Commit graph

4782 commits

Author SHA1 Message Date
rugk
89e5853197 fix: merge error missing %s in right place catched by tests 2026-07-11 17:41:25 +00:00
rugk
1db5205de3 Merge branch 'js/removeJQuery' of https://github.com/PrivateBin/PrivateBin into js/removeJQuery 2026-07-11 17:36:11 +00:00
rugk
36bccbca22 docs: merge in changelog 2026-07-11 17:35:18 +00:00
rugk
7e8a3a60ec Merge remote-tracking branch 'origin/master' into js/removeJQuery 2026-07-11 17:34:27 +00:00
El RIDO
8504c3157c
Merge pull request #1876 from PrivateBin/dependabot/npm_and_yarn/js/ws-8.21.0
chore(deps): bump ws from 8.20.1 to 8.21.0 in /js
2026-07-11 12:25:07 +02:00
El RIDO
c03cd8f278
chore: prepare for next release 2026-07-11 11:47:08 +02:00
dependabot[bot]
f71fd1be95
chore(deps): bump ws from 8.20.1 to 8.21.0 in /js
Bumps [ws](https://github.com/websockets/ws) from 8.20.1 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.20.1...8.21.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-11 08:25:54 +00:00
El RIDO
3035d6e5d3
incrementing version 2026-07-11 10:19:40 +02:00
El RIDO
75f056dcda
Merge commit from fork
insert only base path in JSON API responses
2026-07-11 10:12:52 +02:00
El RIDO
bd63b434c9
Merge remote-tracking branch 'upstream/master' into advisory-fix-1 2026-07-11 10:11:29 +02:00
El RIDO
e0dd4c025c
Merge commit from fork
fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
2026-07-11 10:04:56 +02:00
El RIDO
a364596586
Merge branch 'master' into newtab-sanitize 2026-07-11 10:04:14 +02:00
El RIDO
8238a1492a
Merge pull request #1873 from PrivateBin/docs/security
docs: favour GitHub security form over mail
2026-07-01 07:45:04 +02:00
rugk
fcebc6e114
docs: favour GitHub security form over mail
IMHO, the GitHub process nowadays provides a sleek workflow and is better than sending mails back-and-forth.

It's okay for me to leave that way open (especially if reporters really want to report high sensitive stuff and e.g. PGP-encrypt them), but I guess we should slightly suggest/favor the GitHub form for ease of maintenance.

@elrido what do you think?
2026-06-30 09:40:48 +02:00
El RIDO
9a75c15437
Merge pull request #1871 from PrivateBin/dependabot/github_actions/actions/cache-6
chore(deps): bump actions/cache from 5 to 6
2026-06-24 17:53:13 +02:00
dependabot[bot]
f67d507fae
chore(deps): bump actions/cache from 5 to 6
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-24 11:52:25 +00:00
El RIDO
f904eaf020
Merge pull request #1855 from PrivateBin/os-copy-hotkey
feat: Show OS-specific copy hotkey hint
2026-06-21 11:48:43 +02:00
El RIDO
caca8655ed
Merge pull request #1867 from PrivateBin/dependabot/github_actions/actions/checkout-7
chore(deps): bump actions/checkout from 6 to 7
2026-06-21 11:31:31 +02:00
Ribas160
233e3e2399
Merge remote-tracking branch 'upstream/master' into os-copy-hotkey
# Conflicts:
#	i18n/zh.json
#	lib/Configuration.php
2026-06-19 20:03:38 +03:00
Ribas160
2219039a0a
feat: add i18n keys for Cmd and Ctrl keyboard labels 2026-06-19 19:58:29 +03:00
dependabot[bot]
13350e71a1
chore(deps): bump actions/checkout from 6 to 7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-19 11:52:19 +00:00
rugk
eceab240a9 fix: remove old now removed bootstrap from configuration-test-generator 2026-06-16 16:46:52 +02:00
rugk
47ffa12b17 Merge remote-tracking branch 'origin/js/removeJQuery' into js/removeJQuery
# Conflicts:
#	js/test/Prompt.js
2026-06-16 16:36:46 +02:00
rugk
af31b1c7df style: beautify HTML
Co-authored-by: Copilot <copilot@github.com>
2026-06-16 14:32:48 +00:00
rugk
c44e7dfa39 style: beautify HTML
Co-authored-by: Copilot <copilot@github.com>
2026-06-16 14:29:46 +00:00
rugk
795df42b31 test: turn meaningless Prompt test into something actually useful
Previously it did not even call the SUT, but just asserted that a value was written intoi a code it had itself generated.
2026-06-16 14:25:26 +00:00
rugk
1a881f4c62 style: remove unused parameter 2026-06-16 14:16:12 +00:00
rugk
f56c0d1f3b chore: remove not required manual centering of bootstrap dialogs 2026-06-16 14:14:33 +00:00
rugk
e70acfb50b style: fix another JSDoc error 2026-06-16 13:56:50 +00:00
rugk
5b5072f08a chore: remove mentions of old Bootstrap templazte in config 2026-06-16 12:50:57 +00:00
rugk
f3e969474b style: remove wrong/useless PHP interpreter-style HTML in JS test 2026-06-16 12:43:45 +00:00
rugk
08fea41f6c chore: remove bootstrap(-page/-dark) etc. tests 2026-06-16 12:03:23 +00:00
rugk
54d3d00339 chore: remove nmot requires SRI hash for Bootstrap 3 2026-06-16 11:44:19 +00:00
rugk
2dfb69a697 chore: remove support for Bootstrap 3
It requires jQuery and thus does not work anymore.
2026-06-16 11:42:38 +00:00
rugk
acb7e4e55e chore: also remove jQuery in bootstrap5 template 2026-06-16 11:42:01 +00:00
rugk
ef3d5977cc docs: add Changelog entries 2026-06-16 11:39:30 +00:00
rugk
df04d3692e chore: remove jQuery library 2026-06-16 11:38:56 +00:00
rugk
47b246914a fix: regenerate SRI hashes 2026-06-16 08:01:48 +00:00
El RIDO
164c839c39
insert only base path in JSON API responses, without GET parameters 2026-06-15 23:12:52 +02:00
El RIDO
e3041700cf
add test to catch URL path extraction not removing query 2026-06-15 23:06:35 +02:00
rugk
cdbade05f5 fix: resolve ESLint errors after jQuery removal
- Replace optional chaining (?.) with explicit null check — ecmaVersion
  is 2018, optional chaining requires ES2020
- Extract TopNav event binding into bindEvents() — init() had 70
  statements exceeding the max-statements limit of 60

