ep_hide_referrer 0.0.60 → 0.0.61

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -26,7 +26,7 @@ jobs:
26
26
  with:
27
27
  repository: ether/etherpad-lite
28
28
  path: etherpad-lite
29
- - uses: pnpm/action-setup@v3
29
+ - uses: pnpm/action-setup@v6
30
30
  name: Install pnpm
31
31
  with:
32
32
  version: 10
@@ -15,7 +15,7 @@ jobs:
15
15
  uses: actions/checkout@v6
16
16
  with:
17
17
  repository: ether/etherpad-lite
18
- - uses: pnpm/action-setup@v3
18
+ - uses: pnpm/action-setup@v6
19
19
  name: Install pnpm
20
20
  with:
21
21
  version: 10
@@ -31,7 +31,7 @@ jobs:
31
31
  uses: actions/checkout@v6
32
32
  with:
33
33
  repository: ether/etherpad-lite
34
- - uses: pnpm/action-setup@v5
34
+ - uses: pnpm/action-setup@v6
35
35
  name: Install pnpm
36
36
  with:
37
37
  version: 10
@@ -59,12 +59,20 @@ jobs:
59
59
  [ "${NEW_COMMITS}" -gt 0 ] || exit 0
60
60
  git config user.name 'github-actions[bot]'
61
61
  git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
62
- pnpm i
62
+ pnpm i --frozen-lockfile
63
63
  # `pnpm version patch` bumps package.json, makes a commit, and creates
64
64
  # a `v<new-version>` tag. Capture the new tag name from package.json
65
65
  # rather than parsing pnpm's output, which has historically varied.
66
- pnpm version patch
67
- NEW_TAG="v$(node -p "require('./package.json').version")"
66
+ # Bump the patch component directly with Node. pnpm/action-setup@v6
67
+ # sometimes installs pnpm 11 pre-releases even when version: 10.x is
68
+ # requested (pnpm/action-setup#225); those pre-releases either skip
69
+ # the git commit/tag or reject --no-git-tag-version as unknown.
70
+ # Doing the bump in Node sidesteps both failure modes.
71
+ NEW_VERSION=$(node -e "const fs=require('fs');const p=require('./package.json');const v=p.version.split('.');v[2]=String(Number(v[2])+1);p.version=v.join('.');fs.writeFileSync('./package.json',JSON.stringify(p,null,2)+'\n');console.log(p.version);")
72
+ NEW_TAG="v${NEW_VERSION}"
73
+ git add package.json
74
+ git commit -m "${NEW_TAG}"
75
+ git tag -a "${NEW_TAG}" -m "${NEW_TAG}"
68
76
  # CRITICAL: use --atomic so the branch update and the tag update
69
77
  # succeed (or fail) as a single transaction on the server. The old
70
78
  # `git push --follow-tags` was non-atomic per ref: if a concurrent
package/README.md CHANGED
@@ -1,3 +1,20 @@
1
1
  ![Publish Status](https://github.com/ether/ep_hide_referrer/workflows/Node.js%20Package/badge.svg) [![Backend Tests Status](https://github.com/ether/ep_hide_referrer/actions/workflows/test-and-release.yml/badge.svg)](https://github.com/ether/ep_hide_referrer/actions/workflows/test-and-release.yml)
2
2
 
3
3
  A patch to solve the [referrer leak issue](https://github.com/ether/etherpad-lite/issues/1603) (for applications where the pad id is should be confidential)
4
+
5
+ ## Installation
6
+
7
+ Install from the Etherpad admin UI (**Admin → Manage Plugins**,
8
+ search for `ep_hide_referrer` and click *Install*), or from the Etherpad
9
+ root directory:
10
+
11
+ ```sh
12
+ pnpm run plugins install ep_hide_referrer
13
+ ```
14
+
15
+ > ⚠️ Don't run `npm i` / `npm install` yourself from the Etherpad
16
+ > source tree — Etherpad tracks installed plugins through its own
17
+ > plugin-manager, and hand-editing `package.json` can leave the
18
+ > server unable to start.
19
+
20
+ After installing, restart Etherpad.
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "ep_hide_referrer",
3
3
  "description": "Don't pass the referring URL to third parties. This handles the security/privacy issue where you don't want the third party service to know your pad URL. Improves Privacy.",
4
- "version": "0.0.60",
4
+ "version": "0.0.61",
5
5
  "author": "johnyma22 (John McLear) <john@mclear.co.uk>",
6
6
  "contributors": [],
7
7
  "repository": {
@@ -17,8 +17,8 @@
17
17
  },
18
18
  "devDependencies": {
19
19
  "eslint": "^8.57.1",
20
- "eslint-config-etherpad": "^4.0.4",
21
- "typescript": "^6.0.2"
20
+ "eslint-config-etherpad": "^4.0.5",
21
+ "typescript": "^6.0.3"
22
22
  },
23
23
  "scripts": {
24
24
  "lint": "eslint .",
@@ -4,20 +4,20 @@ exports.postAceInit = (hook, context) => {
4
4
  const $inner =
5
5
  $('iframe[name="ace_outer"]').contents().find('iframe').contents().find('#innerdocbody');
6
6
  $inner.on('click', 'a', (e) => {
7
- window.open(`../redirect#${escape(e.currentTarget.href)}`);
7
+ window.open(`../redirect#${encodeURIComponent(e.currentTarget.href)}`);
8
8
  e.preventDefault();
9
9
  return false;
10
10
  });
11
11
 
