Update to v26.03.4

.env.example

@@ -26,6 +26,13 @@ DB_DATABASE=database_database
 DB_USERNAME=database_username
 DB_PASSWORD=database_user_password
 
+# Storage system to use
+# By default files are stored on the local filesystem, with images being placed in
+# public web space so they can be efficiently served directly by the web-server.
+# For other options with different security levels & considerations, refer to:
+# https://www.bookstackapp.com/docs/admin/upload-config/
+STORAGE_TYPE=local
+
 # Mail system to use
 # Can be 'smtp' or 'sendmail'
 MAIL_DRIVER=smtp

.env.example.complete

@@ -36,10 +36,14 @@ APP_LANG=en
 # APP_LANG will be used if such a header is not provided.
 APP_AUTO_LANG_PUBLIC=true
 
-# Application timezone
-# Used where dates are displayed such as on exported content.
+# Application timezones
+# The first option is used to determine what timezone is used for date storage.
+# Leaving that as "UTC" is advised.
+# The second option is used to set the timezone which will be used for date
+# formatting and display. This defaults to the "APP_TIMEZONE" value.
 # Valid timezone values can be found here: https://www.php.net/manual/en/timezones.php
 APP_TIMEZONE=UTC
+APP_DISPLAY_TIMEZONE=UTC
 
 # Application theme
 # Used to specific a themes/<APP_THEME> folder where BookStack UI
@@ -347,10 +351,25 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow <script> tags in page content
+# Allow JavaScript, and other potentiall dangerous content in page content.
+# This also removes CSP-level JavaScript control.
 # Note, if set to 'true' the page editor may still escape scripts.
+# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
+# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
+# Control the behaviour of content filtering, primarily used for page content.
+# This setting is a string of characters which represent different available filters:
+# - j - Filter out JavaScript and unknown binary data based content
+# - h - Filter out unexpected, and potentially dangerous, HTML elements
+# - f - Filter out unexpected form elements
+# - a - Run content through a more complex allowlist filter
+# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
+# to ensure you are always using the full range of filters.
+APP_CONTENT_FILTERING="jfha"
+
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.
@@ -376,6 +395,19 @@ ALLOWED_IFRAME_HOSTS=null
 # Current host and source for the "DRAWIO" setting will be auto-appended to the sources configured.
 ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com"
 
+# A list of sources/hostnames that can be loaded as CSS styles within BookStack.
+# Space separated if multiple. BookStack host domain is auto-inferred.
+# Defaults to a permissive set if not provided.
+# Example: ALLOWED_STYLE_SOURCES="https://fonts.googleapis.com"
+ALLOWED_STYLE_SOURCES=null
+
+# A list of sources/hostnames that can be loaded as image content within BookStack.
+# Space separated if multiple. BookStack host domain is auto-inferred, in addition to
+# data and blob images, due to their use for various functionality.
+# Defaults to a permissive set if not provided.
+# Example: ALLOWED_IMAGE_SOURCES="https://images.example.com"
+ALLOWED_IMAGE_SOURCES=null
+
 # A list of the sources/hostnames that can be reached by application SSR calls.
 # This is used wherever users can provide URLs/hosts in-platform, like for webhooks.
 # Host-specific functionality (usually controlled via other options) like auth

.forgejo/CODE_OF_CONDUCT.md

@@ -0,0 +1,2 @@
+Please find our community rules on our website here:
+https://www.bookstackapp.com/about/community-rules/

.forgejo/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: [ssddanbrown]
+ko_fi: ssddanbrown

.github/ISSUE_TEMPLATE/api_request.yml → .forgejo/ISSUE_TEMPLATE/api_request.yml

@@ -1,6 +1,6 @@
 name: New API Endpoint or API Ability
 description: Request a new endpoint or API feature be added
-labels: [":nut_and_bolt: API Request"]
+labels: ["Type/API Request"]
 body:
   - type: textarea
     id: feature

.github/ISSUE_TEMPLATE/bug_report.yml → .forgejo/ISSUE_TEMPLATE/bug_report.yml

@@ -1,6 +1,6 @@
 name: Bug Report
 description: Create a report to help us fix bugs & issues in existing supported functionality
-labels: [":bug: Bug"]
+labels: ["Type/Bug Report"]
 body:
   - type: markdown
     attributes:

.forgejo/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,13 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Community Forum Support
+    url: https://community.bookstackapp.com
+    about: Get support by talking with the BookStack team & community.
+
+  - name: Debugging & Common Issues
+    url: https://www.bookstackapp.com/docs/admin/debugging/
+    about: Find details on how to debug issues and view common issues with their resolutions.
+
+  - name: Official Support Plans
+    url: https://www.bookstackapp.com/support/
+    about: View our official support plans that offer assured support for business.

