closes https://github.com/TryGhost/Product/issues/4191
Without this patch, themes can read arbitrary files from your system and
expose them to the internet via the layout feature of express-hbs.
For example `{{!< ../../../../config.production.json}}` would spit out config,
which can contain secrets.
As theme upload is restricted to users with the Admin role, this mostly effects
hosting providers which use their own secret keys for e.g. mail or database config
refs https://github.com/TryGhost/DevOps/issues/3
refs b6d8e0192a
- see referenced commit for full context but this should improve the
theme check time for themes with a large number of files and partials
- locally, checking a particularly heavy theme goes from 5s to 1.7s with this
commit, and the improvement is larger on slower machines
fixes GRO-25
Updated @tryghost/nql to 0.12.0 and other packages that depend on it
1. SQLite: when a filter string contains /.
When we use a NQL contain/starts/endsWith filter that contains a slash,
underlyingly the whole filter will get converted to a MongoDB query, in
which we just use a regexp to represent the filter. In here we will
escape the slash: \/ as expected in a regexp. Later when we convert this
MongoDB query back to knex/SQL, we use a SQL LIKE query. Currently we
don't remove the escaping here for a normal slash. MySQL seems to ignore
this (kinda incorrect). SQLite doesn't like it, and this breaks queries
on SQLite that use slashes. The solution here is simple: remove the
backslash escaping when converting the regexp to LIKE, just like we do
with other special regexp characters.
2. We don't escape % and _, which have a special meaning in LIKE queries
Usage of % and _ is now as expected and doesn't have the special SQL
meaning anymore.
closes https://github.com/TryGhost/Product/issues/4133
- we were creating a new JSDOM instance every time we rendered a card which lowered performance because JSDOM instantiation is heavy
- updated Koenig packages to remove the need for passing in an external `createDocument` option method as they now re-use the renderer's internal single instance of JSDOM
fixes https://github.com/TryGhost/DevOps/issues/99
- this inlines the `monobundle` script into the monorepo from an
external repo in order to avoid some caching issues we've seen
- it also makes it easier to maintain because you can change the script
alongside changes in the monorepo
closes https://github.com/TryGhost/Koenig/pull/1038
- updated `<KoenigLexicalEditorInput>` to load `<EmojiPickerPlugin>` and compose it into the editor unless used with `<KoenigLexicalEditorInput @emojiPicker={{false}} />`
- bumped Koenig packages so `EmojiPickerPlugin` is available to import from `koenig-lexical`
no issue
- updates `@tryghost/koenig-lexical` with indent improvements
- prevents indents on paragraphs/headings etc which are not supported when rendering for front-end display
- improves indent behaviour for lists so <kbd>Tab</kbd> can be pressed anywhere in a list item to indent rather than only at the beginning of the list
closes https://github.com/TryGhost/Product/issues/4037
- bumps `@tryghost/kg-html-to-lexical` that includes better node normalization to handle `<br>` in top-level text nodes and after a nested block-level element
- also includes fix for button hrefs having `about:blank` prefixed to hash URLs
closes https://github.com/TryGhost/Ghost/issues/18448
- improved slash menu positioning when opening at the bottom of a post
- fixed backspace sometimes deleting a preceding card (e.g. backspace at end of link inside a paragraph preceded by a card)
- fixed `?source=html` issues
- images not rendering in front-end output after import
- images wrapped in links losing their link after import
- fixed inline styles in HTML card content not displaying in the editor
- fixed broken help link in the email card
refs: https://github.com/TryGhost/DevOps/issues/78
Re-introduce parallel browser tests
These were adding in a previous PR, but the difference between local
running tests and using CI introduced failures.
Added additional fixes to ensure the Stripe API key is used in the CLI when running in CI.
refs: https://github.com/TryGhost/DevOps/issues/78
Instead of running a single instance of Ghost, we now run an instance of Ghost for each test worker.
This has the unfortunate effect that a test failing will close and restart a new instance of Ghost, but in general will be multiple times faster than sequential execution of tests.
closes https://github.com/TryGhost/Product/issues/4008
- bumps all Koenig packages
- `kg-default-nodes` contains a rendering fix that avoids creating invalid class attributes from bad `backgroundColor` values
- `kg-converters` contains an update to avoid copying over bad `backgroundColor` values when converting from mobiledoc to lexical
closes https://github.com/TryGhost/Product/issues/4007
- bumps Koenig packages containing extended TextNode and HeadingNode with extra DOM parsing support for the non-semantic HTML generated by Word when copy/pasting
refs https://github.com/TryGhost/Product/issues/3969
- this now allows themes to have up to 20 custom theme settings
- also bumps `@tryghost/zip` to try and ensure it uses the version
without fs-extra
refs: https://github.com/TryGhost/Product/issues/3782
Latest version of request avoids using the OS-level name resolution system. This prevents long shutdowns from occuring where the OS is blocking the process from exiting cleanly.
The new version uses `got` 13, which has many breaking changes. Some of these are resolved within @tryghost/request (like response errors), but input parameters need to be changed.
refs https://ghost.slack.com/archives/C0568LN2CGJ/p1695149803260239
refs 290bc71d6a
- previous versions of `@tryghost/limit-service` did a full import of
lodash, which would bloat the bundle size, especially when we only use
a few of its functions
- I've since fixed that and this commit bumps Ghost to the smaller
version
refs https://github.com/TryGhost/Arch/issues/83
This allows endpoints to implement their own key generation, with access to the
frame object they can be smart about key generation and use only options and
context values that are appropriate.
closes https://github.com/TryGhost/Product/issues/3803
Previously when the beta editor was enabled, using `?source=html` to create posts via the API would create posts in the old editor rather than the beta. This change switches conversion over to the new editor format when the beta is enabled so the full flow can be tested.
- added `htmlToLexicalConverter` method to our lexical library
- updated post and page input serializers to add html-to-lexical conversion when the beta editor is enabled
- updated post model to handle the mobiledoc+lexical co-existing state
- this is a special case that is only valid for `?source=html` because providing both directly via the API is prohibited
- we need the extra check here because at the input serializer layer we don't have access to the model to check if we're updating a mobiledoc post or a lexical post so the serializer sets both formats on a `?source=html` request when the beta is enabled and lets the model handle choosing the correct one
closes https://github.com/TryGhost/Product/issues/3827
- links following a line break in the editor were being rendered before the line break when previewing/publishing
- bumps Koenig packages which includes relevant fix in `@tryghost/kg-lexical-html-renderer`
