Skip to content

V25.12 changes v3 #6057

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ssddanbrown wants to merge 5 commits into
base: development
Choose a base branch
from
+202 −121
Open

V25.12 changes v3 #6057

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6d64262
Revision Diffs: Added filtering post-diff render
ssddanbrown Mar 10, 2026
404e67a
Page Revisions: Added testing coverage to basic diffing
ssddanbrown Mar 10, 2026
6216c89
Packages: Updated PHP package versions
ssddanbrown Mar 10, 2026
6e7cc16
Preferences: Updated return redirect with better origin checks
ssddanbrown Mar 10, 2026
5f5fea7
Deps: Bumped PHP packages before release
ssddanbrown Mar 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions app/Entities/Controllers/PageRevisionController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@
use BookStack\Facades\Activity;
use BookStack\Http\Controller;
use BookStack\Permissions\Permission;
use BookStack\Util\HtmlContentFilter;
use BookStack\Util\HtmlContentFilterConfig;
use BookStack\Util\SimpleListOptions;
use Illuminate\Http\Request;
use Ssddanbrown\HtmlDiff\Diff;
Expand Down Expand Up @@ -101,12 +103,15 @@ public function changes(string $bookSlug, string $pageSlug, int $revisionId)

$prev = $revision->getPreviousRevision();
$prevContent = $prev->html ?? '';
$diff = Diff::excecute($prevContent, $revision->html);

// TODO - Refactor PageContent so we can de-dupe these steps
$rawDiff = Diff::excecute($prevContent, $revision->html);
$filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
$filter = new HtmlContentFilter($filterConfig);
$diff = $filter->filterString($rawDiff);

$page->fill($revision->toArray());
// TODO - Refactor PageContent so we don't need to juggle this
$page->html = $revision->html;
$page->html = (new PageContent($page))->render();
$page->html = '';
$this->setPageTitle(trans('entities.pages_revision_named', ['pageName' => $page->getShortName()]));

return view('pages.revision', [
Expand Down
16 changes: 14 additions & 2 deletions app/Http/Controller.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,14 +167,26 @@ protected function getImageValidationRules(): array

/**
* Redirect to the URL provided in the request as a '_return' parameter.
* Will check that the parameter leads to a URL under the root path of the system.
* Will check that the parameter leads to a URL under the same origin as the application.
*/
protected function redirectToRequest(Request $request): RedirectResponse
{
$basePath = url('/');
$returnUrl = $request->input('_return') ?? $basePath;

if (!str_starts_with($returnUrl, $basePath)) {
// Only allow use of _return on requests where we expect CSRF to be active
// to prevent it potentially being used as an open redirect
$allowedMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
if (!in_array($request->getMethod(), $allowedMethods)) {
return redirect($basePath);
}

$intendedUrl = parse_url($returnUrl);
$baseUrl = parse_url($basePath);
$isSameOrigin = ($intendedUrl['host'] ?? '') === ($baseUrl['host'] ?? '')
&& ($intendedUrl['scheme'] ?? '') === ($baseUrl['scheme'] ?? '')
&& ($intendedUrl['port'] ?? 0) === ($baseUrl['port'] ?? 0);
if (!$isSameOrigin) {
return redirect($basePath);
}

Expand Down
Loading
Loading