Add load previous button to DiscussionList

* huntr.dev as first point for security vuln

* add badge for huntr.dev

.gitattributes

@@ -12,5 +12,6 @@ tests export-ignore
 
 js/dist/* -diff
 js/dist/* linguist-generated
+js/dist-typings/* linguist-generated
 
 * text=auto eol=lf

.github/FUNDING.yml

@@ -1,3 +1,2 @@
 github: flarum
 open_collective: flarum
-tidelift: packagist/flarum/core

.github/SECURITY.md

@@ -1,13 +1,13 @@
 # Security Policy
 
-## Supported Versions
+## Versions
 
-We will only patch security vulnerabilities in the stable 1.x release.
+Due to the nature of our project - being open source - we have decided to patch only the latest major release (currently v1.x) for security vulnerabilities.
 
-## Reporting a Vulnerability
+## How to disclose
 
-If you discover a security vulnerability within Flarum, please send an email to security@flarum.org so we can address it promptly.
+Please use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via [this form](https://huntr.dev/bounties/disclose/?target=https://github.com/flarum/core).
 
-We will get back to you as time allows.
-Discussions may commence internally, so you may not hear back immediately.
-When reporting a vulnerability, please provide your GitHub username (if available), so that we can invite you to collaborate on a [security advisory on GitHub](https://help.github.com/en/articles/about-maintainer-security-advisories).
+This will enable us to **review** the vulnerability, **fix** it promptly, and **reward** you for your efforts.
+
+If you have any questions about the process, feel free to reach out to security@huntr.dev or security@flarum.org.

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## [1.0.2](https://github.com/flarum/core/compare/v1.0.1...v1.0.2)
+
+### Fixed
+- Critical XSS vulnerability
+
 ## [1.0.1](https://github.com/flarum/core/compare/v1.0.0...v1.0.1)
 
 ### Fixed

README.md

@@ -5,6 +5,7 @@
 <a href="https://packagist.org/packages/flarum/core"><img src="https://img.shields.io/packagist/dt/flarum/core" alt="Total Downloads"></a>
 <a href="https://packagist.org/packages/flarum/core"><img src="https://img.shields.io/github/v/release/flarum/core?sort=semver" alt="Latest Version"></a>
 <a href="https://packagist.org/packages/flarum/core"><img src="https://img.shields.io/packagist/l/flarum/core" alt="License"></a>
+<a href="https://huntr.dev/bounties/disclose/?target=https://github.com/flarum/core"><img src="https://cdn.huntr.dev/huntr_security_badge_mono.svg" alt="huntr"></a>
 <a href="https://github.styleci.io/repos/28257573"><img src="https://github.styleci.io/repos/28257573/shield?style=flat" alt="StyleCI"></a>
 </p>
 

composer.json

@@ -14,10 +14,26 @@
             "homepage": "https://flarum.org/team"
         }
     ],
+    "funding": [
+        {
+            "type": "opencollective",
+            "url": "https://opencollective.com/flarum"
+        },
+        {
+            "type": "github",
+            "url": "https://github.com/sponsors/flarum"
+        },
+        {
+            "type": "other",
+            "url": "https://flarum.org/donate"
+        }
+    ],
     "support": {
         "issues": "https://github.com/flarum/core/issues",
         "source": "https://github.com/flarum/core",
-        "docs": "https://flarum.org/docs/"
+        "docs": "https://docs.flarum.org",
+        "forum": "https://discuss.flarum.org",
+        "chat": "https://flarum.org/chat"
     },
     "require": {
         "php": ">=7.3",

js/package-lock.json

@@ -7552,9 +7552,9 @@
       "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
     },
     "node_modules/ws": {
-      "version": "7.4.5",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.5.tgz",
-      "integrity": "sha512-xzyu3hFvomRfXKH8vOFMU3OguG6oOvhXMo3xsGy3xWExqaM2dxBbVxuD99O7m3ZUFMvvscsZDqxfgMaRr/Nr1g==",
+      "version": "7.4.6",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.6.tgz",
+      "integrity": "sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==",
       "dev": true,
       "engines": {
         "node": ">=8.3.0"
@@ -13723,9 +13723,9 @@
       "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
     },
     "ws": {
-      "version": "7.4.5",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.5.tgz",
-      "integrity": "sha512-xzyu3hFvomRfXKH8vOFMU3OguG6oOvhXMo3xsGy3xWExqaM2dxBbVxuD99O7m3ZUFMvvscsZDqxfgMaRr/Nr1g==",
+      "version": "7.4.6",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.6.tgz",
+      "integrity": "sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==",
       "dev": true,
       "requires": {}
     },