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 19:14:13 +02:00
rugk
e5b3940e37 fix: use Object.prototype.hasOwnProperty.call for null-prototype translations object
Object.create(null) objects don't inherit hasOwnProperty, so the direct
call throws. Use the safe form instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 19:03:30 +02:00
rugk
4744841af5 test: fix CopyToClipboard tests broken by bad merge conflict resolution
The merge of master into js/removeJQuery incorrectly kept old jsverify
code in the Keyboard shortcut hint tests instead of the fast-check
versions from this branch. Also updates the copy-document DOM fixture
to match the current CopyToClipboard.init() which binds #copyShortcutHintBtn.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 18:58:29 +02:00
rugk
706b0325dc fix: use null-prototype object for I18n translations lookup table
Object.create(null) ensures keys like '__proto__', 'constructor', and
'toString' are stored and retrieved as plain string keys rather than
shadowing Object prototype properties.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 18:58:19 +02:00
rugk
55639c70fb Merge branch 'master' into js/removeJQuery
# Conflicts:
#	js/privatebin.js
#	js/test/CopyToClipboard.js
#	lib/Configuration.php
2026-06-15 18:45:59 +02:00
rugk
5aee5b5a2c chore: update package.lock 2026-06-15 18:29:42 +02:00
rugk
3942e546b6 refactor: simplify cleanup() and document why module reload is required
Remove defensive checks that are guaranteed by jsdom-global (window and
document are always set), the jQuery alias for PrivateBin (unused after
jQuery removal), and the conditional re-export block.

The module reload (delete require.cache + re-require) is intentional and
necessary: modules like CopyToClipboard hold DOM element references in
closure variables and schedule setTimeout callbacks. Without a reload,
those callbacks fire against elements from a now-dead jsdom window after
cleanup(), causing cross-test interference. Document this clearly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 18:26:26 +02:00
rugk
9252f65ae1 test: fix ServerInteraction crypto setup and PasteViewer test stability
ServerInteraction: window.crypto is read-only in jsdom; use
Object.defineProperty (matching the pattern in CryptTool tests).
Also install Buffer-based atob/btoa overrides (common.atob/btoa) to
avoid jsdom's strict btoa rejecting binary ciphertext bytes.

PasteViewer: the 'displays text according to format' test was already
correct — the real fix was clearing 'prettyprinted' in parsePaste().
No test change needed beyond the fix in privatebin.js.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 17:32:52 +02:00
rugk
eb58717657 fix: clear prettyprinted class when re-rendering as plaintext/markdown
prettyPrint() adds the 'prettyprinted' marker class to signal it has
processed the element. When the viewer is re-used (e.g. clone flow or
same-page re-render) and the format changes away from syntaxhighlighting,
parsePaste() was removing 'prettyprint' (the styling class) but not
'prettyprinted' (the processed marker), leaving isPrettyPrinted()
returning true stale. This also caused the PasteViewer fast-check test
to fail across iterations when syntaxhighlighting ran before plaintext.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 17:32:19 +02:00
rugk
936a81e055 fix: guard null href in urls2links after jQuery removal
DOMPurify can strip the href from anchors created by the URL regex
(e.g. script-injection attempts), leaving <a> elements with no href
attribute. getAttribute('href') returns null in that case; the previous
.match() call on null crashed with TypeError.

jQuery's .attr('href') returned undefined and .match() was never
called, so the bug was silently hidden.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 17:32:01 +02:00