1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-12-22 13:45:02 +00:00

page-renderer: use htmlentities on admindetails_name

This is NOT to fix a security issue - rather to allow the admin's name 
to contain special characters. Note that the admin's name can only be 
changed either in peppermint.json or via the admin settings panel (which 
only admins can access). If you're worries about admins serving 
arbitrary HTML, then Pepperminty Wiki is not for you because they could 
serve a random static HTML file that they've uploaded to their web 
server for instance.
This commit is contained in:
Starbeamrainbowlabs 2021-09-03 00:09:44 +01:00
parent 98485e7bd2
commit 39af83caf9
Signed by: sbrl
GPG key ID: 1BE5172E637709C2

View file

@ -190,7 +190,10 @@ class page_renderer
"{navigation-bar}" => self::render_navigation_bar($settings->nav_links, $settings->nav_links_extra, "top"),
"{navigation-bar-bottom}" => self::render_navigation_bar($settings->nav_links_bottom, [], "bottom"),
"{admin-details}" => hide_email($settings->admindetails_email, $settings->admindetails_name),
"{admin-details}" => hide_email(
$settings->admindetails_email,
htmlentities($settings->admindetails_name)
),
"{admin-details-name}" => $settings->admindetails_name,
"{admins-name-list}" => implode(", ", array_map(function($username) { return page_renderer::render_username($username); }, $settings->admins)),