feature-user-table: fix potential obscure XSS attack
This commit is contained in:
parent
2d6bf1df70
commit
2844a47f9f
1 changed files with 9 additions and 9 deletions
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
register_module([
|
register_module([
|
||||||
"name" => "User Organiser",
|
"name" => "User Organiser",
|
||||||
"version" => "0.1.1",
|
"version" => "0.1.2",
|
||||||
"author" => "Starbeamrainbowlabs",
|
"author" => "Starbeamrainbowlabs",
|
||||||
"description" => "Adds a organiser page that lets moderators (or better) control the reegistered user accounts, and perform adminstrative actions such as password resets, and adding / removing accounts.",
|
"description" => "Adds a organiser page that lets moderators (or better) control the reegistered user accounts, and perform adminstrative actions such as password resets, and adding / removing accounts.",
|
||||||
"id" => "feature-user-table",
|
"id" => "feature-user-table",
|
||||||
|
@ -129,7 +129,7 @@ register_module([
|
||||||
|
|
||||||
if(!save_settings()) {
|
if(!save_settings()) {
|
||||||
http_response_code(503);
|
http_response_code(503);
|
||||||
exit(page_renderer::render_main("Error: Failed to save settings - Add User - $settings->sitename", "<p>$settings->sitename failed to save the new user's data to disk. Please contact $settings->admindetails_name for assistance (their email address can be found at the bottom of this page).</p>"));
|
exit(page_renderer::render_main("Error: Failed to save settings - Add User - $settings->sitename", "<p>$settings->sitename failed to save the new user's data to disk. Please contact ".htmlentities($settings->admindetails_name)." for assistance (their email address can be found at the bottom of this page).</p>"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -153,9 +153,9 @@ https://github.com/sbrl/Pepperminty-Wiki/
|
||||||
<ul>
|
<ul>
|
||||||
<li>Username: <code>$new_username</code></li>";
|
<li>Username: <code>$new_username</code></li>";
|
||||||
if(!empty($new_email))
|
if(!empty($new_email))
|
||||||
$content .= " <li>Email Address: <code>$new_email</code></li>\n";
|
$content .= " <li>Email Address: <code>".htmlentities($new_email)."</code></li>\n";
|
||||||
if(!$welcome_email_result)
|
if(!$welcome_email_result)
|
||||||
$content .= " <li>Password: <code>$new_password</code></li>\n";
|
$content .= " <li>Password: <code>".htmlentities($new_password)."</code></li>\n";
|
||||||
$content .= "</ul>\n";
|
$content .= "</ul>\n";
|
||||||
if($welcome_email_result)
|
if($welcome_email_result)
|
||||||
$content .= "<p>An email has been sent to the email address given above containing their login details.</p>\n";
|
$content .= "<p>An email has been sent to the email address given above containing their login details.</p>\n";
|
||||||
|
@ -208,13 +208,13 @@ https://github.com/sbrl/Pepperminty-Wiki/
|
||||||
|
|
||||||
if(empty($settings->users->{$_POST["user"]})) {
|
if(empty($settings->users->{$_POST["user"]})) {
|
||||||
http_response_code(404);
|
http_response_code(404);
|
||||||
exit(page_renderer::render_main("User not found - Set Password - $settings->sitename", "<p>Error: No user called {$_POST["user"]} was found, so their password can't be set. Perhaps you forgot to create the user first?</p>"));
|
exit(page_renderer::render_main("User not found - Set Password - $settings->sitename", "<p>Error: No user called '".htmlentities($_POST["user"])."' was found, so their password can't be set. Perhaps you forgot to create the user first?</p>"));
|
||||||
}
|
}
|
||||||
|
|
||||||
$settings->users->{$_POST["user"]}->password = hash_password($_POST["new-pass"]);
|
$settings->users->{$_POST["user"]}->password = hash_password($_POST["new-pass"]);
|
||||||
if(!save_settings()) {
|
if(!save_settings()) {
|
||||||
http_response_code(503);
|
http_response_code(503);
|
||||||
exit(page_renderer::render_main("Server Error - Set Password - $settings->sitename", "<p>Error: $settings->sitename couldn't save the settings back to disk! Nothing has been changed. Please context $settings->admindetails_name, whose email address can be found at the bottom of this page.</p>"));
|
exit(page_renderer::render_main("Server Error - Set Password - $settings->sitename", "<p>Error: $settings->sitename couldn't save the settings back to disk! Nothing has been changed. Please context ".htmlentities($settings->admindetails_name).", whose email address can be found at the bottom of this page.</p>"));
|
||||||
}
|
}
|
||||||
|
|
||||||
exit(page_renderer::render_main("Set Password - $settings->sitename", "<p>" . htmlentities($_POST["user"]) . "'s password has been set successfully. <a href='?action=user-table'>Go back</a> to the user table.</p>"));
|
exit(page_renderer::render_main("Set Password - $settings->sitename", "<p>" . htmlentities($_POST["user"]) . "'s password has been set successfully. <a href='?action=user-table'>Go back</a> to the user table.</p>"));
|
||||||
|
@ -256,12 +256,12 @@ https://github.com/sbrl/Pepperminty-Wiki/
|
||||||
}
|
}
|
||||||
if(empty($settings->users->{$_GET["user"]})) {
|
if(empty($settings->users->{$_GET["user"]})) {
|
||||||
http_response_code(404);
|
http_response_code(404);
|
||||||
exit(page_renderer::render_main("User not found - Delete User - $settings->sitename", "<p>Error: No user called {$_GET["user"]} was found, so their account can't be delete. Perhaps you spelt their account name incorrectly?</p>"));
|
exit(page_renderer::render_main("User not found - Delete User - $settings->sitename", "<p>Error: No user called ".htmlentities($_GET["user"])." was found, so their account can't be delete. Perhaps you spelt their account name incorrectly?</p>"));
|
||||||
}
|
}
|
||||||
|
|
||||||
email_user($_GET["user"], "Account Deletion", "Hello, {$_GET["user"]}!
|
email_user($_GET["user"], "Account Deletion", "Hello, {$_GET["user"]}!
|
||||||
|
|
||||||
This is a notification email from $settings->sitename, to let you know that $env->user has deleted your user account, so you won't be able to log in to your account anymore.
|
This is a notification email from $settings->sitename to let you know that $env->user has deleted your user account, so you won't be able to log in to your account anymore.
|
||||||
|
|
||||||
If this was done in error, then please contact a moderator, or $settings->admindetails_name ($settings->sitename's Administrator) - whose email address can be found at the bottom of every page on $settings->sitename.
|
If this was done in error, then please contact a moderator, or $settings->admindetails_name ($settings->sitename's Administrator) - whose email address can be found at the bottom of every page on $settings->sitename.
|
||||||
|
|
||||||
|
@ -275,7 +275,7 @@ Powered by Pepperminty Wiki
|
||||||
|
|
||||||
if(!save_settings()) {
|
if(!save_settings()) {
|
||||||
http_response_code(503);
|
http_response_code(503);
|
||||||
exit(page_renderer::render_main("Server Error - Delete User - $settings->sitename", "<p>Error: $settings->sitename couldn't save the settings back to disk! Nothing has been changed. Please context $settings->admindetails_name, whose email address can be found at the bottom of this page.</p>"));
|
exit(page_renderer::render_main("Server Error - Delete User - $settings->sitename", "<p>Error: $settings->sitename couldn't save the settings back to disk! Nothing has been changed. Please context ".htmlentities($settings->admindetails_name).", whose email address can be found at the bottom of this page.</p>"));
|
||||||
}
|
}
|
||||||
|
|
||||||
exit(page_renderer::render_main("Delete User - $settings->sitename", "<p>" . htmlentities($_GET["user"]) . "'s account has been deleted successfully. <a href='?action=user-table'>Go back</a> to the user table.</p>"));
|
exit(page_renderer::render_main("Delete User - $settings->sitename", "<p>" . htmlentities($_GET["user"]) . "'s account has been deleted successfully. <a href='?action=user-table'>Go back</a> to the user table.</p>"));
|
||||||
|
|
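Review bot: The add-user result page in the third hunk still interpolates `$new_username` raw into the HTML (`<li>Username: <code>$new_username</code></li>`) while the email and password lines immediately after it are now wrapped in htmlentities(), so the same "obscure XSS" this commit targets presumably remains reachable through the username field if it is taken from the request (its origin is outside the hunk, as is the start and end of the enclosing add-user handler). Change the line to `<li>Username: <code>".htmlentities($new_username)."</code></li>";` for consistency with the two lines below it. The commit also treats `$settings->admindetails_name` as needing escaping but leaves `$settings->sitename` interpolated unescaped into the same page bodies and titles in every hunk; unless page_renderer::render_main escapes those itself, which is not visible here, the two settings should be handled the same way.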