We've been mostly relying on the third-party XSS cleaner to make sure user-submitted content is clean. This PR fixes up any leftover holes in the BBCode parser that allow XSS vulnerabilities, and as a result, the third-party library isn't needed anymore. It cleans responsibly by first running `htmlspecialchars()` over the content, then sanitizing the untrusted URLs and whitelisting their protocol.
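As an added illustration of the two-step order described above (escape everything first, then expand only links whose scheme passes a whitelist), not the project's own parser: the function names, the `[url=...]...[/url]` syntax and the sample input are assumptions.

```php
<?php
// Added illustration, not the project's own parser. Function names are hypothetical.
declare(strict_types=1);

// Only these schemes may appear in an href built from user input.
const ALLOWED_URL_SCHEMES = ['http', 'https'];

// Return the URL if its scheme is whitelisted, otherwise ''. Both "javascript:alert(1)"
// (disallowed scheme) and "//evil" (no scheme at all) are rejected here.
function sanitizeUrl(string $url): string
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ALLOWED_URL_SCHEMES, true)) {
        return '';
    }
    return trim($url);
}

// Step 1: escape the whole input, so raw content can never open an HTML tag.
// Step 2: expand [url=...]...[/url] only with a URL that passed sanitizeUrl().
function renderBbcode(string $content): string
{
    $flags   = ENT_QUOTES | ENT_HTML5;
    $escaped = htmlspecialchars($content, $flags, 'UTF-8');

    return preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        static function (array $m) use ($flags): string {
            // The captured URL was entity-encoded by step 1 ("&" is now "&amp;");
            // decode it for the scheme check, then re-escape it for the attribute.
            $href = sanitizeUrl(html_entity_decode($m[1], $flags, 'UTF-8'));
            if ($href === '') {
                return $m[2]; // link dropped, escaped link text kept
            }
            return '<a href="' . htmlspecialchars($href, $flags, 'UTF-8') . '">' . $m[2] . '</a>';
        },
        $escaped
    );
}

// Constructed sample input: one hostile link, one raw HTML tag, one ordinary link.
echo renderBbcode('[url=javascript:alert(1)]click[/url] <b>x</b> [url=https://example.com/?a=1&b=2]ok[/url]'), PHP_EOL;
```

The hostile link is reduced to its text, the raw `<b>` tag is emitted as entities, and the ordinary link keeps its query string with `&` re-encoded as `&amp;` inside the attribute.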
- GitHub Action updated with new ruleset in pint.json
- Codebase linted with new ruleset
- Contributors can now run `./vendor/bin/pint`
- Action workflow will auto-correct any lint issues upon commit/opened pull request
- Fixes Vue.js vulnerability due to v-html directive
- If not using git:updater you must run the following commands:
`composer update && php artisan clear:all`
Sometimes emojis would randomly not render due to VueJS being reactive,
and during DOM updates it would just cause it to be wacky!
By parsing the emojis server side before VueJS renders the DOM, we now
solve this issue.
This is an "Alpha" commit. It's meant for Alpha testing. Features are
still being developed.
Please note, you must set up at least a FREE account with Pusher and set
the corresponding fields in your `.env` file.
In the coming commits I will be introducing a fallback so that once the
FREE Pusher DAILY limits are reached, it will fall back to traditional
database polling every 3 seconds to get new messages.
There are still features that need to be added:
1. Emojis
2. Statuses
3. User Tagging
4. Users List
5. Delete own messages, and staff moderation
and more ...