1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-22 08:42:32 -05:00
Commit graph

39 commits

Author SHA1 Message Date
Gusted
dfe3ffc581 feat: harden localization against malicious HTML (#5703)
- Add a new script that proccess the localization files and verify that
they only contain HTML according to our strictly defined rules.
- This should make adding malicious HTML near-impossible.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5703
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2024-10-30 15:59:48 +00:00
Gusted
a0f47b8de7
[BUG] Escape editor.add_tmpl translation
- Previously translations were escaped, but now translations are
accepted as-is and will be rendered as HTML. Use `TrString` to escape
the translation value.
- Adds integration test.
- Regression of 65248945c9.
- Resolves #3260
2024-04-16 15:50:49 +02:00
silverwind
5016bc5d5c
Migrate gt-hidden to tw-hidden (#30046)
We have to define this one in helpers.css because tailwind only
generates a single class but certain things rely on this being
double-class. Command ran:

```sh
perl -p -i -e 's#gt-hidden#tw-hidden#g' web_src/js/**/* templates/**/* models/**/* web_src/css/**/*

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit ec3d467f15a683b305ac165c3eba6683628dcb25)

Conflicts:
	templates/install.tmpl
	templates/repo/diff/conversation.tmpl
	templates/repo/issue/view_content/conversation.tmpl
	templates/repo/issue/view_content/sidebar.tmpl
	templates/repo/issue/view_title.tmpl

	resolved by prefering Forgejo version and applying the
	commands to all files
2024-03-30 07:17:29 +01:00
silverwind
c82bef515e
Migrate margin and padding helpers to tailwind (#30043)
This will conclude the refactor of 1:1 class replacements to tailwind,
except `gt-hidden`. Commands ran:

```bash
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-0#tw-$1$2-0#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-1#tw-$1$2-0.5#g' {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-2#tw-$1$2-1#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-3#tw-$1$2-2#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-4#tw-$1$2-4#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-5#tw-$1$2-8#g'   {web_src/js,templates,routers,services}/**/*
```

(cherry picked from commit 68ec9b48592fe88765bcc3a73093d43c98b315de)

Conflicts:
	routers/web/repo/view.go
	templates/base/head_navbar.tmpl
	templates/repo/code/recently_pushed_new_branches.tmpl
	templates/repo/diff/box.tmpl
	templates/repo/diff/compare.tmpl
	templates/repo/diff/conversation.tmpl
	templates/repo/header.tmpl
	templates/repo/issue/filter_list.tmpl
	templates/repo/issue/view_content/conversation.tmpl
	templates/repo/issue/view_content/sidebar.tmpl
	templates/repo/settings/options.tmpl
	templates/repo/view_file.tmpl
	templates/shared/user/blocked_users.tmpl
	templates/status/500.tmpl
	web_src/js/components/DashboardRepoList.vue
	resolved by prefering Forgejo version and applying the
	commands to all files
2024-03-30 07:17:29 +01:00
Tim-Niclas Oelschläger
4662f4feac
enforce maxlength in frontend (#29389)
Set maxlength attribute in frontend

to long file-name

![image](https://github.com/go-gitea/gitea/assets/72873130/15111614-55ab-4583-acb2-15c25997601d)

![image](https://github.com/go-gitea/gitea/assets/72873130/4105ddd8-4973-4da8-b3ab-4cfae1b45554)
(same for branch-name and commit-summary)

(cherry picked from commit 756b952c52f1efbb137df36d5b97b370c8a45565)
2024-02-26 22:30:27 +01:00
wxiaoguang
70f3c32b91
Remove incorrect and unnecessary Escape from templates (#29394)
Follow #29165

* some of them are incorrect, which would lead to double escaping (eg:
`(print (Escape $.RepoLink)`)
* other of them are not necessary, because `Tr` handles strings&HTML
automatically

Suggest to review by "unified view":
https://github.com/go-gitea/gitea/pull/29394/files?diff=unified&w=0

(cherry picked from commit d2f6588b66549b33adf8bac7044d03c89d668470)

Conflicts:
	templates/code/searchcombo.tmpl
	templates/mail/auth/register_notify.tmpl
