sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 16:33:00 +00:00
Code Activity

Fix crash when loading the stats page

Browse source
This commit is contained in:
Starbeamrainbowlabs 2022-01-05 02:47:28 +00:00
parent 4853c1f604
commit 021ebaea22
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Changelog.md
View file

@ -8,6 +8,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
- Display returnto URL above the login form if present to further mitigate CSRF issues - Display returnto URL above the login form if present to further mitigate CSRF issues
### Fixed ### Fixed
- Stats: Fix crash when loading the stats page
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome) - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome) - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to) - [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)

2
modules/feature-stats.php
View file

@ -33,7 +33,7 @@ register_module([
global $settings, $statistic_calculators; global $settings, $statistic_calculators;
$allowed_formats = [ "html", "json" ]; $allowed_formats = [ "html", "json" ];
$format = slugify($_GET["format"]) ?? "html"; $format = slugify($_GET["format"] ?? "html");
if(!in_array($format, $allowed_formats)) { if(!in_array($format, $allowed_formats)) {
http_response_code(400); http_response_code(400);