I suggest removing zxcvbn since it's causing serious issues on windows computers making it impossible to compile or use TypeScript.

"C:\Program Files\nodejs\node.exe" C:\Users\itsme\AppData\Roaming\npm\node_modules\npm\bin\npm-cli.js install --scripts-prepend-node-path=auto
npm ERR! code 1
npm ERR! git dep preparation failed
npm ERR! command C:\Program Files\nodejs\node.exe C:\Users\itsme\AppData\Roaming\npm\node_modules\npm\bin\npm-cli.js install --force --cache=C:\Users\itsme\AppData\Local\npm-cache --prefer-offline=false --prefer-online=false --offline=false --no-progress --no-sa
ve --no-audit --include=dev --include=peer --include=optional --no-package-lock-only --no-dry-run
npm ERR! > @woltlab/[email protected] prepublish
npm ERR! > npm run build
npm ERR!
npm ERR!
npm ERR! > @woltlab/[email protected] build
npm ERR! > npm run build-lib ; npm run build-dist
npm ERR!
npm ERR!
npm ERR! > @woltlab/[email protected] build-lib
npm ERR! > coffee -o lib --compile --bare --map src/*.coffee ";" "npm" "run" "build-dist"
npm ERR! npm WARN using --force Recommended protections disabled.
npm ERR! 
[2021-11-04T17_56_32_894Z-debug.log](https://github.com/WoltLab/WCF/files/7477381/2021-11-04T17_56_32_894Z-debug.log)
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm ERR! npm WARN deprecated [email protected]: Please use 'foreachasync' instead. See https://www.npmjs.com/package/foreachasync
npm ERR! npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm ERR! npm WARN deprecated [email protected]: The sprintf package is deprecated in favor of sprintf-js.
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm ERR! npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm ERR! npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm ERR! npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm ERR! npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgr
ade at this time, paid support is available for older versions (hapi.im/commercial).
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade a
t this time, paid support is available for older versions (hapi.im/commercial).
npm ERR! npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm ERR! npm WARN deprecated [email protected]: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm ERR! npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm ERR! npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade a
t this time, paid support is available for older versions (hapi.im/commercial).
npm ERR! npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm ERR! npm WARN deprecated [email protected]: Use uuid module instead
npm ERR! npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm ERR! npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm ERR! npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm ERR! npm WARN deprecated [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm ERR! npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm ERR! npm WARN deprecated   npm i nyc
npm ERR! npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm ERR! npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm ERR! npm WARN deprecated   npm i nyc
npm ERR! npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm ERR! npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm ERR! npm WARN deprecated   npm i nyc
npm ERR! npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm ERR! npm WARN deprecated [email protected]: Version no longer supported. Upgrade to @latest
npm ERR! npm WARN deprecated [email protected]: connect 2.x series is deprecated
npm ERR! npm WARN using --force Recommended protections disabled.
npm ERR! npm WARN using --force Recommended protections disabled.
npm ERR! npm WARN using --force Recommended protections disabled.
npm ERR! npm WARN using --force Recommended protections disabled.
npm ERR! File not found: C:\Users\itsme\AppData\Local\npm-cache\_cacache\tmp\git-cloneOLv1ro\src\*.coffee
npm ERR! npm ERR! code 1
npm ERR! npm ERR! path C:\Users\itsme\AppData\Local\npm-cache\_cacache\tmp\git-cloneOLv1ro
npm ERR! npm ERR! command failed
npm ERR! npm ERR! command C:\WINDOWS\system32\cmd.exe /d /s /c npm run build
npm ERR!
npm ERR! npm ERR! A complete log of this run can be found in:
npm ERR! npm ERR!     C:\Users\itsme\AppData\Local\npm-cache\_logs\2021-11-04T17_56_30_119Z-debug.log

npm ERR! A complete log of this run can
 be found in:
npm ERR!     C:\Users\itsme\AppData\Local\npm-cache\_logs\2021-11-04T17_56_32_894Z-debug.log

Process finished with exit code 1

Evaluate options to combat spam even more, including but not limited to external services such as StopForumSpam. Whatever solution(s) we pick, they must be legal beyond doubt (GDPR/privacy shield) and should not require awkward contracts to be signed by each site owner.

ref https://community.woltlab.com/thread/264735-spam-problems/

at the moment the value of the password-field is set to the clear password string of the stored data for the edited packageserver this is risky in case you have more than one user accessing the packageserver list

please also patch this for WCF 2.2

Ref #2773

Dunno, if this is the expected behavior, but imho this should be improved:

1. When overriding the application of a page, the page is still listed under it's initial application instead of the "new" one:

2. Individual URLs are ignored within menu items when overriding the application. Let's take the example above:

The individual URL is "impressum". When not overriding the application, the menu item is linked to /index.php?impressum/

When overriding the application, the menu item is linked to /blog/index.php?legal-notice.