12
12
  $inner.on('contextmenu', 'a', function (e) {
13
- $(this).attr('href', `../redirect#${escape(e.currentTarget.href)}`);
13
+ $(this).attr('href', `../redirect#${encodeURIComponent(e.currentTarget.href)}`);
14
14
  });
15
15
 
16
16
  $('#chattext').on('click', 'a', function (e) {
17
17
  if ($(this).hasClass('no-referrer')) {
18
18
  window.open(e.currentTarget.href);
19
19
  } else {
20
- window.open(`../redirect#${escape(e.currentTarget.href)}`);
20
+ window.open(`../redirect#${encodeURIComponent(e.currentTarget.href)}`);
21
21
  }
22
22
  e.preventDefault();
23
23
  return false;
@@ -27,14 +27,14 @@ exports.postAceInit = (hook, context) => {
27
27
  if (!$(this).hasClass('no-referrer')) {
28
28
  $(this).attr('rel', 'noreferrer');
29
29
  $(this).addClass('no-referrer');
30
- $(this).attr('href', `../redirect#${escape(e.currentTarget.href)}`);
30
+ $(this).attr('href', `../redirect#${encodeURIComponent(e.currentTarget.href)}`);
31
31
  }
32
32
  });
33
33
  };
34
34
 
35
35
  exports.postTimesliderInit = (hook, context) => {
36
36
  $('#padcontent').on('click', 'a', (e) => {
37
- window.open(`../../redirect#${escape(e.currentTarget.href)}`);
37
+ window.open(`../../redirect#${encodeURIComponent(e.currentTarget.href)}`);
38
38
  e.preventDefault();
39
39
  return false;
40
40
  });
@@ -0,0 +1,51 @@
1
+ 'use strict';
2
+
3
+ const assert = require('assert').strict;
4
+ const fs = require('fs');
5
+ const path = require('path');
6
+ const common = require('ep_etherpad-lite/tests/backend/common');
7
+
8
+ let agent;
9
+
10
+ describe(__filename, function () {
11
+ before(async function () {
12
+ agent = await common.init();
13
+ });
14
+
15
+ describe('GET /redirect', function () {
16
+ it('serves the redirect template (regression for #80: no double-decode)', async function () {
17
+ const res = await agent.get('/redirect').expect(200).expect('Content-Type', /html/);
18
+ const html = res.text;
19
+ // The fix removes unescape() and decodes exactly once. If somebody
20
+ // re-introduces unescape() or a second decodeURIComponent(), we want
21
+ // the test to fail before users hit broken Google Maps Plus Code URLs
22
+ // again.
23
+ assert(!/\bunescape\s*\(/.test(html), 'redirect template must not use unescape()');
24
+ const decodeCount = (html.match(/decodeURIComponent\s*\(/g) || []).length;
25
+ assert.equal(decodeCount, 1,
26
+ `redirect template must call decodeURIComponent exactly once (found ${decodeCount})`);
27
+ });
28
+ });
29
+
30
+ describe('encode/decode round-trip', function () {
31
+ // The plugin's static/js/index.js wraps the target href with
32
+ // encodeURIComponent and the redirect template decodes once. This test
33
+ // pins down the property the fix relies on: round-tripping must be
34
+ // lossless for URLs containing percent-encoded characters that would
35
+ // otherwise be reinterpreted by a second decode pass.
36
+ const cases = [
37
+ // Issue #80 — Google Maps Plus Code (the original bug report).
38
+ 'https://www.google.com/maps/place/G98H%2BG38%20Berlin%2C%20Deutschland',
39
+ // Common URL forms with reserved chars.
40
+ 'https://example.com/path?q=a%20b&x=1%2B2',
41
+ 'https://example.com/path/with%2Fslash',
42
+ 'mailto:user@example.com?subject=Hello%20World',
43
+ ];
44
+ for (const url of cases) {
45
+ it(`preserves: ${url}`, function () {
46
+ const round = decodeURIComponent(encodeURIComponent(url));
47
+ assert.equal(round, url);
48
+ });
49
+ }
50
+ });
51
+ });
@@ -7,13 +7,22 @@
7
7
  <script type="text/javascript">
8
8
  window.redir_onload = function() {
9
9
  var urlhash = location.hash.substr(1);
10
- if (urlhash.search(':') < 0) {
11
- urlhash = unescape(urlhash);
12
- }
13
10
 
14
11
  var the_content = document.getElementById('content');
15
12
  if (urlhash) {
16
- urlhash = decodeURIComponent(urlhash);
13
+ // The link generator (static/js/index.js) wraps the target URL with
14
+ // encodeURIComponent, so a single decode restores it. Decoding twice
15
+ // (the previous behavior — see git history of issue #80) breaks any
16
+ // URL whose path or query contains percent-encoded characters that
17
+ // should stay encoded, e.g. Plus Codes like G98H%2BG38 in Google
18
+ // Maps URLs.
19
+ try {
20
+ urlhash = decodeURIComponent(urlhash);
21
+ } catch (e) {
22
+ // Malformed percent-sequence (e.g. manually-crafted URL). Fall
23
+ // through with the raw hash; the safe-scheme check below still
24
+ // protects against unknown schemes.
25
+ }
17
26
 
18
27
  // whitelist "safe" URL and URI schemes, and warn for others
19
28
  safe_regexp = /^(ftps?|https?):\/\/|(about|geo|mailto):/i;