page-renderer: use htmlentities on admindetails_name

This is NOT to fix a security issue - rather to allow the admin's name 
to contain special characters. Note that the admin's name can only be 
changed either in peppermint.json or via the admin settings panel (which 
only admins can access). If you're worried about admins serving 
arbitrary HTML, then Pepperminty Wiki is not for you because they could 
serve a random static HTML file that they've uploaded to their web 
server for instance.
Starbeamrainbowlabs 2021-09-03 00:09:44 +01:00
parent 98485e7bd2
commit 39af83caf9
Signed by: sbrl
GPG Key ID: 1BE5172E637709C2
1 changed files with 4 additions and 1 deletions

@ -190,7 +190,10 @@ class page_renderer
"{navigation-bar}" => self::render_navigation_bar($settings->nav_links, $settings->nav_links_extra, "top"),
"{navigation-bar-bottom}" => self::render_navigation_bar($settings->nav_links_bottom, [], "bottom"),
"{admin-details}" => hide_email($settings->admindetails_email, $settings->admindetails_name),
"{admin-details}" => hide_email(
$settings->admindetails_email,
htmlentities($settings->admindetails_name)
),
"{admin-details-name}" => $settings->admindetails_name,
"{admins-name-list}" => implode(", ", array_map(function($username) { return page_renderer::render_username($username); }, $settings->admins)),
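
Review bot: The unchanged "{admin-details-name}" => $settings->admindetails_name entry directly below the new hide_email(...) call still emits the name unescaped, so a name containing special characters will be encoded in {admin-details} but not in {admin-details-name}. Consider wrapping that value in htmlentities() as well, or escaping the name once into a local variable and using it for both entries. It is also worth confirming that hide_email() does not already encode its second argument, since that would double-encode the name.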