.github/ISSUE_TEMPLATE/feature_request.yml → .forgejo/ISSUE_TEMPLATE/feature_request.yml

@@ -1,6 +1,6 @@
 name: Feature Request
 description: Request a new feature or idea to be added to BookStack
-labels: [":hammer: Feature Request"]
+labels: ["Type/Feature Request"]
 body:
   - type: textarea
     id: description
@@ -33,7 +33,7 @@ body:
     attributes:
       label: Have you searched for an existing open/closed issue?
       description: |
-        To help us keep these issues under control, please ensure you have first [searched our issue list](https://github.com/BookStackApp/BookStack/issues?q=is%3Aissue) for any existing issues that cover the fundamental benefit/goal of your request.
+        To help us keep these issues under control, please ensure you have first [searched our issue list](https://codeberg.org/bookstack/bookstack/issues) for any existing issues that cover the fundamental benefit/goal of your request.
       options:
         - label: I have searched for existing issues and none cover my fundamental request
           required: true
@@ -56,3 +56,13 @@ body:
       description: Add any other context or screenshots about the feature request here.
     validations:
       required: false
+  - type: checkboxes
+    id: ai-thoughts
+    attributes:
+      label: Have you used generative AI/LLMs to create any thoughts in this request?
+      description: |
+        We ask that no machine generated thoughts or ideas are provided, to avoid us spending time considering the ideas
+        of a machine instead of a human. Further guidance on this can be found [in the BookStack community rules](https://www.bookstackapp.com/about/community-rules/#use-of-llmsai).
+      options:
+        - label: This request only contains the thoughts & ideas of a human
+          required: true

.github/ISSUE_TEMPLATE/language_request.yml → .forgejo/ISSUE_TEMPLATE/language_request.yml

@@ -1,6 +1,6 @@
 name: Language Request
 description: Request a new language to be added to Crowdin for you to translate
-labels: [":earth_africa: Translations"]
+labels: ["Focus: Translations"]
 assignees:
   - ssddanbrown
 body:

.github/ISSUE_TEMPLATE/support_request.yml → .forgejo/ISSUE_TEMPLATE/support_request.yml

@@ -1,6 +1,6 @@
 name: Support Request
 description: Request support for a specific problem you have not been able to solve yourself
-labels: [":dog2: Support"]
+labels: ["Type/Support"]
 body:
   - type: checkboxes
     id: useddocs
@@ -15,11 +15,11 @@ body:
   - type: checkboxes
     id: searchissue
     attributes:
-      label: Searched GitHub Issues
+      label: Searched Existing Issues
       description: |
-        I have searched for the issue and potential resolutions within the [project's GitHub issue list](https://github.com/BookStackApp/BookStack/issues)
+        I have searched for the issue and potential resolutions within the [project's issue list](https://codeberg.org/bookstack/bookstack/issues)
       options:
-        - label: I have searched GitHub for the issue.
+        - label: I have searched for the issue.
           required: true
   - type: textarea
     id: scenario

.github/SECURITY.md → .forgejo/SECURITY.md

@@ -2,7 +2,7 @@
 
 ## Supported Versions
 
-Only the [latest version](https://github.com/BookStackApp/BookStack/releases) of BookStack is supported.
+Only the [latest version](https://codeberg.org/bookstack/bookstack/releases) of BookStack is supported.
 We generally don't support older versions of BookStack due to maintenance effort and
 since we aim to provide a fairly stable upgrade path for new versions.
 
@@ -12,16 +12,14 @@ If you'd like to be notified of new potential security concerns you can [sign-up
 
 ## Reporting a Vulnerability
 
-If you've found an issue that likely has no impact to existing users (For example, in a development-only branch)
-feel free to raise it via a standard GitHub bug report issue.
+If you've found an issue that likely has no impact to existing users (For example, an issue only in the development branch)
+feel free to raise it via a standard Codeberg bug report issue.
 
 If the issue could have a security impact to BookStack instances, 
-please directly contact the lead maintainer [@ssddanbrown](https://github.com/ssddanbrown). 
-You will need to log in to be able to see the email address on the [GitHub profile page](https://github.com/ssddanbrown).
-Alternatively you can send a DM via Mastodon to [@danb@fosstodon.org](https://fosstodon.org/@danb).
+please directly contact the lead maintainer via email Dan Brown using the [details found here](https://www.bookstackapp.com/links/contact/).
 
 Please be patient while the vulnerability is being reviewed. Deploying the fix to address the vulnerability
 can often take a little time due to the amount of preparation required, to ensure the vulnerability has
 been covered, and to create the content required to adequately notify the user-base.
 
-Thank you for keeping BookStack instances safe!
+Thank you for keeping BookStack instances safe!

