npm - ghost - Versions diffs - 5.82.12 → 5.84.0 - Mend

ghost 5.82.12 → 5.84.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (186) hide show

package/core/built/admin/index.html CHANGED Viewed

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.82%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22ember-websockets%22%3A%7B%22socketIO%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%223eace8808c%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%226b30648e0d%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%22d91284430d%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%22c4fe53c34a%22%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.84%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22ember-websockets%22%3A%7B%22socketIO%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%2255764a8e22%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%222de5d3a326%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%2274637d0e3a%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%22c4fe53c34a%22%7D" />
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -37,7 +37,7 @@
     </style>
     <link integrity="" rel="stylesheet" href="assets/vendor-0ede59da8efb5e28fa929557f7ff7154.css">
-    <link integrity="" rel="stylesheet" href="assets/ghost-67652794f5902e84ccb0c67948563c1e.css" title="light">
+    <link integrity="" rel="stylesheet" href="assets/ghost-da719d2c50388e7f72e596e1a8b99e80.css" title="light">
 </head>
@@ -57,8 +57,8 @@
     <div id="ember-basic-dropdown-wormhole"></div>
     <script src="assets/vendor-0d51bbe51e0393cca143d7b52d073d8a.js"></script>
-<script src="assets/chunk.300.07bd40373843db34827c.js"></script>
-<script src="assets/chunk.524.d0e760b5fbf40755f861.js"></script>
-    <script src="assets/ghost-6f45467fa855b0c1da51c5f6c31f4744.js"></script>
+<script src="assets/chunk.509.d6d53e741bc279357eaf.js"></script>
+<script src="assets/chunk.524.dd2adb7618502394b0fa.js"></script>
+    <script src="assets/ghost-2bb48a3a355571aa30056b2bb30b9c2a.js"></script>
 </body>
 </html>

package/core/server/api/endpoints/utils/serializers/input/posts.js CHANGED Viewed

@@ -92,18 +92,11 @@ function defaultRelations(frame) {
 }
 function setDefaultOrder(frame) {
-    let includesOrderedRelations = false;
-    if (frame.options.withRelated) {
-        const orderedRelations = ['author', 'authors', 'tag', 'tags'];
-        includesOrderedRelations = _.intersection(orderedRelations, frame.options.withRelated).length > 0;
-    }
-    if (!frame.options.order && !includesOrderedRelations && frame.options.filter) {
+    if (!frame.options.order && frame.options.filter) {
         frame.options.autoOrder = slugFilterOrder('posts', frame.options.filter);
     }
-    if (!frame.options.order && !frame.options.autoOrder && !includesOrderedRelations) {
+    if (!frame.options.order && !frame.options.autoOrder) {
         frame.options.order = 'published_at desc';
     }
 }

package/core/server/data/migrations/versions/5.83/2024-05-28-02-20-55-add-show-subhead-column-newsletters.js ADDED Viewed

@@ -0,0 +1,9 @@
+// For information on writing migrations, see https://www.notion.so/ghost/Database-migrations-eb5b78c435d741d2b34a582d57c24253
+const {createAddColumnMigration} = require('../../utils');
+module.exports = createAddColumnMigration('newsletters', 'show_subhead', {
+    type: 'boolean',
+    nullable: false,
+    defaultTo: false
+});

package/core/server/data/migrations/versions/5.84/2024-06-04-09-13-33-rename-newsletters-show-subhead.js ADDED Viewed

@@ -0,0 +1,3 @@
+const {createRenameColumnMigration} = require('../../utils');
+module.exports = createRenameColumnMigration('newsletters', 'show_subhead', 'show_subtitle');

package/core/server/data/migrations/versions/5.84/2024-06-04-11-10-37-add-custom-excerpt-to-post-revisions.js ADDED Viewed

@@ -0,0 +1,7 @@
+const {createAddColumnMigration} = require('../../utils');
+module.exports = createAddColumnMigration('post_revisions', 'custom_excerpt', {
+    type: 'string',
+    maxlength: 2000,
+    nullable: true
+});

package/core/server/data/migrations/versions/5.84/2024-06-05-08-42-34-populate-post-revisions-custom-excerpt.js ADDED Viewed

