If a response to a $.ajax() request returns a content type of "application/javascript",
jQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.
Controls bar calculation needs to take the sidebar visibility into
account.
Recalculation is now triggered when sidebar is toggled, using a new
app-content event "appresized".
Tipsy also supported the `fallback` element which will now not work anymore. To enhance compatibility we shall also implement it in the shim.
Fixes https://github.com/owncloud/core/issues/17870
These should be used in the future instead of location.*.
It will make it possible to stub these methods for writing unit tests
and simulating different URL schemes.
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and led to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
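
A sketch of the kind of client-side header check described above, as an added example that is not ownCloud's own code. The expected header values, the HSTS minimum and all function names are assumptions; header names are compared case-insensitively because servers differ in how they spell them.

```javascript
// Added example. Expected values and the HSTS minimum are assumptions.
const EXPECTED_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
};
const HSTS_MIN_AGE = 15768000; // assumed minimum max-age in seconds

// Lower-case the names: servers and proxies differ in how they spell them.
function normalizeHeaders(raw) {
  const out = {};
  for (const [name, value] of Object.entries(raw)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns a list of findings; an empty list means every check passed.
function checkSecurityHeaders(rawHeaders, isHttps) {
  const headers = normalizeHeaders(rawHeaders);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED_HEADERS)) {
    const actual = headers[name.toLowerCase()];
    if (actual === undefined) {
      findings.push(`${name} is missing (expected "${expected}")`);
    } else if (actual.toLowerCase() !== expected.toLowerCase()) {
      findings.push(`${name} is "${actual}" (expected "${expected}")`);
    }
  }
  if (isHttps) { // HSTS only has meaning on HTTPS responses
    const hsts = headers['strict-transport-security'] || '';
    const match = /(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(hsts);
    if (!match) {
      findings.push('Strict-Transport-Security is missing or has no max-age');
    } else if (Number(match[1]) < HSTS_MIN_AGE) {
      findings.push(`Strict-Transport-Security max-age ${match[1]} is too short`);
    }
  }
  return findings;
}

// Constructed sample: header names arrive in lower case, one header is absent.
const sampleHeaders = {
  'x-frame-options': 'sameorigin',
  'strict-transport-security': 'max-age=3600; includeSubDomains',
};
console.log(checkSecurityHeaders(sampleHeaders, true));
```
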
This function is often used in a wrong and potentially dangerous way... Thus we should escape the URL per default and offer developers to disable the automatic escaping via an option parameter if they really want that behaviour.
Might break some things, however, those things are then easy to fix and we really have a ton of bugs caused by this...
Fixes https://github.com/owncloud/core/issues/14228
* options for timeout in seconds and if it contains HTML
* if timeout is 0 it will show the message permanently
* removes the notification after a given (default: 5 seconds) timeframe
* based on work by @brantje
* provide JS unit tests for notifications
Moved search result type translations to search.js
Load JS translations earlier
Translations need to be loaded earlier to make sure that some JS files
like search.js get access to translations at this time.
This requires the template initialization to be moved to after session
initialization, because only after the session we have access to the
current language.
Added addTranslations and fixed de.js file
Fixed de.js to use OC.L10N.register() and use the correct expected
format.
Added JS unit tests for OC.L10N class
Include translations JS script for all apps
- Added setup checks in JavaScript
- Moved isWebDAVWorking to JS using SetupChecks
- Moved internet connection checks to an ajax call that goes through the
server
Now using a natural sort algorithm that is more consistent between JS
and PHP (although not perfect in some corner cases)
- added OC.Util.naturalSortComparator that uses the same algo that was
used for the user list
- changed user list and files list to use OC.Util.naturalSortComparator
- removed toLowerCase() and changed the comparator to use
String.localeCompare()
- added unit tests
- added OC_NaturalSort that is used by OCP\Util::naturalSortCompare()
When using big session timeout values, the interval value might
overflow and cause the setInterval() call to ping the server in a loop
without any delay.
This fix adds a maximum ping interval of 24 hours.
Forward port of 00ec5fc193 from stable6.
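
Why a large session timeout turns into a zero-delay loop, and what the 24-hour cap prevents, as an added example that is not the project's code. Browsers convert the timer delay to a signed 32-bit integer, so values above 2147483647 ms wrap around; the function names, the "half the session lifetime" policy and the 60-second floor are assumptions.

```javascript
// Added example; names, the half-lifetime policy and the floor are assumptions.
const MAX_PING_INTERVAL_S = 24 * 3600; // the 24-hour maximum from the commit message
const MIN_PING_INTERVAL_S = 60;        // assumed floor for very short sessions

// Models how a browser timer treats its delay argument: the number is
// converted to a signed 32-bit integer (it wraps), and a negative result
// is treated as 0, so the callback fires again immediately.
function effectiveTimerDelayMs(requestedMs) {
  const wrapped = requestedMs | 0; // same wrap-around as the 32-bit conversion
  return Math.max(0, wrapped);
}

// Unclamped interval: ping at half the session lifetime.
function naivePingIntervalMs(sessionLifetimeS) {
  return Math.floor(sessionLifetimeS / 2) * 1000;
}

// Clamped interval: never longer than 24 hours, never shorter than the floor.
function safePingIntervalMs(sessionLifetimeS) {
  const half = Math.floor(Number(sessionLifetimeS) / 2);
  if (!Number.isFinite(half)) {
    return MIN_PING_INTERVAL_S * 1000; // unusable config value: fall back to the floor
  }
  const seconds = Math.min(MAX_PING_INTERVAL_S, Math.max(MIN_PING_INTERVAL_S, half));
  return seconds * 1000;
}

// Constructed sample: a session lifetime of 60 days, in seconds.
const SIXTY_DAYS_S = 60 * 24 * 3600;
console.log('naive :', naivePingIntervalMs(SIXTY_DAYS_S), 'ms ->',
  effectiveTimerDelayMs(naivePingIntervalMs(SIXTY_DAYS_S)), 'ms effective');
console.log('capped:', safePingIntervalMs(SIXTY_DAYS_S), 'ms ->',
  effectiveTimerDelayMs(safePingIntervalMs(SIXTY_DAYS_S)), 'ms effective');
```
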
Snapper doesn't work at all for IE8 and IE9 and messes up with the main
container layout when enabled.
This commit disables snapper for these browsers.
Sometimes no icon file is passed to replaceSVGIcon(), it showed an error
in IE8 and broke the code flow.
This fix adds a check whether the file name is set.
- FileList is now an instantiable class
- FileActions is now in namespace
- added App class for trashbin app
- moved trashbin overrides into classes extending FileList
- replaced many static calls with "this." or "self." to make the classes
reusable/extendable
- new URL parameter "view" to specify which view is shown, for example
"files" or "trashbin"
- added OC.Util.History utility class in core for handling history
- moved URL handling/routing to OCA.Files.App
- popstate will correctly update the current view and notify the view of
the URL change so it can update the current dir
- added JS unit tests for the trashbin app
- fixed public app to work with the new namespaces
- added new OCA.Files namespace for files classes
- the sidebar can now switch between views/containers
- the trashbin renders in its own container but currently doesn't work
due to overrides
- added app.js as entry point for JS code (ideally all other files should
only contain classes and not trigger anything)
- moved file selection code to FileList
- fix selection summary when all files are selected
- nextPage now auto-selects files if "select all" checkbox is checked
- fixed trashbin to use the same selection logic as FileList
- moved the summary code into a new class FileSummary
- FileSummary is calculated only once, then updated with add/remove
- added new OC.Util namespace for JS utility functions
Also used JSHint.com to find a few other issues.
- Strict comparisons (===)
- Fixed regex escaping errors
- Refactored OC.buildQueryString to use jQuery.map
- Missing semicolons
- Braces around if block
Left some of the mixed spaces/tabs as they are for alignment in comments.
- Moved code that replaces the "svg" extension for the given file to
core as OC.Util.replaceSVGIcon.
- Added unit test for OC.Util.replaceSVGIcon
- Moved "replaceSVG" to OC.Util.replaceSVG and deprecated the global
"replaceSVG" function.
- Added alias for SVGSupport() as OC.Util.hasSVGSupport() (for now)
Files app:
- removed file list template, now rendering list from JSON response
- FileList.addFile/addDir is now FileList.add() and takes a JS map with all required
arguments instead of having a long number of function arguments
- added unit tests for many FileList operations
- fixed newfile.php, newfolder.php and rename.php to return the file's
full JSON on success
- removed obsolete/unused undo code
- removed download_url / loading options, now using
Files.getDownloadUrl() for that
- server side now uses Helper::getFileInfo() to prepare file JSON response
- previews are now client-side only
Breadcrumbs are now JS only:
- Added BreadCrumb class to handle breadcrumb rendering and events
- Added unit test for BreadCrumb class
- Moved all relevant JS functions to the BreadCrumb class
Public page now uses ajax to load the file list:
- Added Helper class in sharing app to make it easier to authenticate
and retrieve the file's real path
- Added ajax/list.php to retrieve the file list
- Fixed FileActions and FileList to work with the ajax list
Core:
- Fixed file picker dialog to use the same list format as files app
- now correctly parse query strings with '+' signs
- empty values are now parsed either as null or empty string
- added unit test for parseQueryString()
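
The parsing rules listed above ('+' decoded as a space, a key without '=' parsed as null, a key with an empty value parsed as an empty string), written out as an added example that is not the project's OC.parseQueryString. The handling of malformed percent-escapes and the prototype-less result object are assumptions of this sketch.

```javascript
// Added example; behaviour beyond the three rules in the text is an assumption.

// Decode one component; keep the raw text if the escape sequence is malformed.
function safeDecode(component) {
  try {
    return decodeURIComponent(component);
  } catch (e) {
    return component;
  }
}

function parseQueryString(queryString) {
  if (typeof queryString !== 'string') {
    return null;
  }
  // Accept a full URL, "?a=b" or plain "a=b"; drop any fragment.
  const start = queryString.indexOf('?');
  let query = start >= 0 ? queryString.slice(start + 1) : queryString;
  const hash = query.indexOf('#');
  if (hash >= 0) {
    query = query.slice(0, hash);
  }
  // No prototype, so a parameter named "__proto__" is stored as plain data.
  const result = Object.create(null);
  // '+' means space in a query string. Replace it before percent-decoding,
  // otherwise an encoded literal plus (%2B) would be turned into a space too.
  for (const part of query.replace(/\+/g, '%20').split('&')) {
    if (part === '') {
      continue;
    }
    const eq = part.indexOf('=');
    const key = safeDecode(eq >= 0 ? part.slice(0, eq) : part);
    if (key === '') {
      continue;
    }
    // "key" alone parses as null, "key=" parses as the empty string.
    result[key] = eq >= 0 ? safeDecode(part.slice(eq + 1)) : null;
  }
  return result;
}

// Constructed sample input.
console.log(parseQueryString('?dir=/my+folder&view=&sorted&q=1%2B1'));
```
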
The SVGSupport checkMimeType method was failing on my setup as the headers are all returned in lowercase. I have lowercased all the indexes and modified the if statement so that it doesn't matter what case the headers are returned in.