	templates/mail/issue/default.tmpl
	templates/repo/code/recently_pushed_new_branches.tmpl
	templates/repo/search.tmpl
	templates/repo/settings/protected_branch.tmpl
	templates/user/auth/activate.tmpl
	templates/user/auth/forgot_passwd.tmpl
	templates/user/dashboard/feeds.tmpl
	context
2024-02-26 22:30:27 +01:00
wxiaoguang
60447a7097
Remove unnecessary "Safe" modifier from templates (#29318)
Follow #29165

(cherry picked from commit 7a1557d2cc893030ae900c4333eeb12d84b891dc)

Conflicts:
	templates/package/content/alpine.tmpl
	templates/package/content/cargo.tmpl
	templates/package/content/chef.tmpl
	templates/package/content/composer.tmpl
	templates/package/content/conan.tmpl
	templates/package/content/conda.tmpl
	templates/package/content/container.tmpl
	templates/package/content/cran.tmpl
	templates/package/content/debian.tmpl
	templates/package/content/generic.tmpl
	templates/package/content/go.tmpl
	templates/package/content/helm.tmpl
	templates/package/content/maven.tmpl
	templates/package/content/npm.tmpl
	templates/package/content/nuget.tmpl
	templates/package/content/pub.tmpl
	templates/package/content/pypi.tmpl
	templates/package/content/rpm.tmpl
	templates/package/content/rubygems.tmpl
	templates/package/content/swift.tmpl
	templates/package/content/vagrant.tmpl
	templates/package/shared/cargo.tmpl
	templates/package/shared/list.tmpl
	templates/repo/code/recently_pushed_new_branches.tmpl
	templates/repo/issue/view_content/comments.tmpl
	templates/status/404.tmpl
	templates/user/settings/packages.tmpl
	context
2024-02-26 22:30:26 +01:00
Gusted
75ce1e2ac1
[GITEA] Allow user to select email for file operations in Web UI
- Add a dropdown to the web interface for changing files to select which
Email should be used for the commit. It only shows (and verifies) that a
activated mail can be used, while this isn't necessary, it's better to
have this already in place.
- Added integration testing.
- Resolves https://codeberg.org/forgejo/forgejo/issues/281

(cherry picked from commit 564e701f40)
(cherry picked from commit de8f2e03cc)
(cherry picked from commit 0182cff12e)
(cherry picked from commit 9c74254d46)
(cherry picked from commit 2f0b68f821)
(cherry picked from commit 079b995d49)
(cherry picked from commit 6952ea6ee3)
(cherry picked from commit 6c7d5a5d14)
(cherry picked from commit 49c39f0ed5)
(cherry picked from commit a8f9727388)
2024-02-05 16:09:41 +01:00
wxiaoguang
93bd4351bf
Fix more "locale" usages (#27259) 2023-09-25 20:42:40 +08:00
delvh
7960ba7e2b
Always use ctx.Locale.Tr inside templates (#27231) 2023-09-25 08:56:50 +00:00
silverwind
8099238618
Change green buttons to primary color (#27099)
I think it's better if the primary actions have primary color instead of
green which fits better into the overall single-color UI design. This PR
currently replaces every green button with primary:

<img width="141" alt="Screenshot 2023-09-16 at 14 07 59"
src="https://github.com/go-gitea/gitea/assets/115237/843c1e50-4fb2-4ec6-84ba-0efb9472dcbe">
<img width="161" alt="Screenshot 2023-09-16 at 14 07 51"
src="https://github.com/go-gitea/gitea/assets/115237/9442195a-a3b2-4a42-b262-8377d6f5c0d1">

Modal actions now use uncolored/primary instead of previous green/red
colors. I also removed the box-shadow on all basic buttons:

<img width="259" alt="Screenshot 2023-09-16 at 14 16 39"
src="https://github.com/go-gitea/gitea/assets/115237/5beea529-127a-44b0-8d4c-afa7b034a490">
<img width="261" alt="Screenshot 2023-09-16 at 14 17 42"
src="https://github.com/go-gitea/gitea/assets/115237/4757f7b2-4d46-49bc-a797-38bb28437b88">

The change currently includes the "Merge PR" button, for which we might
want to make an exception to match the icon color there:

<img width="442" alt="Screenshot 2023-09-16 at 14 33 53"
src="https://github.com/go-gitea/gitea/assets/115237/993ac1a5-c94d-4895-b76c-0d872181a70b">
2023-09-18 22:05:31 +00:00
wxiaoguang
4fdb09de58
Fix incorrect "tabindex" attributes (#26733)
Fix #26731

Almost all "tabindex" in code are incorrect.

