increase to 13.0.2

Signed-off-by: Simon L. <szaimen@e.mail.de>

Containers/apache/Dockerfile

@@ -2,7 +2,7 @@
 FROM caddy:2.11.2-alpine AS caddy
 
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.66-alpine3.23
+FROM httpd:2.4.67-alpine3.23
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.7-alpine
+FROM haproxy:3.3.8-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.3.3
+FROM elasticsearch:9.4.0
 
 USER root
 

Containers/redis/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.2-alpine
+FROM redis:8.6.3-alpine
 
 COPY --chmod=775 start.sh /start.sh
 

Containers/talk/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.8-scratch AS nats
+FROM nats:2.14.0-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus

php/public/clean-history.js

@@ -1,26 +0,0 @@
-// This script is loaded after a successful token-based login.
-// It replaces the browser's current history entry (stripping the token from the
-// URL) before navigating to the main AIO page, so the token is never left in
-// the browser history and cannot be accidentally exposed via the back-button.
-//
-// The target URL is passed via the script tag's data-target attribute.
-// document.currentScript is only available during synchronous script execution
-// (not with defer/async), so this script is loaded without those attributes.
-//
-// We replace with location.pathname only (no query string, no hash), which
-// intentionally strips the ?token=… parameter and any hash fragment from the
-// recorded history entry.
-
-// Guard against environments where document.currentScript may be null.
-if (!document.currentScript) {
-    window.location.replace('/');
-} else {
-    const rawTarget = document.currentScript.dataset.target;
-
-    // Only accept the exact relative path we set server-side to prevent any
-    // potential open-redirect via a manipulated data-target value.
-    const target = rawTarget === '../../' ? rawTarget : '/';
-
-    history.replaceState(null, '', location.pathname);
-    window.location.replace(target);
-}

php/public/index.php

@@ -181,7 +181,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'community_containers' => $configurationManager->listAvailableCommunityContainers(),
         'community_containers_enabled' => $configurationManager->aioCommunityContainers,
         'bypass_container_update' => $bypass_container_update,
-    ])->withHeader('Cache-Control', 'no-store');
+    ]);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
     $view = Twig::fromRequest($request);
@@ -209,7 +209,7 @@ $app->get('/setup', function (Request $request, Response $response, array $args)
         [
             'password' => $setup->Setup(),
         ]
-    )->withHeader('Cache-Control', 'no-store');
+    );
 });
 $app->get('/log', function (Request $request, Response $response, array $args) use ($container) {
     $params = $request->getQueryParams();

php/src/Controller/DockerController.php

@@ -339,7 +339,7 @@ readonly class DockerController {
 
         $body = $nonbufResp->getBody();
         $addToStreamingResponseBody = function (string $message) use ($body) : void {
-            $body->write('<div>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');
+            $body->write("<div>$message</div>");
         };
 
         $this->dockerActionManager->SystemPrune($addToStreamingResponseBody);
@@ -430,7 +430,7 @@ readonly class DockerController {
         // if it'll actually pull an image), but which should not need to know anything about the
         // wanted markup or formatting.
         $addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void {
-            $nonbufResp->getBody()->write('<div>' . htmlspecialchars($container->displayName, ENT_QUOTES | ENT_HTML5) . ': ' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');
+            $nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>");
         };
 
         return $addToStreamingResponseBody;

php/src/Controller/LoginController.php

@@ -39,19 +39,7 @@ readonly class LoginController {
         $token = $request->getQueryParams()['token'] ?? '';
         if($this->authManager->CheckToken($token)) {
             $this->authManager->SetAuthState(true);
-            // Return a minimal HTML page that uses JavaScript to replace the browser's
-            // current history entry (removing the token from it) before navigating to
-            // the main AIO page.  This prevents the token from remaining in browser history.
-            // The script is served from 'self'; same-origin scripts are already trusted under
-            // the 'script-src-elem self' CSP directive, so no SRI hash is needed here.
-            $response->getBody()->write(
-                '<!DOCTYPE html>' .
-                '<html lang="en">' .
-                '<head><script src="../../clean-history.js" data-target="../../"></script></head>' .
-                '<body></body>' .
-                '</html>'
-            );
-            return $response->withHeader('Content-Type', 'text/html; charset=utf-8')->withStatus(200);
+            return $response->withHeader('Location', '../..')->withStatus(302);
         }
 
         // Punish failed auth attempts with a delay, as a very simple means against bots.

php/templates/includes/aio-version.twig

@@ -1 +1 @@
-13.0.1
+13.0.2