@@ -0,0 +1,32 @@
+const logging = require('@tryghost/logging');
+const {createTransactionalMigration} = require('../../utils');
+const DatabaseInfo = require('@tryghost/database-info');
+module.exports = createTransactionalMigration(
+    async function up(knex) {
+        logging.info('Populating post_revisions.custom_excerpt with post.excerpt');
+        if (DatabaseInfo.isSQLite(knex)) {
+            // SQLite doesn't support JOINs in UPDATE queries
+            await knex.raw(`
+                UPDATE post_revisions
+                SET custom_excerpt = (
+                    SELECT posts.custom_excerpt
+                    FROM posts
+                    WHERE post_revisions.post_id = posts.id
+                )
+            `);
+        } else {
+            await knex.raw(`
+                UPDATE post_revisions
+                JOIN posts ON post_revisions.post_id = posts.id
+                SET post_revisions.custom_excerpt = posts.custom_excerpt
+            `);
+        }
+        logging.info('Finished populating post_revisions.custom_excerpt');
+    },
+    async function down() {
+        // Not required
+    }
+);

package/core/server/data/migrations/versions/5.84/2024-06-05-13-48-35-rename-newsletters-show-subtitle.js ADDED Viewed

@@ -0,0 +1,3 @@
+const {createRenameColumnMigration} = require('../../utils');
+module.exports = createRenameColumnMigration('newsletters', 'show_subtitle', 'show_excerpt');

package/core/server/data/schema/schema.js CHANGED Viewed

@@ -30,6 +30,7 @@ module.exports = {
         header_image: {type: 'string', maxlength: 2000, nullable: true},
         show_header_icon: {type: 'boolean', nullable: false, defaultTo: true},
         show_header_title: {type: 'boolean', nullable: false, defaultTo: true},
+        show_excerpt: {type: 'boolean', nullable: false, defaultTo: false},
         title_font_category: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'sans_serif', validations: {isIn: [['serif', 'sans_serif']]}},
         title_alignment: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'center', validations: {isIn: [['center', 'left']]}},
         show_feature_image: {type: 'boolean', nullable: false, defaultTo: true},
@@ -412,7 +413,8 @@ module.exports = {
         reason: {type: 'string', maxlength: 50, nullable: true},
         feature_image: {type: 'string', maxlength: 2000, nullable: true},
         feature_image_alt: {type: 'string', maxlength: 191, nullable: true, validations: {isLength: {max: 125}}},
-        feature_image_caption: {type: 'text', maxlength: 65535, nullable: true}
+        feature_image_caption: {type: 'text', maxlength: 65535, nullable: true},
+        custom_excerpt: {type: 'string', maxlength: 2000, nullable: true, validations: {isLength: {max: 300}}}
     },
     members: {
         id: {type: 'string', maxlength: 24, nullable: false, primary: true},

package/core/server/models/newsletter.js CHANGED Viewed

@@ -29,7 +29,8 @@ const Newsletter = ghostBookshelf.Model.extend({
             background_color: 'light',
             border_color: null,
             title_color: null,
-            feedback_enabled: false
+            feedback_enabled: false,
+            show_excerpt: false
         };
     },

package/core/server/models/post.js CHANGED Viewed

@@ -973,6 +973,7 @@ Post = ghostBookshelf.Model.extend({
                     feature_image_alt: model.get('posts_meta')?.feature_image_alt,
                     feature_image_caption: model.get('posts_meta')?.feature_image_caption,
                     title: model.get('title'),
+                    custom_excerpt: model.get('custom_excerpt'),
                     post_status: model.get('status')
                 };

package/core/server/services/members/middleware.js CHANGED Viewed

@@ -47,12 +47,16 @@ const setAccessCookies = function setAccessCookies(member = undefined, res, free
     if (!hmacSecret) {
         return;
     }
+    const hmacSecretBuffer = Buffer.from(hmacSecret, 'base64');
+    if (hmacSecretBuffer.length === 0) {
+        return;
+    }
     const activeSubscription = member.subscriptions?.find(sub => sub.status === 'active');
     const cookieTimestamp = Math.floor(Date.now() / 1000); // to mitigate a cookie replay attack
     const memberTier = activeSubscription && activeSubscription.tier.id || freeTier.id;
     const memberTierAndTimestamp = `${memberTier}:${cookieTimestamp}`;
-    const memberTierHmac = crypto.createHmac('sha256', hmacSecret).update(memberTierAndTimestamp).digest('hex');
+    const memberTierHmac = crypto.createHmac('sha256', hmacSecretBuffer).update(memberTierAndTimestamp).digest('hex');
     const maxAge = 3600;
     const accessCookie = `ghost-access=${memberTierAndTimestamp}; Max-Age=${maxAge}; Path=/; HttpOnly; SameSite=Strict;`;

