Pinned post
Welcome the #HedgeDoc account :)
Recent searches
Search options
HedgeDoc 
@hedgedoc@fosstodon.org
#HedgeDoc lets you create real-time collaborative markdown notes. You can try it out by visiting our demo server below!
This account is managed by @sheogorath and http://github.com/hedgedoc/social-media. Don't forget to join our Matrix channel!
- Joined
- Oct 30, 2022
- Website
- https://hedgedoc.org
- Matrix
- https://chat.hedgedoc.org
- Source Code
- https://git.hedgedoc.org
HedgeDoc boosted
boosted
HedgeDoc security issue response time was quite good this time around: Monday evening we got the report and started working on it and today we released the new version. That is a response time of ~48h.
#HedgeDoc #SecurityResponse
We've just released #HedgeDoc 1.10.3 
This release contains a security fix for XSS possibility through malicious SVG uploads
See our security advisory https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-3983-rrqh-mvx5
Read the full changelog on https://hedgedoc.org/releases/1.10.3/
GitHubXSS possibility through malicious SVG uploads## Summary
A malicious SVG file uploaded to HedgeDoc results in the possibility of XSS when opened in a new tab instead of the editor itself. The XSS is possible by exploiting the JSONP capabili...
HedgeDoc boosted
boosted
HedgeDoc boosted
boosted
This episode #OpenSourceSecurity talks to @sheogorath about forking open source projects
It's a lot more complicated than you think it is, and Sheogorath has some first hand experience from one of the most complicated forks I've ever seen in HedgeDoc
It's a fun chat filled with lessons
https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/
Open Source Security · Forking Open Source Projects with SheogorathIf you use GitHub, you probably have “forked” a repo more times than you can count. It’s super common and the ideal way you can interact with a git repository you don’t control. But the idea of forking in open source can have another meaning, a far more interesting meaning. It’s when you take the open source project, and create a new open source project based on the first. It’s not as simple as clicking a button. The process is complicated and is a ton of corner cases.
We've just released #HedgeDoc 1.10.2
This release contains a security fix for users of the SAML Login!
See our security advisory https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gw77-7r3c-4cm3
Read the full changelog on https://hedgedoc.org/releases/1.10.2/
GitHubShared user access via SAML misconfiguration## Summary
A misconfigured SAML authentication method can result in the mapping for multiple users to a common one. This means they all had ownership access to the same notes.
The problem onl...
HedgeDoc boosted
boosted
Over the last couple of evenings, I put together a prototype for editing a @hedgedoc document from Neovim!
This involved forking the rust-socketio crate to add support for Socket.IO 2.x, slightly extending our @ethersync editor plugin, and writing some "connecting glue".
Not quite ready to publish – but would this be interesting/useful for any of you?
EDIT: In the long run, this would support any editor that has a plugin speaking the Ethersync Protocol, see https://ethersync.github.io/ethersync/editor-plugin-dev-guide.html :)
GIF
We've just released #HedgeDoc 1.10.1
This release contains a medium severity security fix for users of the local email/password login!
Read the full changelog on https://hedgedoc.org/releases/1.10.1/
REMEMBER: Deletion of https://demo-archive.hedgedoc.org
As announced in July of last year already, we're deleting the archive of the old demo instance soon. In 2 weeks from now on - so on February 3rd, 2025 - the instance with all its notes and media files will be removed. In case there's anything which you need to backup, do that now. There won't be any way to recover your notes afterward.
The new demo instance is wiped daily, please seek a new place for your notes to live on.
HedgeDoc boosted
boosted
We've just released #HedgeDoc 2 Alpha 3
Read more on https://github.com/hedgedoc/hedgedoc/releases/tag/v2.0.0-alpha.3
GitHubRelease HedgeDoc 2 Alpha 3 · hedgedoc/hedgedoc⚠️ Please note
This release requires at least Node 20.
This release changed the database schema, so unfortunately you can't migrate directly from Alpha 2 to Alpha 3. We'll provide migrations from ...
We've just re-released #HedgeDoc 1.10.0
This release contains a medium severity security fix for users of MySQL/MariaDB!
Please be aware that running HedgeDoc with Node.js 22.7.0 may lead to UTF-8 problems because of a regression in Node.
We recommend using Node 20 for the time being.
Read the full changelog on https://hedgedoc.org/releases/1.10.0/
HedgeDoc - Collaborative markdown editor · HedgeDoc 1.10.0This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use this database.
Continued thread
In conclusion: we re-released #HedgeDoc version 1.10.0 with no adjustments to the HedgeDoc code. The #NodeJS version 22.7.0 was the origin of the issue.
If you run HedgeDoc with an own installation, please make sure you don't use this NodeJS version.
The official container images were adjusted to use Node 20 in the meantime for both 1.9.9 and 1.10.0.
HedgeDoc boosted
boostedWhat will we do today, Brain? The same thing we do everyday, Pinky: Release HedgeDoc 1.10.0.
#HedgeDocLeaks
Continued thread
We suspect it's related to a recent nodejs problem: https://github.com/nodejs/node/issues/54543
This explains some indeterminate behaviour as well as why we saw reports even for 1.9.9.
We are currently working on reverting the recent base-image updates for existing versions as well as preparing a new release for the changes we introduced in 1.10.0
GitHubUTF+8 encodings are broken · Issue #54543 · nodejs/node
Please be aware that we are currently investigating a problem with the fresh #hedgedoc 1.10.0 release after reports of broken notes. We pulled the release, PLEASE DON'T INSTALL IT.
matrix.toYou're invited to talk on MatrixYou're invited to talk on Matrix
HedgeDoc boosted
boosted
Well, maybe that release broke UTF-8.
HedgeDoc boosted
boostedLook at @innaytool developing HedgeDoc 2 on a totally normal setup.
#HedgeDocLeaks
Continued thread
There are news! Good news!
We provide an cleaned up read-only archive of the old demo instance as well as set up a new demo instance which will be wiped on a regular basis.
https://community.hedgedoc.org/t/status-of-the-demo-instance/1634/14
Please go ahead and start migrating your notes to a self-hosted instance. In the upcoming weeks.
HedgeDoc Community · Status of the demo instanceThe demo is back online, but with some restrictions. The database will be wiped (at least) every 24h to prevent that the demo gets used as a share point for illegal content again. We don’t want to receive another DMCA takedown mail again. We had to wipe the database. The old content has been pushed over to demo-archive.hedgedoc.org. Please backup your data because we’re gonna delete the archive in 6 months. Also the creation of new notes in the archive is prohibited. No more E-Mail / OpenID (n...
Sadly we had to suspend the demo instance after abuse.
https://community.hedgedoc.org/t/no-more-anonymous-usage-of-demo-instance/1634/4
Some entity decided to spam and abuse the demo instance for their gains. This is why we can't have nice things.
We hope we can bring the demo instance come back from this. But be ready to migrate to your own instances in the next few weeks.
HedgeDoc Community · No more anonymous usage of demo instanceUnfortunately due to more abuse of the demo instance, we’re forced to temporarily shut down the instance. We’ll keep you informed about any news in this forum thread.
HedgeDoc 's featured hashtags
#hedgedocLast post on Apr 09
28