docker(deps): Bump astral-sh/uv

Bumps [astral-sh/uv](https://github.com/astral-sh/uv) from 0.9.15-python3.12-trixie-slim to 0.9.17-python3.12-trixie-slim.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/uv/compare/0.9.15...0.9.17)

---
updated-dependencies:
- dependency-name: astral-sh/uv
  dependency-version: 0.9.17-python3.12-trixie-slim
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/ci.yml

@@ -275,12 +275,8 @@ jobs:
   tests-frontend-e2e:
     name: "Frontend E2E Tests (Node ${{ matrix.node-version }} - ${{ matrix.shard-index }}/${{ matrix.shard-count }})"
     runs-on: ubuntu-24.04
-    container: mcr.microsoft.com/playwright:v1.57.0-noble
     needs:
       - install-frontend-dependencies
-    env:
-      PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
-      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
     strategy:
       fail-fast: false
       matrix:
@@ -309,8 +305,19 @@ jobs:
           key: ${{ runner.os }}-frontenddeps-${{ hashFiles('src-ui/pnpm-lock.yaml') }}
       - name: Re-link Angular cli
         run: cd src-ui && pnpm link @angular/cli
+      - name: Cache Playwright browsers
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('src-ui/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+      - name: Install Playwright system dependencies
+        run: npx playwright install-deps
       - name: Install dependencies
         run: cd src-ui && pnpm install --no-frozen-lockfile
+      - name: Install Playwright
+        run: cd src-ui && pnpm exec playwright install
       - name: Run Playwright e2e tests
         run: cd src-ui && pnpm exec playwright test --shard ${{ matrix.shard-index }}/${{ matrix.shard-count }}
   frontend-bundle-analysis:

Dockerfile

@@ -32,7 +32,7 @@ RUN set -eux \
 # Purpose: Installs s6-overlay and rootfs
 # Comments:
 #  - Don't leave anything extra in here either
-FROM ghcr.io/astral-sh/uv:0.9.15-python3.12-trixie-slim AS s6-overlay-base
+FROM ghcr.io/astral-sh/uv:0.9.17-python3.12-trixie-slim AS s6-overlay-base
 
 WORKDIR /usr/src/s6
 

src-ui/src/app/components/common/preview-popup/preview-popup.component.html

@@ -14,7 +14,7 @@
         @if (previewText) {
           <div class="bg-light p-3 overflow-auto whitespace-preserve" width="100%">{{previewText}}</div>
         } @else {
-          <object [data]="previewURL" width="100%" class="bg-light" [class.p-2]="!isPdf"></object>
+          <object [data]="previewURL | safeUrl" width="100%" class="bg-light" [class.p-2]="!isPdf"></object>
         }
       } @else {
         @if (requiresPassword) {

src-ui/src/app/components/common/preview-popup/preview-popup.component.ts

@@ -7,6 +7,7 @@ import { first, Subject, takeUntil } from 'rxjs'
 import { Document } from 'src/app/data/document'
 import { SETTINGS_KEYS } from 'src/app/data/ui-settings'
 import { DocumentTitlePipe } from 'src/app/pipes/document-title.pipe'
+import { SafeUrlPipe } from 'src/app/pipes/safeurl.pipe'
 import { DocumentService } from 'src/app/services/rest/document.service'
 import { SettingsService } from 'src/app/services/settings.service'
 
@@ -18,6 +19,7 @@ import { SettingsService } from 'src/app/services/settings.service'
     NgbPopoverModule,
     DocumentTitlePipe,
     PdfViewerModule,
+    SafeUrlPipe,
     NgxBootstrapIconsModule,
   ],
 })

src-ui/src/app/components/dashboard/widgets/saved-view-widget/saved-view-widget.component.spec.ts

@@ -32,6 +32,7 @@ import { IfPermissionsDirective } from 'src/app/directives/if-permissions.direct
 import { PermissionsGuard } from 'src/app/guards/permissions.guard'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { DocumentTitlePipe } from 'src/app/pipes/document-title.pipe'
+import { SafeUrlPipe } from 'src/app/pipes/safeurl.pipe'
 import { DocumentListViewService } from 'src/app/services/document-list-view.service'
 import { PermissionsService } from 'src/app/services/permissions.service'
 import { CustomFieldsService } from 'src/app/services/rest/custom-fields.service'
@@ -127,6 +128,7 @@ describe('SavedViewWidgetComponent', () => {
         IfPermissionsDirective,
         CustomDatePipe,
         DocumentTitlePipe,
+        SafeUrlPipe,
         PreviewPopupComponent,
         CustomFieldDisplayComponent,
       ],

