wasn't obvious
that an identifier for the tag exists since it is first buried in
the CSS classes and second there isn't a way to describe what the
identifier is. Using data attributes, it makes it more obvious that an
identifier exists and what the identifier represents.
Follow-up to 53eb49de72