js/src/common/Translator.tsx

@@ -48,12 +48,23 @@ export default class Translator {
     // future there should be a hook here to inspect the user and change the
     // translation key. This will allow a gender property to determine which
     // translation key is used.
+
     if ('user' in parameters) {
       const user = extract(parameters, 'user');
 
       if (!parameters.username) parameters.username = username(user);
     }
-    return parameters;
+
+    const escapedParameters: TranslatorParameters = {};
+
+    for (const param in parameters) {
+      const paramValue = parameters[param];
+
+      if (typeof paramValue === 'string') escapedParameters[param] = <>{parameters[param]}</>;
+      else escapedParameters[param] = parameters[param];
+    }
+
+    return escapedParameters;
   }
 
   trans(id: string, parameters: TranslatorParameters = {}) {

js/src/forum/components/DiscussionList.js

@@ -41,13 +41,28 @@ export default class DiscussionList extends Component {
 
     return (
       <div className={'DiscussionList' + (state.isSearchResults() ? ' DiscussionList--searchResults' : '')}>
+        {state.hasPrev() && (
+          <div className="DiscussionList-loadPrev">
+            {state.isLoadingPrev() ? (
+              <LoadingIndicator />
+            ) : (
+              <Button className="Button" onclick={state.loadPrev.bind(state)}>
+                {app.translator.trans('core.forum.discussion_list.load_prev_button')}
+              </Button>
+            )}
+          </div>
+        )}
+
         <ul className="DiscussionList-discussions">
           {state.getPages().map((pg) => {
-            return pg.items.map((discussion) => (
-              <li key={discussion.id()} data-id={discussion.id()}>
-                {DiscussionListItem.component({ discussion, params })}
-              </li>
-            ));
+            return [
+              <hr key={`page-${pg.number}`} data-page={pg.number} />,
+              ...pg.items.map((discussion) => (
+                <li key={discussion.id()} data-id={discussion.id()}>
+                  {DiscussionListItem.component({ discussion, params })}
+                </li>
+              )),
+            ];
           })}
         </ul>
         <div className="DiscussionList-loadMore">{loading}</div>

less/forum/DiscussionList.less

@@ -7,8 +7,12 @@
   list-style-type: none;
   position: relative;
 }
-.DiscussionList-loadMore {
+
+.DiscussionList-loadMore, .DiscussionList-loadPrev {
   text-align: center;
+}
+
+.DiscussionList-loadMore {
   margin-top: 10px;
 
   .LoadingIndicator-container {
@@ -16,6 +20,10 @@
   }
 }
 
+.DiscussionList-loadPrev .LoadingIndicator-container {
+  height: 36px;
+}
+
 @media @phone {
   .DiscussionList {
     margin: 0 -15px;

less/forum/NotificationList.less

@@ -136,6 +136,14 @@
     .Avatar--size(24px);
     grid-area: avatar;
   }
+  
+  // Since images don't have baselines, aligning against the baseline won't work.
+  // Instead we need to do some manual hackery to fix then, otherwise they won't
+  // be correctly vertically aligned.
+  img.Avatar {
+    align-self: flex-start;
+    margin-top: -2px;
+  }
 
   &-icon {
     font-size: 14px;

src/Foundation/Application.php

@@ -21,7 +21,7 @@ class Application
      *
      * @var string
      */
-    const VERSION = '1.0.1';
+    const VERSION = '1.0.2';
 
     /**
      * The IoC container for the Flarum application.

src/User/Command/RequestPasswordResetHandler.php

@@ -110,7 +110,7 @@ class RequestPasswordResetHandler
         ];
 
         $body = $this->translator->trans('core.email.reset_password.body', $data);
-        $subject = '['.$data['forum'].'] '.$this->translator->trans('core.email.reset_password.subject');
+        $subject = $this->translator->trans('core.email.reset_password.subject');
 
         $this->queue->push(new SendRawEmailJob($user->email, $subject, $body));
 

src/User/EmailConfirmationMailer.php

@@ -52,7 +52,7 @@ class EmailConfirmationMailer
         $data = $this->getEmailData($event->user, $email);
 
         $body = $this->translator->trans('core.email.confirm_email.body', $data);
-        $subject = '['.$data['forum'].'] '.$this->translator->trans('core.email.confirm_email.subject');
+        $subject = $this->translator->trans('core.email.confirm_email.subject');
 
         $this->queue->push(new SendRawEmailJob($email, $subject, $body));
     }