mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-11-22 04:23:01 +00:00
Fix crash when loading the stats page
This commit is contained in:
parent
4853c1f604
commit
021ebaea22
2 changed files with 2 additions and 1 deletions
|
@ -8,6 +8,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
||||||
- Display returnto URL above the login form if present to further mitigate CSRF issues
|
- Display returnto URL above the login form if present to further mitigate CSRF issues
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
- Stats: Fix crash when loading the stats page
|
||||||
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
||||||
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
||||||
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
||||||
|
|
|
@ -33,7 +33,7 @@ register_module([
|
||||||
global $settings, $statistic_calculators;
|
global $settings, $statistic_calculators;
|
||||||
|
|
||||||
$allowed_formats = [ "html", "json" ];
|
$allowed_formats = [ "html", "json" ];
|
||||||
$format = slugify($_GET["format"]) ?? "html";
|
$format = slugify($_GET["format"] ?? "html");
|
||||||
|
|
||||||
if(!in_array($format, $allowed_formats)) {
|
if(!in_array($format, $allowed_formats)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
|
|
Loading…
Reference in a new issue