1. All "input/button" by default are focusable, so no need to use "tabindex=0"
2. All "div/span" by default are not focusable, so no need to use "tabindex=-1"
3. All "dropdown" are focusable by framework, so no need to use "tabindex"
4. Some tabindex values are incorrect (eg: `new_form.tmpl`), so remove them

Co-authored-by: Giteabot <teabot@gitea.io>
2023-08-26 10:44:00 +08:00
wxiaoguang
a370efc13f
Use template context function for avatar rendering (#26385)
Introduce `AvatarUtils`, no need to pass `$.Context` to every
sub-template, and simplify the template helper functions.
2023-08-10 11:19:39 +08:00
Brecht Van Lommel
1bfa37ada2
Create pull request for base after editing file, if not enabled on fork (#24841)
Currently if pull requests are disabled on a fork but enabled on a base
repo, creating/editing/deleting files does not offer the option to
create a pull request. This change enables creating a pull request for
the base repo in that case.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-24 21:36:02 +00:00
wxiaoguang
e422342eeb
Allow adding new files to an empty repo (#24164)
![image](https://user-images.githubusercontent.com/2114189/232561612-2bfcfd0a-fc04-47ba-965f-5d0bcea46c54.png)
2023-04-19 21:40:42 +08:00
yp05327
0945bf63d3
Fix missed .hide class (#23208)
https://github.com/go-gitea/gitea/pull/22950 removed `hide` class, and
use `gt-hidden`
But there are some missed `hide`....

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-03-02 12:22:04 +08:00
yp05327
ed954b070d
Fix commit name in Apply Patch page (#23086)
Fixes
https://github.com/go-gitea/gitea/issues/22621#issuecomment-1439309200
2023-02-23 15:14:07 -06:00
Lunny Xiao
bd820aa9c5
Add context cache as a request level cache (#22294)
To avoid duplicated load of the same data in an HTTP request, we can set
a context cache to do that. i.e. Some pages may load a user from a
database with the same id in different areas on the same page. But the
code is hidden in two different deep logic. How should we share the
user? As a result of this PR, now if both entry functions accept
`context.Context` as the first parameter and we just need to refactor
`GetUserByID` to reuse the user from the context cache. Then it will not
be loaded twice on an HTTP request.

But of course, sometimes we would like to reload an object from the
database, that's why `RemoveContextData` is also exposed.

The core context cache is here. It defines a new context
```go
type cacheContext struct {
	ctx  context.Context
	data map[any]map[any]any
        lock sync.RWMutex
}

var cacheContextKey = struct{}{}

func WithCacheContext(ctx context.Context) context.Context {
	return context.WithValue(ctx, cacheContextKey, &cacheContext{
		ctx:  ctx,
		data: make(map[any]map[any]any),
	})
}
```

Then you can use the below 4 methods to read/write/del the data within
the same context.

```go
func GetContextData(ctx context.Context, tp, key any) any
func SetContextData(ctx context.Context, tp, key, value any)
func RemoveContextData(ctx context.Context, tp, key any)
func GetWithContextCache[T any](ctx context.Context, cacheGroupKey string, cacheTargetID any, f func() (T, error)) (T, error)
```

Then let's take a look at how `system.GetString` implement it.