I'd suggest wrapping the whole JS (or at least WCF.js and WCF.Acp.js) into a closure with jQuery passed as a argument:

(function ($) {

})(jQuery);

Otherwise the whole board could be bricked with a Prototype or any other JS-Framework as one could no longer use the ACP. That way we can ensure that the minimum JS will stay working.

This is a meta issue and affects other repositories too.

• [ ] Implement lazy loading via the loading="lazy" attribute for <img>.
• [ ] Set loading="eager" to hint images that are known to be required to be loaded immediately.
• [ ] Be careful not to break backwards compatibility for code that relies on images being loaded right away. When in doubt, do not making any change.
• [ ] Check other repositories for images that are affected too.

See https://community.woltlab.com/thread/281830-native-lazy-loading/

We need a check whether the package webp is installed on the server when using ImageMagick:

Fri, 12 Mar 2021 18:54:56 +0000
Message: delegate failed `'cwebp' -quiet %Q '%i' -o '%o'' @ error/delegate.c/InvokeDelegate/1949
PHP version: 8.0.3
WoltLab Suite version: 5.4.0 Alpha 1
Request URI: POST /index.php?ajax-upload/&t=
Referrer: /avatar-edit/
User Agent: n/a
Peak Memory Usage: 4657616/0
======
Error Class: ImagickException
Error Message: delegate failed `'cwebp' -quiet %Q '%i' -o '%o'' @ error/delegate.c/InvokeDelegate/1949
Error Code: 415
File: /lib/system/image/adapter/ImagickImageAdapter.class.php (519)
Extra Information: -
Stack Trace: [{"file":"\/lib\/system\/image\/adapter\/ImagickImageAdapter.class.php","line":519,"function":"writeimages","class":"Imagick","type":"->","args":[]},{"file":"\/lib\/system\/image\/adapter\/ImageAdapter.class.php","line":419,"function":"saveImageAs","class":"wcf\\system\\image\\adapter\\ImagickImageAdapter","type":"->","args":[]},{"file":"\/lib\/data\/user\/avatar\/UserAvatarEditor.class.php","line":148,"function":"saveImageAs","class":"wcf\\system\\image\\adapter\\ImageAdapter","type":"->","args":[]},{"file":"\/lib\/system\/upload\/AvatarUploadFileSaveStrategy.class.php","line":120,"function":"createAvatarVariant","class":"wcf\\data\\user\\avatar\\UserAvatarEditor","type":"->","args":[]},{"file":"\/lib\/system\/upload\/UploadHandler.class.php","line":132,"function":"save","class":"wcf\\system\\upload\\AvatarUploadFileSaveStrategy","type":"->","args":[]},{"file":"\/lib\/data\/user\/avatar\/UserAvatarAction.class.php","line":87,"function":"saveFiles","class":"wcf\\system\\upload\\UploadHandler","type":"->","args":[]},{"file":"\/lib\/data\/AbstractDatabaseObjectAction.class.php","line":216,"function":"upload","class":"wcf\\data\\user\\avatar\\UserAvatarAction","type":"->","args":[]},{"file":"\/lib\/action\/AJAXProxyAction.class.php","line":86,"function":"executeAction","class":"wcf\\data\\AbstractDatabaseObjectAction","type":"->","args":[]},{"file":"\/lib\/action\/AJAXInvokeAction.class.php","line":102,"function":"invoke","class":"wcf\\action\\AJAXProxyAction","type":"->","args":[]},{"file":"\/lib\/action\/AbstractAction.class.php","line":53,"function":"execute","class":"wcf\\action\\AJAXInvokeAction","type":"->","args":[]},{"file":"\/lib\/action\/AJAXInvokeAction.class.php","line":65,"function":"__run","class":"wcf\\action\\AbstractAction","type":"->","args":[]},{"file":"\/lib\/system\/request\/Request.class.php","line":89,"function":"__run","class":"wcf\\action\\AJAXInvokeAction","type":"->","args":[]},{"file":"\/lib\/system\/request\/RequestHandler.class.php","line":119,"function":"execute","class":"wcf\\system\\request\\Request","type":"->","args":[]},{"file":"\/index.php","line":11,"function":"handle","class":"wcf\\system\\request\\RequestHandler","type":"->","args":[]}]

Multi domain setups have been semi supported for quite some time, but they are a constant source of issues while bringing little to no value to the table. CORS is the most prominent case for added complexity to support these setups, this also applies to the crippled localStorage to some extent. This indirectly also causes the app domain management to be overly complex, instead of providing a simple interface with proper safeguards against misconfigurations.