package/core/server/services/slack.js CHANGED Viewed

@@ -63,7 +63,24 @@ function ping(post) {
         if (post.custom_excerpt) {
             description = post.custom_excerpt;
         } else if (post.html) {
-            description = `${post.html.replace(/<[^>]+>/g, '').split('.').slice(0, 3).join('.')}.`;
+            const membersContentIdx = post.html.indexOf('<!--members-only-->');
+            const substringEnd = membersContentIdx > -1 ? membersContentIdx : post.html.length;
+            description = `${
+                post.html
+                    // Remove members-only content
+                    .substring(0, substringEnd)
+                    // Strip out HTML
+                    .replace(/<[^>]+>/g, '')
+                    // Split into sentences
+                    .split('.')
+                    // Remove empty strings
+                    .filter(sentence => sentence.trim() !== '')
+                    // Get the first three sentences
+                    .slice(0, 3)
+                    // Join 'em back together
+                    .join('.')
+            }.`;
         } else {
             description = null;
         }
@@ -160,7 +177,10 @@ function slackListener(model, options) {
         return;
     }
-    ping(model.toJSON());
+    ping({
+        ...model.toJSON(),
+        authors: model.related('authors').toJSON()
+    });
 }
 function slackTestPing() {

package/core/server/web/api/middleware/upload.js CHANGED Viewed

@@ -6,6 +6,7 @@ const errors = require('@tryghost/errors');
 const config = require('../../../../shared/config');
 const tpl = require('@tryghost/tpl');
 const logging = require('@tryghost/logging');
+const {JSDOM} = require('jsdom');
 const messages = {
     db: {
@@ -144,14 +145,33 @@ const checkFileExists = (fileData) => {
 const checkFileIsValid = (fileData, types, extensions) => {
     const type = fileData.mimetype;
     if (types.includes(type) && extensions.includes(fileData.ext)) {
         return true;
     }
     return false;
 };
+/**
+ *
+ * @param {String} filepath
+ * @returns {Boolean}
+ *
+ * Checks for the presence of <script> tags or 'on' attributes in an SVG file
+ *
+ */
+const isSvgSafe = (filepath) => {
+    const fileContent = fs.readFileSync(filepath, 'utf8');
+    const document = new JSDOM(fileContent).window.document;
+    document.body.innerHTML = fileContent;
+    const svgEl = document.body.firstElementChild;
+    const attributes = Array.from(svgEl.attributes).map(({name}) => name);
+    const hasScriptAttr = !!attributes.find(attr => attr.startsWith('on'));
+    const scripts = svgEl.getElementsByTagName('script');
+    return scripts.length === 0 && !hasScriptAttr ? true : false;
+};
 /**
  *
  * @param {Object} options
@@ -190,6 +210,14 @@ const validation = function ({type}) {
             }));
         }
+        if (req.file.ext === '.svg') {
+            if (!isSvgSafe(req.file.path)) {
+                return next(new errors.UnsupportedMediaTypeError({
+                    message: 'SVG files cannot contain <script> tags or "on" attributes.'
+                }));
+            }
+        }
         next();
     };
 };
@@ -261,5 +289,6 @@ module.exports = {
 // Exports for testing only
 module.exports._test = {
     checkFileExists,
-    checkFileIsValid
+    checkFileIsValid,
+    isSvgSafe
 };

package/core/shared/labs.js CHANGED Viewed

@@ -25,7 +25,8 @@ const GA_FEATURES = [
     'filterEmailDisabled',
     'newEmailAddresses',
     'portalImprovements',
-    'onboardingChecklist'
+    'onboardingChecklist',
+    'newsletterExcerpt'
 ];
 // NOTE: this allowlist is meant to be used to filter out any unexpected
@@ -36,7 +37,8 @@ const BETA_FEATURES = [
     'activitypub',
     'internalLinking',
     'stripeAutomaticTax',
-    'webmentions'
+    'webmentions',
+    'editorExcerpt'
 ];
 const ALPHA_FEATURES = [
@@ -51,7 +53,8 @@ const ALPHA_FEATURES = [
     'tipsAndDonations',
     'importMemberTier',
     'lexicalIndicators',
-    'adminXDemo'
+    'adminXDemo',
+    'internalLinkingAtLinks'
 ];
 module.exports.GA_KEYS = [...GA_FEATURES];