Commit Graph

2221 Commits

Author SHA1 Message Date
noobpk
7097c9c4c0 Update pattern and code check 2021-11-19 18:54:34 +07:00
noobpk
4a2ca815fd update pattern fix issue multi-line in text can be bypass 2021-11-19 15:24:40 +07:00
noobpk
c54b89f143 Add URL schemes that are allowed within links
Fix bug Stored XSS via markdown
Disclosure: https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd/
2021-11-19 13:00:03 +07:00
Garret Wassermann
ffcc83f91d Sync master with 0.3 2021-11-19 00:37:23 -05:00
Garret Wassermann
96338bd73f Bump version to 0.3.1 2021-11-19 00:34:21 -05:00
Garret Wassermann
44abb19712 Backport #980, #981, #984 to 0.3 2021-11-19 00:30:20 -05:00
Garret Wassermann
b78f89c3ef
Merge pull request #984 from noobpk/noobpk-patch-validators
Add `att.full_clean()` before saving to address file validators not working on email attachments
2021-11-18 02:55:39 -05:00
lethanhphuc
04483bdac3
Add att.full_clean() before saving
Fix issue https://github.com/django-helpdesk/django-helpdesk/issues/983
Also, fix bug stored XSS disclosure: https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e/
2021-11-18 10:42:02 +07:00
Garret Wassermann
73787bd245
Merge pull request #981 from GibbsConsulting/master
Update task registration in line with Celery changes
2021-11-17 12:14:56 -05:00
Gibbs Consulting
fedcca42ad
Update tasks.py
Following https://docs.celeryproject.org/en/stable/internals/deprecation.html the importing of the celery task decorator needs to be updated for use with the current version of the celery package.
2021-11-12 11:56:22 -08:00
Garret Wassermann
91b37f6d73
Merge pull request #980 from noobpk/noobpk-fix-xss
Add function `htmlEntities` into template ticket_list.html
2021-11-12 12:02:19 -05:00
lethanhphuc
2c7065e0c4
Add function htmlEntities
`htmlentities()` is a function which converts special characters. This allows you to show to display the string without the browser reading it as HTML.
2021-11-11 17:32:09 +07:00
Garret Wassermann
e016e6699d fix minutes representation in models.py, see #978 2021-10-20 08:11:08 -04:00
Garret Wassermann
3f245871ac
Merge pull request #978 from AmatorAVG/master
Fix minutes representation in format_time_spent in models.py
2021-10-20 08:09:02 -04:00
AmatorAVG
5538985fe1
Update models.py
fix minutes representation in format_time_spent
2021-10-20 14:18:38 +07:00
Garret Wassermann
7a4046b237 azure does not yet support python 3.10 2021-10-19 04:41:56 -04:00
Garret Wassermann
08c41b7206 Really fix azure pipeline testing 2021-10-19 03:31:22 -04:00
Garret Wassermann
8e632830de Fix azure pipeline testing 2021-10-19 02:54:52 -04:00
Garret Wassermann
d0bbb6905a Merge fixes from branch '0.3' 2021-10-18 23:05:38 -04:00
Garret Wassermann
914e751a6d Fix quicktest and update azure config 2021-10-18 23:05:03 -04:00
Garret Wassermann
e6d14b1d3d Update README with azure build status 2021-10-18 22:31:43 -04:00
Garret Wassermann
5ca1f39c23 Update versions and copyrights to begin the 0.4 release dev cycle 2021-10-18 01:16:39 -04:00
Garret Wassermann
266694509f Update CONTRIBUTING to reference the new 0.3 release branch 2021-10-18 01:02:55 -04:00
Garret Wassermann
ec96538a54 Set end date for official 0.2 support, update license copyright years 2021-10-18 00:57:31 -04:00
Garret Wassermann
122d8f7b6a Update documentation for 0.3.0 release, restrict support to python 3.8+ because earlier pythons are no longer supported upstream anyway 2021-10-17 23:49:16 -04:00
Garret Wassermann
0be0e279b7 Update azure pipelines config to test all versions of django supported 2021-10-17 23:34:23 -04:00
Garret Wassermann
751459e5c5 Set max 1 parallel 2021-10-15 02:33:25 -04:00
Garret Wassermann
2d839df7a0 Parallel testing isn't free automatically so skip for now 2021-10-15 02:22:45 -04:00
Garret Wassermann
36e5370a7d Set up CI with Azure Pipelines
[skip ci]
2021-10-15 02:20:40 -04:00
Garret Wassermann
558318f352 Remove old py2 import from setup 2021-10-05 06:28:13 -04:00
Garret Wassermann
aff67184d4 Add attachment validator when uploading attachment to tickets 2021-10-05 06:25:42 -04:00
Garret Wassermann
a5f801bb52 use csrf tokens in all forms 2021-10-04 23:13:38 -04:00
Garret Wassermann
02bdaea76a Add security warning to comments of demodesk about using secure cookies 2021-09-27 23:19:06 -04:00
Garret Wassermann
166d552fba Turn on secure cookie support if the server os environment expects to use secure connections 2021-09-27 22:12:32 -04:00
Garret Wassermann
e8efa4d263 Merge remote-tracking branch 'upstream/master' 2021-09-27 18:59:31 -04:00
Garret Wassermann
3216ff0c55
Merge pull request #974 from passiv/master
fix: strip extraneous whitespace characters that are returned in the Message-ID and In-Reply-To fields from some email providers
2021-09-23 10:19:52 -04:00
Brendan Wood
6a0b367171 fix: strip extraneous whitespace characters that are returned in the Message-ID and In-Reply-To fields from some email providers 2021-09-23 10:07:12 -03:00
Garret Wassermann
66ed61ee6a Set default autofield to be compatible for django 3.2 2021-09-17 10:09:20 -04:00
Garret Wassermann
f53ee1366d
Create SECURITY.md 2021-09-17 07:57:08 -04:00
Garret Wassermann
fc9002b2ac
Merge pull request #972 from auto-mat/kb-items-dashboard
Don't show kbitems on dashboard if there are no unassigned tickets in…
2021-09-15 17:16:30 -04:00
Timothy Hobbs
247fd2e26d Don't show kbitems on dashboard if there are no unassigned tickets in them 2021-09-14 21:59:25 +02:00
Garret Wassermann
fe17124092
Merge pull request #970 from auto-mat/kb-base-iframe
Kb base iframe - fix query param syntax and wording.
2021-09-14 02:15:54 -04:00
Timothy Hobbs
650665b21e Fix wording of iframe ticket creation buttons 2021-09-13 23:55:49 +02:00
Timothy Hobbs
92caf5f284 Change ; to & when separating query params 2021-09-13 23:42:03 +02:00
Garret Wassermann
00edddbaad Update docs to recommend using django 3.2 LTS 2021-08-20 02:12:55 -04:00
Garret Wassermann
1559333993 Fix some docs and migrations in prep for 0.3 release, see #878 2021-08-20 02:05:21 -04:00
Garret Wassermann
8a40ceeddd
Merge pull request #967 from auto-mat/iframe-defaults-fix
Iframe defaults fix by ensuring queries use ampersands for parameters instead of semicolons
2021-08-19 16:09:35 -04:00
Timothy Hobbs
a9e5cfa52d Fix hidden field query args 2021-08-19 22:00:18 +02:00
Timothy Hobbs
b708b786d4 Add failing test for hidden field query args 2021-08-19 22:00:06 +02:00
Timothy Hobbs
f4b7e899fa Change query arg delimiter from ; to & 2021-08-19 22:00:01 +02:00