
Merge branch 'master' of github.com:wekan/wekan

Lauri Ojansivu пре 4 година
родитељ
комит
38655ee478

+ 3 - 3
.meteor/versions

@@ -1,7 +1,7 @@
 3stack:presence@1.1.2
 accounts-base@1.9.0
 accounts-oauth@1.2.0
-accounts-password@1.7.0
+accounts-password@1.7.1
 aldeed:collection2@2.10.0
 aldeed:collection2-core@1.2.0
 aldeed:schema-deny@1.1.0
@@ -32,7 +32,7 @@ coffeescript-compiler@2.4.1
 cottz:publish-relations@2.0.8
 dburles:collection-helpers@1.1.0
 ddp@1.4.0
-ddp-client@2.4.0
+ddp-client@2.4.1
 ddp-common@1.4.0
 ddp-rate-limiter@1.0.9
 ddp-server@2.3.3
@@ -92,7 +92,7 @@ modern-browsers@0.1.5
 modules@0.16.0
 modules-runtime@0.12.0
 momentjs:moment@2.29.1
-mongo@1.11.0
+mongo@1.11.1
 mongo-decimal@0.1.2
 mongo-dev-server@1.1.0
 mongo-id@1.0.7

+ 22 - 0
CHANGELOG.md

@@ -1,3 +1,25 @@
+# v5.28 2021-05-07 Wekan release
+
+This release adds the following new features:
+
+- [Mermaid Diagram](https://github.com/wekan/wekan/wiki/Mermaid-Diagram).
+  Thanks to xuguotong and xet7.
+
+and adds the following updates:
+
+- Updated dependencies
+  [Part 1](https://github.com/wekan/wekan/commit/521ef8b6dad4f00662f22702331193c16b91b482),
+  [Part 2](https://github.com/wekan/wekan/commit/48255f6f1e4a0caf0be006196f28295d0825eb95),
+  [Part 3](https://github.com/wekan/wekan/commit/a550c255e6c3bd2d609a1a45a213cdae7ab4f74d).
+  Thanks to developers of dependencies.
+
+and fixes the following bugs:
+
+- [Fix: BG color of StartDate](https://github.com/wekan/wekan/pull/3793).
+  Thanks to listenerri.
+
+Thanks to above GitHub users for their contributions and translators for their translations.
+
 # v5.27 2021-04-29 Wekan release
 
 This release fixes the following bugs:

+ 1 - 1
Stackerfile.yml

@@ -1,5 +1,5 @@
 appId: wekan-public/apps/77b94f60-dec9-0136-304e-16ff53095928
-appVersion: "v5.27.0"
+appVersion: "v5.28.0"
 files:
   userUploads:
     - README.md

+ 12 - 8
client/components/activities/activities.js

@@ -1,4 +1,4 @@
-import sanitizeXss from 'xss';
+import DOMPurify from 'dompurify';
 
 const activitiesPerPage = 500;
 
@@ -162,11 +162,15 @@ BlazeComponent.extendComponent({
             {
               href: source.url,
             },
-            sanitizeXss(source.system),
+            DOMPurify.sanitize(source.system, {
+              ALLOW_UNKNOWN_PROTOCOLS: true,
+            }),
           ),
         );
       } else {
-        return sanitizeXss(source.system);
+        return DOMPurify.sanitize(source.system, {
+          ALLOW_UNKNOWN_PROTOCOLS: true,
+        });
       }
     }
     return null;
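Review bot: `ALLOW_UNKNOWN_PROTOCOLS: true` is passed when sanitizing `source.system`, which is used here only as link text, and the removed `sanitizeXss(source.system)` calls had no custom scheme handling, so the option loosens URL-attribute filtering rather than preserving the old behaviour. The attachment hunk below calls `DOMPurify.sanitize(attachment.name())` with no options, and the same plain form would fit here: `DOMPurify.sanitize(source.system)`. The same applies to the `sanitize(value)` helper, `createCardLink` and `createBoardLink` later in this file. Separately, `href: source.url` in the context lines reaches the anchor without any check in this hunk; if that value can come from an import or a user, its scheme probably needs validating first. The enclosing method starts outside the hunk.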
@@ -190,10 +194,10 @@ BlazeComponent.extendComponent({
               href: attachment.url({ download: true }),
               target: '_blank',
             },
-            sanitizeXss(attachment.name()),
+            DOMPurify.sanitize(attachment.name()),
           ),
         )) ||
-      sanitizeXss(this.currentData().activity.attachmentName)
+      DOMPurify.sanitize(this.currentData().activity.attachmentName)
     );
   },
 
@@ -232,7 +236,7 @@ BlazeComponent.extendComponent({
 
 Template.activity.helpers({
   sanitize(value) {
-    return sanitizeXss(value);
+    return DOMPurify.sanitize(value, { ALLOW_UNKNOWN_PROTOCOLS: true });
   },
 });
 
@@ -246,7 +250,7 @@ function createCardLink(card) {
           href: card.originRelativeUrl(),
           class: 'action-card',
         },
-        sanitizeXss(card.title),
+        DOMPurify.sanitize(card.title, { ALLOW_UNKNOWN_PROTOCOLS: true }),
       ),
     )
   );
@@ -263,7 +267,7 @@ function createBoardLink(board, list) {
           href: board.originRelativeUrl(),
           class: 'action-board',
         },
-        sanitizeXss(text),
+        DOMPurify.sanitize(text, { ALLOW_UNKNOWN_PROTOCOLS: true }),
       ),
     )
   );

+ 1 - 1
client/components/cards/cardDate.js

@@ -187,7 +187,7 @@ class CardStartDate extends CardDate {
     // if dueAt or endAt exist & are > startAt, startAt doesn't need to be flagged
     if ((endAt && theDate.isAfter(endAt)) || (dueAt && theDate.isAfter(dueAt)))
       classes += 'long-overdue';
-    else if (theDate.isBefore(now, 'minute')) classes += 'almost-due';
+    else if (theDate.isAfter(now)) classes += '';
     else classes += 'current';
     return classes;
   }
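Review bot: The new branch `else if (theDate.isAfter(now)) classes += '';` appends an empty string, so it exists only to skip the final `else`; the intent reads more directly as a single condition, `else if (!theDate.isAfter(now)) classes += 'current';`. A short comment such as `// a start date in the future gets no highlight class` would record why the future case is left unstyled. The method begins outside the hunk, so how `classes` is initialised is not visible here.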

+ 10 - 3
client/components/main/editor.js

@@ -273,10 +273,12 @@ Template.editor.onRendered(() => {
   }
 });
 
-import sanitizeXss from 'xss';
+import DOMPurify from 'dompurify';
 
 // Additional  safeAttrValue function to allow for other specific protocols
 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
+
+/*
 function mySafeAttrValue(tag, name, value, cssFilter) {
   // only when the tag is 'a' and attribute is 'href'
   // then use your custom function
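Review bot: `mySafeAttrValue` is disabled by wrapping it in `/* ... */` (the closing `*/` is in the next hunk) rather than deleted, and the comment above it still points to the js-xss `safeAttrValue` issue although `xss` is no longer imported. Commented-out sanitizer code is easy to mistake for active filtering; removing the block and replacing the two comment lines with something like `// Custom URL schemes are governed by the DOMPurify options passed in the helper below.` would keep the file accurate. packages/markdown/src/template-integration.js comments out its `urlschemes` list and `mySafeAttrValue` the same way, and adds new `tag === 'svg'` lines inside the already commented block. The `import DOMPurify` line also sits mid-file after `Template.editor.onRendered`; moving it to the top of the file would be more conventional, though the top of the file is outside this hunk.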
@@ -302,6 +304,7 @@ function mySafeAttrValue(tag, name, value, cssFilter) {
     return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
   }
 }
+*/
 
 // XXX I believe we should compute a HTML rendered field on the server that
 // would handle markdown and user mentions. We can simply have two
@@ -317,7 +320,9 @@ Blaze.Template.registerHelper(
     let content = Blaze.toHTML(view.templateContentBlock);
     const currentBoard = Boards.findOne(Session.get('currentBoard'));
     if (!currentBoard)
-      return HTML.Raw(sanitizeXss(content, { safeAttrValue: mySafeAttrValue }));
+      return HTML.Raw(
+        DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true }),
+      );
     const knowedUsers = currentBoard.members.map(member => {
       const u = Users.findOne(member.userId);
       if (u) {
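Review bot: The result of `DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true })` goes straight into `HTML.Raw`, and the option accepts URL schemes DOMPurify does not recognise, where the removed `safeAttrValue: mySafeAttrValue` hook appears to have limited extra schemes to an explicit list (the `urlschemes` array in template-integration.js suggests as much). DOMPurify's documentation marks this option as one to use with care; keeping an allowlist through `ALLOWED_URI_REGEXP`, built from the schemes the project actually wants, would preserve the earlier restriction. The identical call in the next hunk and the one in packages/markdown/src/template-integration.js share the issue, so a single shared options constant, for example `const SANITIZE_OPTIONS = { ALLOWED_URI_REGEXP: allowedSchemes };` with `allowedSchemes` a RegExp built from that list, would keep the three sinks consistent. The helper body starts and ends outside this hunk.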
@@ -361,7 +366,9 @@ Blaze.Template.registerHelper(
       content = content.replace(fullMention, Blaze.toHTML(link));
     }
 
-    return HTML.Raw(sanitizeXss(content, { safeAttrValue: mySafeAttrValue }));
+    return HTML.Raw(
+      DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true }),
+    );
   }),
 );
 

Разлика између датотеке није приказан због своје велике величине
+ 252 - 754
package-lock.json


+ 17 - 54
package.json

@@ -1,35 +1,8 @@
 {
   "name": "wekan",
-  "version": "v5.27.0",
+  "version": "v5.28.0",
   "description": "Open-Source kanban",
   "private": true,
-  "scripts": {
-    "lint": "eslint --cache --ext .js --ignore-path .eslintignore .",
-    "lint:eslint:fix": "eslint --ext .js --ignore-path .eslintignore --fix .",
-    "lint:staged": "lint-staged",
-    "prettify": "prettier --write '**/*.js' '**/*.jsx'",
-    "test": "npm run lint"
-  },
-  "lint-staged": {
-    "*.js": [
-      "meteor npm run prettify",
-      "meteor npm run lint:eslint:fix",
-      "git add --force"
-    ],
-    "*.jsx": [
-      "meteor npm run prettify",
-      "meteor npm run lint:eslint:fix",
-      "git add --force"
-    ],
-    "*.json": [
-      "prettier --write",
-      "git add --force"
-    ]
-  },
-  "pre-commit": "lint:staged",
-  "eslintConfig": {
-    "extends": "@meteorjs/eslint-config-meteor"
-  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/wekan/wekan.git"
@@ -40,43 +13,33 @@
   },
   "homepage": "https://wekan.github.io",
   "devDependencies": {
-    "babel-eslint": "^10.1.0",
-    "eslint": "^5.16.0",
-    "eslint-config-meteor": "0.0.9",
-    "eslint-config-prettier": "^3.6.0",
-    "eslint-import-resolver-meteor": "^0.4.0",
-    "eslint-plugin-import": "^2.20.0",
-    "eslint-plugin-meteor": "^5.1.0",
-    "eslint-plugin-prettier": "^3.1.2",
-    "lint-staged": "^7.3.0",
-    "pre-commit": "^1.2.2",
-    "prettier": "^1.19.1",
-    "prettier-eslint": "^9.0.2"
+    "flatted": "^3.1.1"
   },
   "dependencies": {
-    "@babel/core": "^7.9.6",
-    "@babel/runtime": "^7.9.6",
-    "ajv": "^6.12.4",
+    "@babel/core": "^7.14.0",
+    "@babel/runtime": "^7.14.0",
+    "@liradb2000/markdown-it-mermaid": "^0.4.2",
+    "ajv": "^6.12.6",
     "babel-runtime": "^6.26.0",
-    "bcrypt": "^5.0.0",
-    "bson": "^4.0.3",
-    "bunyan": "^1.8.12",
+    "bcryptjs": "^2.4.3",
+    "bson": "^4.3.0",
+    "bunyan": "^1.8.15",
+    "core-js": "^2.6.12",
+    "dompurify": "^2.2.8",
     "es6-promise": "^4.2.4",
     "exceljs": "^4.2.1",
     "fibers": "^5.0.0",
-    "flatted": "^3.0.4",
     "gridfs-stream": "https://github.com/wekan/gridfs-stream/tarball/master",
     "jszip": "^3.6.0",
-    "ldapjs": "^2.1.1",
-    "markdown-it": "^12.0.2",
+    "ldapjs": "^2.2.4",
+    "markdown-it": "^12.0.6",
     "markdown-it-emoji": "^2.0.0",
     "meteor-node-stubs": "^1.0.3",
-    "mongodb": "^3.6.2",
+    "mongodb": "^3.6.6",
     "os": "^0.1.1",
     "page": "^1.11.5",
-    "papaparse": "^5.2.0",
-    "qs": "^6.9.4",
-    "source-map-support": "^0.5.19",
-    "xss": "^1.0.8"
+    "papaparse": "^5.3.0",
+    "qs": "^6.10.1",
+    "source-map-support": "^0.5.19"
   }
 }
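Review bot: `flatted` moves from `dependencies` to `devDependencies` in this hunk; if any server or client code still requires it at runtime, a production install that omits dev dependencies would fail to resolve it, so the move is worth confirming against its call sites, which are not visible here. `bcrypt` is also replaced by `bcryptjs` rather than updated, which the changelog entry "Updated dependencies" does not mention; hashing cost and compatibility with stored password hashes should be checked before release. The new `@liradb2000/markdown-it-mermaid` and `dompurify` entries use caret ranges, so the version actually installed depends on package-lock.json, whose diff is not shown on this page.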

+ 1 - 1
packages/markdown/src/checkNpmVersions.js

@@ -1,5 +1,5 @@
 import { checkNpmVersions } from 'meteor/tmeasday:check-npm-versions';
 
 checkNpmVersions({
-    'xss': '1.0.8',
+    'dompurify': '2.2.8',
 }, 'my:xss');
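Review bot: The check requires exactly `'2.2.8'` for `dompurify`, while package.json in this commit declares `^2.2.8`. If the installed sanitizer moves to a later patch release, this check would presumably report a mismatch, which works against picking up sanitizer fixes; `'dompurify': '^2.2.8',` would match the manifest.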

+ 10 - 3
packages/markdown/src/template-integration.js

@@ -1,4 +1,5 @@
-import sanitizeXss from 'xss';
+import DOMPurify from 'dompurify';
+
 var Markdown = require('markdown-it')({
   html: true,
   linkify: true,
@@ -6,7 +7,9 @@ var Markdown = require('markdown-it')({
   breaks: true,
 });
 
+import markdownItMermaid from "@liradb2000/markdown-it-mermaid";
 
+/*
 // Static URL Scheme Listing
 var urlschemes = [
   "aodroplink",
@@ -19,7 +22,7 @@ var urlschemes = [
   "mailspring"
 ];
 
-// Better would be a field in the admin backend to set this dynamically 
+// Better would be a field in the admin backend to set this dynamically
 // instead of putting all known or wanted url schemes here hard into code
 // but i was not able to access those settings
 // var urlschemes = currentSetting.automaticLinkedUrlSchemes.split('\n');
@@ -44,14 +47,18 @@ function mySafeAttrValue(tag, name, value, cssFilter) {
       // use the default safeAttrValue function to process all non cbthunderlinks
       return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
     }
+//  } else if (tag === 'svg') {
+//    return `<img src="data:image/svg+xml;base64,` + atob(value) + `"></img>`;
   } else {
     // use the default safeAttrValue function to process it
     return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
   }
 };
+*/
 
 var emoji = require('markdown-it-emoji');
 Markdown.use(emoji);
+Markdown.use(markdownItMermaid);
 
 if (Package.ui) {
   const Template = Package.templating.Template;
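Review bot: `Markdown.use(markdownItMermaid)` registers a renderer whose output is produced from user-written markdown, and with `html: true` set at the top of the file the only filter on the result is the `DOMPurify.sanitize` call in the helper at the end of the file. A comment next to the registration would make that dependency explicit, for example `// Plugin output is untrusted; it is sanitized with DOMPurify before HTML.Raw in the helper below.` It is also worth checking that the diagram markup the plugin emits survives sanitization, since that cannot be seen from this diff. The commented-out function this hunk edits starts outside the hunk.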
@@ -66,6 +73,6 @@ if (Package.ui) {
       text = Blaze._toText(self.templateContentBlock, HTML.TEXTMODE.STRING);
     }
 
-    return HTML.Raw(sanitizeXss(Markdown.render(text), { safeAttrValue: mySafeAttrValue }));
+    return HTML.Raw(DOMPurify.sanitize(Markdown.render(text), {ALLOW_UNKNOWN_PROTOCOLS: true}));
   }));
 }

+ 3 - 3
public/api/wekan.html

@@ -7,7 +7,7 @@
     <meta charset="utf-8">
     <meta content="IE=edge,chrome=1" http-equiv="X-UA-Compatible">
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-    <title>Wekan REST API v5.27</title>
+    <title>Wekan REST API v5.28</title>
 
     <style>
     </style>
@@ -1550,7 +1550,7 @@ var n=this.pipeline.run(e.tokenizer(t)),r=new e.Vector,i=[],o=this._fields.reduc
 	  	<ul class="toc-list-h1">
         
           <li>
-            <a href="#wekan-rest-api" class="toc-h1 toc-link" data-title="Wekan REST API v5.27">Wekan REST API v5.27</a>
+            <a href="#wekan-rest-api" class="toc-h1 toc-link" data-title="Wekan REST API v5.28">Wekan REST API v5.28</a>
             
           </li>
         
@@ -2098,7 +2098,7 @@ var n=this.pipeline.run(e.tokenizer(t)),r=new e.Vector,i=[],o=this._fields.reduc
     <div class="page-wrapper">
       <div class="dark-box"></div>
       <div class="content">
-        <h1 id="wekan-rest-api">Wekan REST API v5.27</h1>
+        <h1 id="wekan-rest-api">Wekan REST API v5.28</h1>
 <blockquote>
 <p>Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.</p>
 </blockquote>

+ 1 - 1
public/api/wekan.yml

@@ -1,7 +1,7 @@
 swagger: '2.0'
 info:
   title: Wekan REST API
-  version: v5.27
+  version: v5.28
   description: |
     The REST API allows you to control and extend Wekan with ease.
 

+ 2 - 2
sandstorm-pkgdef.capnp

@@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
     appTitle = (defaultText = "Wekan"),
     # The name of the app as it is displayed to the user.
 
-    appVersion = 527,
+    appVersion = 528,
     # Increment this for every release.
 
-    appMarketingVersion = (defaultText = "5.27.0~2021-04-29"),
+    appMarketingVersion = (defaultText = "5.28.0~2021-05-07"),
     # Human-readable presentation of the app version.
 
     minUpgradableAppVersion = 0,

+ 1 - 1
snapcraft.yaml

@@ -1,5 +1,5 @@
 name: wekan
-version: '5.27'
+version: '5.28'
 summary: The open-source kanban
 description: |
    Wekan is an open-source and collaborative kanban board application.

Неке датотеке нису приказане због велике количине промена