delta/gitlab/gitlab-ce.git/spec/lib/banzai, branch docs/https-many-docs-links gitlab.com: gitlab-org/gitlab-ce.git Allow emoji in label and milestone references 2019-06-07T09:05:57+00:00 Sean McGivern sean@gitlab.com 2019-06-06T16:49:08+00:00 1617aa27562c6c92c981cadf13f0fb999558e1cc If we put the emoji filter before the reference filters, each emoji will have a wrapper element that prevents the reference filter from detecting the presence of the emoji. As the emoji filter now runs after the reference filters, references must contain a literal emoji, not the GitLab Flavored Markdown versions (:100`, for example). A weird side-effect is that if you have a label with the 100 emoji, and a label named :100:, then trying to reference the latter will work (link to the correct label), but will render with the 100 emoji. I'm comfortable with that edge case, I think. 
If we put the emoji filter before the reference filters, each emoji will
have a wrapper element that prevents the reference filter from detecting
the presence of the emoji.

As the emoji filter now runs after the reference filters, references
must contain a literal emoji, not the GitLab Flavored Markdown
versions (:100`, for example).

A weird side-effect is that if you have a label with the 100 emoji, and
a label named :100:, then trying to reference the latter will work (link
to the correct label), but will render with the 100 emoji. I'm
comfortable with that edge case, I think.
Merge branch 'fix/allow-lower-case-issue-ids' into 'master' 2019-06-06T14:40:07+00:00 Sean McGivern sean@gitlab.com 2019-06-06T14:40:07+00:00 c50eed5400d97c9f566b25f76eb8d0057f910a11 Allow lowercase prefix for Youtrack issue ids Closes #62661 See merge request gitlab-org/gitlab-ce!29057 
Allow lowercase prefix for Youtrack issue ids

Closes #62661

See merge request gitlab-org/gitlab-ce!29057
 Use Redis for CacheMarkDownField on non AR models 2019-06-05T05:19:59+00:00 Patrick Bajao ebajao@gitlab.com 2019-06-05T04:59:48+00:00 2eecfd8f9d111c6518930b818a16daea8263b37f This allows using `CacheMarkdownField` for models that are not backed by ActiveRecord. When the including class inherits `ActiveRecord::Base` we include `Gitlab::MarkdownCache::ActiveRecord::Extension`. This will cause the markdown fields to be rendered and the generated HTML stored in a `<field>_html` attribute on the record. We also store the version used for generating the markdown. All other classes that include this model will include the `Gitlab::MarkdownCache::Redis::Extension`. This add the `<field>_html` attributes to that model and will generate the html in them. The generated HTML will be cached in redis under the key `markdown_cache:<class>:<id>`. The class this included in must therefore respond to `id`. 
This allows using `CacheMarkdownField` for models that are not backed
by ActiveRecord.

When the including class inherits `ActiveRecord::Base` we include
`Gitlab::MarkdownCache::ActiveRecord::Extension`. This will cause the
markdown fields to be rendered and the generated HTML stored in a
`<field>_html` attribute on the record. We also store the version
used for generating the markdown.

All other classes that include this model will include the
`Gitlab::MarkdownCache::Redis::Extension`. This add the `<field>_html`
attributes to that model and will generate the html in them. The
generated HTML will be cached in redis under the key
`markdown_cache:<class>:<id>`. The class this included in must
therefore respond to `id`.
Merge branch 'security-60143-address-xss-issue-master' into 'master' 2019-06-03T17:01:25+00:00 Robert Speicher rspeicher@gmail.com 2019-06-03T17:01:25+00:00 5906fb2e45f352b8fc02f0e98a6148d0c0b2db59 Reject slug+uri concat if slug is deemed unsafe See merge request gitlab/gitlabhq!3108 
Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3108
 Allow lowercase prefix for Youtrack issue ids 2019-06-03T14:05:20+00:00 Matthias Baur m.baur@syseleven.de 2019-06-03T12:52:54+00:00 e8683efea5aaed0c8c4b6efc75395372a3a3662b Relates to #42595. Fixes #62661. 
Relates to #42595.
Fixes #62661.
Merge branch 'security-fix-project-existence-disclosure-master' into 'master' 2019-06-03T12:33:57+00:00 GitLab Release Tools Bot robert+release-tools@gitlab.com 2019-06-03T12:33:57+00:00 c45c64ce298fab6eca6c54142ab5844a4b2c5c63 Fix url redaction for issue links See merge request gitlab/gitlabhq!3091 
Fix url redaction for issue links

See merge request gitlab/gitlabhq!3091
 Reject slug+uri concat if slug is deemed unsafe 2019-05-24T19:33:24+00:00 Kerri Miller kerrizor@kerrizor.com 2019-05-20T20:24:22+00:00 a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2 First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143 When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed. Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to to with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug. 
First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.
Fix milestone references with HTML entities in the name 2019-05-24T09:07:21+00:00 Sean McGivern sean@gitlab.com 2019-05-23T14:28:55+00:00 17b97bf029a7085f6b726071a15f5d231510f1b6 When a milestone name contained an HTML entity that would be escaped (&, <, >), then it wasn't possible to refer to this milestone by name, or use it in a quick action. This already worked for labels, but not for milestones. We take care to re-escape un-matched milestones, too. 
When a milestone name contained an HTML entity that would be escaped (&,
<, >), then it wasn't possible to refer to this milestone by name, or
use it in a quick action.

This already worked for labels, but not for milestones. We take care to
re-escape un-matched milestones, too.
Fix typos in the whole gitlab-ce project 2019-05-20T14:11:44+00:00 Yoginth me@yoginth.com 2019-05-20T14:11:44+00:00 2f6a20ce665de6a23fe2c1cc28cc6398afcb1b71 






Merge branch 'patch-49' into 'master'
2019-05-06T07:41:10+00:00

Sean McGivern
sean@gitlab.com

2019-05-06T07:41:10+00:00

ff64584cfaddb170cfa3a5c647ee4783cdb6058e

No leading/trailing spaces when generating heading ids (Fixes #57528)

Closes #57528

See merge request gitlab-org/gitlab-ce!27025




No leading/trailing spaces when generating heading ids (Fixes #57528)

Closes #57528

See merge request gitlab-org/gitlab-ce!27025