.forgejo/pull_request_template.md

@@ -0,0 +1,11 @@
+## Details
+
+<!-- Write details of your pull request in here -->
+<!-- Include references to any relevant issues/discussions -->
+
+## Checklist
+
+<!-- Put an 'x' in between the brackets below to confirm these elements -->
+
+- [ ] I have read the [BookStack community rules](https://www.bookstackapp.com/about/community-rules/).
+- [ ] This PR does not feature significant use of LLM/AI generation as per the community rules above.

.github/workflows/analyse-php.yml → .forgejo/workflows/analyse-php.yml

@@ -1,6 +1,7 @@
 name: analyse-php
 
 on:
+  workflow_dispatch:
   push:
     paths:
       - '**.php'
@@ -11,14 +12,16 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-24.04
+    runs-on: docker
+    container:
+      image: docker.io/library/node:24-trixie
     steps:
-    - uses: actions/checkout@v4
+    - uses: https://code.forgejo.org/actions/checkout@v6
 
     - name: Setup PHP
-      uses: shivammathur/setup-php@v2
+      uses: https://github.com/shivammathur/setup-php@v2
       with:
-        php-version: 8.3
+        php-version: 8.5
         extensions: gd, mbstring, json, curl, xml, mysql, ldap
 
     - name: Get Composer Cache Directory
@@ -27,14 +30,16 @@ jobs:
         echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
     - name: Cache composer packages
-      uses: actions/cache@v4
+      uses: https://code.forgejo.org/actions/cache@v5
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
-        key: ${{ runner.os }}-composer-8.3
+        key: ${{ runner.os }}-composer-8.5
         restore-keys: ${{ runner.os }}-composer-
 
     - name: Install composer dependencies
       run: composer install --prefer-dist --no-interaction --ansi
+      env:
+        COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.GH_TOKEN }}"}}'
 
     - name: Run static analysis check
       run: composer check-static

.github/workflows/lint-js.yml → .forgejo/workflows/lint-js.yml

@@ -1,6 +1,7 @@
 name: lint-js
 
 on:
+  workflow_dispatch:
   push:
     paths:
       - '**.js'
@@ -13,9 +14,11 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-24.04
+    runs-on: docker
+    container:
+      image: docker.io/library/node:24-trixie
     steps:
-    - uses: actions/checkout@v4
+    - uses: https://code.forgejo.org/actions/checkout@v6
 
     - name: Install NPM deps
       run: npm ci

.github/workflows/lint-php.yml → .forgejo/workflows/lint-php.yml

@@ -1,6 +1,7 @@
 name: lint-php
 
 on:
+  workflow_dispatch:
   push:
     paths:
       - '**.php'
@@ -11,14 +12,16 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-24.04
+    runs-on: docker
+    container:
+      image: docker.io/library/node:24-trixie
     steps:
-    - uses: actions/checkout@v4
+    - uses: https://code.forgejo.org/actions/checkout@v6
 
     - name: Setup PHP
-      uses: shivammathur/setup-php@v2
+      uses: https://github.com/shivammathur/setup-php@v2
       with:
-        php-version: 8.3
+        php-version: 8.5
         tools: phpcs
 
     - name: Run formatting check

.forgejo/workflows/sync-translations.yml

@@ -0,0 +1,33 @@
+name: Crowdin Action
+
+on:
+  push:
+    branches: [ development ]
+    paths:
+      - 'lang/**.php'
+  schedule:
+    - cron: '30 4 * * *'
+  workflow_dispatch:
+
+jobs:
+  synchronize-with-crowdin:
+    runs-on: docker
+    container:
+      image: docker.io/library/node:24-trixie
+
+    steps:
+      - name: Checkout
+        uses: https://code.forgejo.org/actions/checkout@v6
+
+      - name: crowdin action
+        uses: https://github.com/crowdin/github-action@v2
+        with:
+          upload_sources: true
+          upload_translations: false
+          download_translations: true
+          localization_branch_name: l10n_development
+          create_pull_request: false
+          github_base_url: codeberg.org
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}

.github/workflows/test-js.yml → .forgejo/workflows/test-js.yml

@@ -1,6 +1,7 @@
 name: test-js
 
 on:
+  workflow_dispatch:
   push:
     paths:
       - '**.js'
@@ -15,9 +16,11 @@ on:
 jobs:
   build:
     if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-24.04
+    runs-on: docker
+    container:
+      image: docker.io/library/node:24-trixie
     steps:
-    - uses: actions/checkout@v4
+    - uses: https://code.forgejo.org/actions/checkout@v6
 
     - name: Install NPM deps
       run: npm ci
@@ -26,4 +29,4 @@ jobs:
       run: npm run ts:lint
 
     - name: Run JavaScript tests
-      run: npm run test
+      run: npm run test:ci