mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-12-22 13:45:02 +00:00
Fix crash when loading the stats page
This commit is contained in:
parent
4853c1f604
commit
021ebaea22
2 changed files with 2 additions and 1 deletions
|
@ -8,6 +8,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
|||
- Display returnto URL above the login form if present to further mitigate CSRF issues
|
||||
|
||||
### Fixed
|
||||
- Stats: Fix crash when loading the stats page
|
||||
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
||||
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
||||
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
||||
|
|
|
@ -33,7 +33,7 @@ register_module([
|
|||
global $settings, $statistic_calculators;
|
||||
|
||||
$allowed_formats = [ "html", "json" ];
|
||||
$format = slugify($_GET["format"]) ?? "html";
|
||||
$format = slugify($_GET["format"] ?? "html");
|
||||
|
||||
if(!in_array($format, $allowed_formats)) {
|
||||
http_response_code(400);
|
||||
|
|
Loading…
Reference in a new issue