v0.13.5-cryptowarning.2

Thanks to walle303 for letting us know these weren't being checked.

CHANGELOG.md

@@ -1,3 +1,51 @@
+Changes in [0.13.5-cryptowarning.2](https://github.com/vector-im/riot-web/releases/tag/v0.13.5-cryptowarning.2) (2018-03-26)
+============================================================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.5-cryptowarning.1...v0.13.5-cryptowarning.2)
+
+ * Fix strings file
+
+Changes in [0.13.5-cryptowarning.1](https://github.com/vector-im/riot-web/releases/tag/v0.13.5-cryptowarning.1) (2018-03-26)
+============================================================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.5...v0.13.5-cryptowarning.1)
+
+ * Disable e2e crypto with a big warning if the database schema is newer than we expect.
+
+Changes in [0.13.5](https://github.com/vector-im/riot-web/releases/tag/v0.13.5) (2018-02-09)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.4...v0.13.5)
+
+ * SECURITY UPDATE: Sanitise URLs from 'external_url'. Thanks to walle303 for contacting
+   us about this vulnerability.
+
+Changes in [0.13.4](https://github.com/vector-im/riot-web/releases/tag/v0.13.4) (2018-01-03)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.3...v0.13.4)
+
+ * Change config of riot.im electron build to fix some widgets not working. This only affects
+   electron builds using the riot.im config - for all other builds, this is identical to
+   v0.13.3.
+
+Changes in [0.13.3](https://github.com/vector-im/riot-web/releases/tag/v0.13.3) (2017-12-04)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.2...v0.13.3)
+
+ * Bump js-sdk, react-sdk version to pull in fix for [setting room publicity in a group](https://github.com/matrix-org/matrix-js-sdk/commit/aa3201ebb0fff5af2fb733080aa65ed1f7213de6).
+
+Changes in [0.13.2](https://github.com/vector-im/riot-web/releases/tag/v0.13.2) (2017-11-28)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.1...v0.13.2)
+
+
+Changes in [0.13.1](https://github.com/vector-im/riot-web/releases/tag/v0.13.1) (2017-11-17)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.0...v0.13.1)
+
+ * SECURITY UPDATE: Fix the force TURN option for inbound calls. This option forced the use
+   of TURN but only worked for outbound calls and not inbound calls. This means that if you
+   enabled this option expecting it to mask your IP address in calls, your IP would still
+   have been revealed to the room if you accepted an incoming call.
+ * Also adds the Slovak translation.
+
 Changes in [0.13.0](https://github.com/vector-im/riot-web/releases/tag/v0.13.0) (2017-11-15)
 ============================================================================================
 [Full Changelog](https://github.com/vector-im/riot-web/compare/v0.13.0-rc.3...v0.13.0)

electron_app/package.json

@@ -2,7 +2,7 @@
   "name": "riot-web",
   "productName": "Riot",
   "main": "src/electron-main.js",
-  "version": "0.13.0",
+  "version": "0.13.5-cryptowarning.2",
   "description": "A feature-rich client for Matrix.org",
   "author": "Vector Creations Ltd.",
   "dependencies": {

electron_app/riot.im/config.json

@@ -5,6 +5,10 @@
     "brand": "Riot",
     "integrations_ui_url": "https://scalar.vector.im/",
     "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar-staging.riot.im/scalar/api",
+        "https://scalar.vector.im/api"
+    ],
     "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
     "welcomeUserId": "@riot-bot:matrix.org",
     "roomDirectory": {

package.json

@@ -2,7 +2,7 @@
   "name": "riot-web",
   "productName": "Riot",
   "main": "electron_app/src/electron-main.js",
-  "version": "0.13.0",
+  "version": "0.13.5-cryptowarning.2",
   "description": "A feature-rich client for Matrix.org",
   "author": "Vector Creations Ltd.",
   "repository": {
@@ -68,8 +68,8 @@
     "gfm.css": "^1.1.1",
     "highlight.js": "^9.0.0",
     "linkifyjs": "^2.1.3",
-    "matrix-js-sdk": "0.9.0",
-    "matrix-react-sdk": "0.11.0",
+    "matrix-js-sdk": "0.9.2-cryptowraning.1",
+    "matrix-react-sdk": "0.11.4-cryptowarning.2",
     "modernizr": "^3.1.0",
     "pako": "^1.0.5",
     "prop-types": "^15.5.10",

scripts/copy-res.js

@@ -29,6 +29,7 @@ const INCLUDE_LANGS = [
     {'value': 'pt_BR', 'label': 'Português do Brasil'},
     {'value': 'ru', 'label': 'Русский'},
     {'value': 'sv', 'label': 'Svenska'},
+    {'value': 'sk', 'label': 'Slovenčina'},
     {'value': 'th', 'label': 'ไทย'},
     {'value': 'te', 'label': 'తెలుగు'},
     {'value': 'tr', 'label': 'Türk'},

src/components/views/context_menus/MessageContextMenu.js

@@ -1,5 +1,6 @@
 /*
 Copyright 2015, 2016 OpenMarket Ltd
+Copyright 2018 New Vector Ltd
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -25,6 +26,7 @@ import { _t } from 'matrix-react-sdk/lib/languageHandler';
 const Modal = require('matrix-react-sdk/lib/Modal');
 const Resend = require("matrix-react-sdk/lib/Resend");
 import * as UserSettingsStore from 'matrix-react-sdk/lib/UserSettingsStore';
+import { isUrlPermitted } from 'matrix-react-sdk/lib/HtmlUtils';
 
 module.exports = React.createClass({
     displayName: 'MessageContextMenu',
@@ -275,7 +277,10 @@ module.exports = React.createClass({
         }
 
         // Bridges can provide a 'external_url' to link back to the source.
-        if( typeof(this.props.mxEvent.event.content.external_url) === "string") {
+        if(
+            typeof(this.props.mxEvent.event.content.external_url) === "string" &&
+            isUrlPermitted(this.props.mxEvent.event.content.external_url)
+        ) {
           externalURLButton = (
               <div className="mx_MessageContextMenu_field">
                   <a href={ this.props.mxEvent.event.content.external_url }