```go
func GetSetting(ctx context.Context, key string) (string, error) {
	return cache.GetWithContextCache(ctx, contextCacheKey, key, func() (string, error) {
		return cache.GetString(genSettingCacheKey(key), func() (string, error) {
			res, err := GetSettingNoCache(ctx, key)
			if err != nil {
				return "", err
			}
			return res.SettingValue, nil
		})
	})
}
```

First, it will check if context data include the setting object with the
key. If not, it will query from the global cache which may be memory or
a Redis cache. If not, it will get the object from the database. In the
end, if the object gets from the global cache or database, it will be
set into the context cache.

An object stored in the context cache will only be destroyed after the
context disappeared.
2023-02-15 21:37:34 +08:00
zeripath
51383ec084
Move helpers to be prefixed with gt- (#22879)
As discussed in #22847 the helpers in helpers.less need to have a
separate prefix as they are causing conflicts with fomantic styles

This will allow us to have the `.gt-hidden { display:none !important; }`
style that is needed to for the reverted PR.

Of note in doing this I have noticed that there was already a conflict
with at least one chroma style which this PR now avoids.

I've also added in the `gt-hidden` style that matches the tailwind one
and switched the code that needed it to use that.

Signed-off-by: Andrew Thornton <art27@cantab.net>

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-02-13 17:59:59 +00:00
wxiaoguang
eb5e1bcd21
Remove Fomantic-UI's .hidden CSS class for checkbox elements (#22851)
Fomantic-UI's `.hidden` CSS class is badly designed.

* Checkbox elements do not need it in HTML, so this PR removes it (JS
adds the `.hidden` class back by `$('.ui.checkbox').checkbox()`)
* `menu transaction hidden` is still needed, and it should be the only
usage for the `.hidden` from now on (until they get refactored properly)

Co-authored-by: zeripath <art27@cantab.net>
2023-02-13 11:16:59 +08:00
Felipe Leopoldo Sologuren Gutiérrez
7fd5d38860
Improve checkbox accessibility a bit by adding the title attribute (#22593)
EDIT: The main change of this PR was resolved by #22599. This
complements that PR for some cases without label and complicated layout
to be added.

NOTE: Contributed by @Forgejo.
2023-02-01 01:43:06 +00:00
Lunny Xiao
68704532c2
Rename almost all Ctx functions (#22071) 2022-12-10 10:46:31 +08:00
Gusted
d55a0b7238
Refactor i18n to locale (#20153)
* Refactor `i18n` to `locale`

- Currently we're using the `i18n` variable naming for the `locale`
struct. This contains locale's specific information and cannot be used
for general i18n purpose, therefore refactoring it to `locale` makes
more sense.
- Ref: https://github.com/go-gitea/gitea/pull/20096#discussion_r906699200

* Update routers/install/install.go
2022-06-27 15:58:46 -05:00
zeripath
bbffcc3aec
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
    
This is an extensive PR attempting to fix these issues.

1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future. 
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-11-16 18:18:25 +00:00
a1012112796
f19da14c34
enhancement: add signoff option in commit form (#14516)
Signed-off-by: a1012112796 <1012112796@qq.com>
2021-01-29 16:57:45 +08:00
silverwind
9269a038a4
Direct avatar rendering (#13649)
* Direct avatar rendering

This adds new template helpers for avatar rendering which output image
elements with direct links to avatars which makes them cacheable by the
browsers.

This should be a major performance improvment for pages with many avatars.