This change does not impact the ability to assign cookies to the domain apex.

Proposed roadmap:

• 5.4: Deprecate multi domain setups and add a warning if such a setup is found.
• 5.5: Remove the support for multi domain setups.

Resulting CSS compiles down to something like:

@font-face{font-family:'Slackey';font-style:normal;font-weight:400;src:local('Slackey Regular'), local('Slackey-Regular'), url("../font/getFont.php?family=Slackey&filename=Slackey-Regular.woff2") format('woff2')}

Blocked on #3447, will be a draft PR until #3447 is merged.

Resolves #3394

Hey, if you want to update a cronjob when you update a package, it will allways create a new one. Same, if you want to add a second cronjob during an update and edit nothing in the existing one.

Two potential security threats I noticed while working with WBB and by extension WCF:

• User passwords are hashed with sha1 by default: even though a salt is used, sha1 is almost as fast as md5 to calculate these days, a slower hashing algorithm (ie blowfish) would be a better option to mitigate the risk of possible brute force attacks over the passwords, should the database of a WCF application be compromised. See: http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
• sessionIDs are stored "as is" in cookies, meaning that in the event the database is compromised, an attacker only has to copy-paste the sessionID found in the database into a fake cookie and be logged in — which in effect is the equivalent of storing user passwords in plain text.

The risk may seem minor, since the attacker would have to break into the database first, but I believe these points are still worth looking into. I would fix them myself but I don't really have time at the moment.

Using the following additional search parameter field:

<select name="fooCategoryIDs" id="fooCategoryIDs" multiple>
    <option value="1">1</option>
    <option value="2">2</option>
    <option value="3">3</option>
</select>

Select 1, 2, 3. Expectation: The request contains a comma-separated list of the values or an array containing the selected values. Current behavior: The request contains only the last value (of the list => 3), which means the submitted data is unreliable.

The change processes the form data before using it. In case one parameter-key appears more than once, the value is translated to an Array<string> instead of overriding the string-value every time the key appears:

The method attempts a partial reinitialization of the tab menu, but fails to reset the internal state. Furthermore, the init() method does not initialize new tab menu containers, because the responsible part of the code will not run when oldTabs is present.

Related to https://www.woltlab.com/community/thread/298349/

The update of icons.json is still missing, because it's not yet clear to me how it was generated in the first place. It might also need some fixes:

• [x] icons.json currently contains brand icons, but the FontAwesomeIcon class is unable to handle those. The brand icons should likely be dropped.
• [x] icons.json is only used in PHP, it might make sense to not store it as JSON then, but instead as a file that can simply be require()d.

Hi,

JS/TS module WoltLabSuite/Core/Ui/Dialog uses ResizeObserver and property ResizeObserverEntry.contentBoxSize in its callback. This property is supported by normal browsers for few years, but Safari (Mac, iOS) supports it since version 15.4, which was released only this year (2022-03-15).

As result, the dialogs don't show the buttons (like "submit" or "cancel") at all on Safari below 15.4. It would be great, if it falls back to ResizeObserverEntry.contentRect instead, please. There is an example saying that it's feasible.

Additionally, ResizeObserver is available on Safari 13.1 and Safari for iOS 13.4. Hence on old 'vintage' mobile devices it's not possible to open the main menu and none of the dialogs even show up. Is it possible to make use of ResizeObserver optional in these cases, so old 'vintage' clients can use WCF-powered websites with known limitations?

Thank you.

The description says:

The image must be placed inside the directory wcf/icon/ or use a FontAwesome icon.

But this doesn't seem to work. Or does it require a specific format, like SVG?

    This one appears to be correct, but does not belong in this PR, because this is not PHPDoc.

There might also be some bug lurking here, because the $icon is not invalidated when the value changes. Perhaps the property should be removed entirely.

Originally posted by @TimWolla in https://github.com/WoltLab/WCF/pull/5156#discussion_r1039299951