sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-21 16:13:00 +00:00
Code Activity

page-renderer: use htmlentities on admindetails_name

Browse source 
This is NOT to fix a security issue - rather to allow the admin's name 
to contain special characters. Note that the admin's name can only be 
changed either in peppermint.json or via the admin settings panel (which 
only admins can access). If you're worries about admins serving 
arbitrary HTML, then Pepperminty Wiki is not for you because they could 
serve a random static HTML file that they've uploaded to their web 
server for instance.
This commit is contained in:
Starbeamrainbowlabs 2021-09-03 00:09:44 +01:00
parent 98485e7bd2
commit 39af83caf9
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
core/40-page-renderer.php
View file

@ -190,7 +190,10 @@ class page_renderer
"{navigation-bar}" => self::render_navigation_bar($settings->nav_links, $settings->nav_links_extra, "top"),
"{navigation-bar-bottom}" => self::render_navigation_bar($settings->nav_links_bottom, [], "bottom"),
"{admin-details}" => hide_email($settings->admindetails_email, $settings->admindetails_name),
"{admin-details}" => hide_email(
$settings->admindetails_email,
htmlentities($settings->admindetails_name)
),
"{admin-details-name}" => $settings->admindetails_name,
"{admins-name-list}" => implode(", ", array_map(function($username) { return page_renderer::render_username($username); }, $settings->admins)),