* fix avatars of other user's profile pages

* fix top border on user avatar name

* uncircle avatars

* remove old incomplete avatar selector

* use title attribute for name and add it back on blame

* minor refactor

* tweak comments

* fix url path join and adjust test to new result

* dedupe functions
2020-12-03 19:46:11 +01:00
silverwind
b2de034278
CSS navbar and color tweaks (#13609)
* CSS and color tweaks

- Unify navbar-style menus
- Fix admin bar overlapping menu bar
- Fixes file edit comment box
- Fix double border on review box
- Fix review timeline icons

* Many fixes to new-menu and navbar layout enhancements

* misc settings fixes

* navbar tweak

* fix pr tabs

* branch tag and arc color tweaks
2020-11-26 19:33:28 +00:00
silverwind
ffddf3f8a6
Make SVG size argument optional (#12814)
Now defaults to 16 on both frontend and backend.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-09-11 16:19:00 -04:00
John Olheiser
86fdba177a
Add Octicon SVG spritemap (#10107)
* Add octicon SVG sprite

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Static prefix

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* SVG for all repo icons

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* make vendor

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Swap out octicons

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Move octicons to top of less imports

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Fix JS

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Definitely not a search/replace

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Missed regex

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Move to more generic calls and webpack

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* make svg -> make webpack

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Remove svg-sprite

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Update tests

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Missed a test

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Remove svg from makefile

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Suggestions

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Attempt to fix test

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Update tests

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Revert timetracking test

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Swap .octicon for .svg in less

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Add aria-hidden

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Replace mega-octicon

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Fix webpack globbing on Windows

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Revert

Co-Authored-By: silverwind <me@silverwind.io>

* Fix octions from upstream

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Fix Vue and missed JS function

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Add JS helper and PWA

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Preload SVG

Signed-off-by: jolheiser <john.olheiser@gmail.com>

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: techknowlogick <matti@mdranta.net>
2020-02-11 12:02:41 -05:00
zeripath
66ee9b87f9 Add require signed commit for protected branch (#9708)
* Add require signed commit for protected branch

* Fix fmt

* Make editor show if they will be signed

* bugfix

* Add basic merge check and better information for CRUD

* linting comment

* Add descriptors to merge signing

* Slight refactor

* Slight improvement to appearances

* Handle Merge API

* manage CRUD API

* Move error to error.go

* Remove fix to delete.go

* prep for merge

* need to tolerate \r\n in message

* check protected branch before trying to load it

* Apply suggestions from code review

Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>

* fix commit-reader

Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-01-15 09:32:57 +01:00
guillep2k
fb7c23f911 Fix editor commit to new branch if PR disabled (#8375) 2019-10-05 10:09:19 +08:00
Richard Mahn
5d3e351864 Fixes #7474 - Handles all redirects for Web UI File CRUD (#7478)
* Fixes #7474 - Handles all redirects for Web UI File CRUD

* Fixes lint errors

* Typo fix

* Adds unit tests for a few helper functions

* Fixes per review

* Fix for new branch creation and to unit test

* Fixes the template used for errors on delete
2019-07-17 14:40:28 -04:00
Richard Mahn
2262811e40 Fixes 4762 - Content API for Creating, Updating, Deleting Files (#6314) 2019-04-17 12:06:35 -04:00
Bwko
38a9cda4bb Remove unnecessary Safe tags (#3778) 2018-04-10 06:43:37 +03:00
Lunny Xiao
219ca5cadb
some fixes 2017-10-25 13:26:14 +08:00
Lauris BH
0144817971 Do not allow commiting to protected branch from online editor (#1502)
* Do not allow commiting to protected branch from online editor

* Add editor integration tests for adding new file and not allowing to add new file to protected branch
2017-05-02 08:49:55 +08:00
Unknwon
c50d59874d
#3577 incorrect URL produced by AvatarLink 2016-09-01 12:36:26 -04:00
Unknwon
643142acab Web editor: support upload files 2016-08-30 05:23:59 -07:00
Unknwon
0114fdcba4 Web editor: improve delete file process 2016-08-28 01:41:44 -07:00