src-ui/src/app/components/document-detail/document-detail.component.html

@@ -379,7 +379,7 @@
 <ng-template #previewContent>
   <div class="thumb-preview position-absolute pe-none text-center" [class.fade]="previewLoaded">
     @if (showThumbnailOverlay) {
-      <img [src]="thumbUrl" class="mx-auto" [attr.width]="previewZoomScale === 'page-fit' ? 'auto' : '100%'" [attr.height]="previewZoomScale === 'page-fit' ? '100%' : 'auto'" alt="Document loading..." i18n-alt />
+      <img [src]="thumbUrl | safeUrl" class="mx-auto" [attr.width]="previewZoomScale === 'page-fit' ? 'auto' : '100%'" [attr.height]="previewZoomScale === 'page-fit' ? '100%' : 'auto'" alt="Document loading..." i18n-alt />
     }
     <div class="position-absolute top-0 start-0 m-2 p-2 d-flex align-items-center justify-content-center">
       <div>
@@ -406,7 +406,7 @@
             </pdf-viewer>
           </div>
         } @else {
-          <object [data]="previewUrl" class="preview-sticky" width="100%"></object>
+          <object [data]="previewUrl | safeUrl" class="preview-sticky" width="100%"></object>
         }
       }
       @case (ContentRenderType.Text) {
@@ -414,7 +414,7 @@
       }
       @case (ContentRenderType.Image) {
         <div class="preview-sticky">
-          <img [src]="previewUrl" width="100%" height="100%" alt="{{title}}" />
+          <img [src]="previewUrl | safeUrl" width="100%" height="100%" alt="{{title}}" />
         </div>
       }
       @case (ContentRenderType.TIFF) {
@@ -427,7 +427,7 @@
         }
       }
       @case (ContentRenderType.Other) {
-        <object [data]="previewUrl" class="preview-sticky" width="100%"></object>
+        <object [data]="previewUrl | safeUrl" class="preview-sticky" width="100%"></object>
       }
     }
     @if (requiresPassword) {

src-ui/src/app/components/document-detail/document-detail.component.ts

@@ -60,6 +60,7 @@ import { IfPermissionsDirective } from 'src/app/directives/if-permissions.direct
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { DocumentTitlePipe } from 'src/app/pipes/document-title.pipe'
 import { FileSizePipe } from 'src/app/pipes/file-size.pipe'
+import { SafeUrlPipe } from 'src/app/pipes/safeurl.pipe'
 import { ComponentRouterService } from 'src/app/services/component-router.service'
 import { DocumentListViewService } from 'src/app/services/document-list-view.service'
 import { HotKeyService } from 'src/app/services/hot-key.service'
@@ -168,6 +169,7 @@ export enum ZoomSetting {
     FormsModule,
     ReactiveFormsModule,
     NgTemplateOutlet,
+    SafeUrlPipe,
     NgbNavModule,
     NgbDropdownModule,
     NgxBootstrapIconsModule,

src-ui/src/app/components/document-list/document-card-large/document-card-large.component.spec.ts

@@ -14,6 +14,7 @@ import { IfPermissionsDirective } from 'src/app/directives/if-permissions.direct
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { DocumentTitlePipe } from 'src/app/pipes/document-title.pipe'
 import { IsNumberPipe } from 'src/app/pipes/is-number.pipe'
+import { SafeUrlPipe } from 'src/app/pipes/safeurl.pipe'
 import { CustomFieldDisplayComponent } from '../../common/custom-field-display/custom-field-display.component'
 import { PreviewPopupComponent } from '../../common/preview-popup/preview-popup.component'
 import { DocumentCardLargeComponent } from './document-card-large.component'
@@ -52,6 +53,7 @@ describe('DocumentCardLargeComponent', () => {
         DocumentTitlePipe,
         CustomDatePipe,
         IfPermissionsDirective,
+        SafeUrlPipe,
         IsNumberPipe,
         PreviewPopupComponent,
         CustomFieldDisplayComponent,

src-ui/src/app/pipes/safeurl.pipe.spec.ts

@@ -0,0 +1,32 @@
+import { TestBed } from '@angular/core/testing'
+import { BrowserModule, DomSanitizer } from '@angular/platform-browser'
+import { SafeUrlPipe } from './safeurl.pipe'
+
+describe('SafeUrlPipe', () => {
+  let pipe: SafeUrlPipe
+
+  beforeEach(() => {
+    TestBed.configureTestingModule({
+      providers: [SafeUrlPipe],
+      imports: [BrowserModule],
+    })
+    pipe = TestBed.inject(SafeUrlPipe)
+  })
+
+  it('should bypass security and trust the url', () => {
+    const url = 'https://example.com'
+    const domSanitizer = TestBed.inject(DomSanitizer)
+    const sanitizerSpy = jest.spyOn(
+      domSanitizer,
+      'bypassSecurityTrustResourceUrl'
+    )
+
+    let safeResourceUrl = pipe.transform(url)
+    expect(safeResourceUrl).not.toBeNull()
+    expect(sanitizerSpy).toHaveBeenCalled()
+
+    safeResourceUrl = pipe.transform(null)
+    expect(safeResourceUrl).not.toBeNull()
+    expect(sanitizerSpy).toHaveBeenCalled()
+  })
+})

src-ui/src/app/pipes/safeurl.pipe.ts

@@ -0,0 +1,17 @@
+import { Pipe, PipeTransform, inject } from '@angular/core'
+import { DomSanitizer } from '@angular/platform-browser'
+
+@Pipe({
+  name: 'safeUrl',
+})
+export class SafeUrlPipe implements PipeTransform {
+  private sanitizer = inject(DomSanitizer)
+
+  transform(url) {
+    if (url == null) {
+      return this.sanitizer.bypassSecurityTrustResourceUrl('')
+    } else {
+      return this.sanitizer.bypassSecurityTrustResourceUrl(url)
+    }
+  }
+}