sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00
Code Activity

Implement simple slugify function

Browse source 
I suspect I may have to fix a number of issues here.....
This commit is contained in:
Starbeamrainbowlabs 2021-09-02 21:19:31 +01:00
parent 473e8e1fc9
commit 96546184dc
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
4 changed files with 14 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Changelog.md
View file

@ -22,7 +22,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## Fixed ## Fixed
- [security] Fixed some potential XSS attacks in the page editor - [security] Fixed some potential XSS attacks in the page editor
- [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once - [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
- [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the `action` GET parameter. - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the `action` & `action=watchlist&return=blah` GET parameters.
- Fixed a weird bug in the `stats-update` action causing warnings - Fixed a weird bug in the `stats-update` action causing warnings
- search: Properly apply weightings of matches in page titles and tags - search: Properly apply weightings of matches in page titles and tags
- Improved error handling on first run where the PHP Zip extension is not installed - Improved error handling on first run where the PHP Zip extension is not installed

10
core/05-functions.php
View file

@ -316,6 +316,16 @@ function makepathsafe($string)
return $string; return $string;
} }
/**
* Slugifies a given string such that it can only contain a-z0-9-_.
* Also automatically makes it lowercase.
* @param string $text The text to operate on.
* @return string The slugified string.
*/
function slugify(string $text) : string {
return preg_replace("/[^a-zA-Z0-9\-_]", "", $text);
}
/** /**
* Hides an email address from bots. Returns a fragment of HTML that contains the mangled email address. * Hides an email address from bots. Returns a fragment of HTML that contains the mangled email address.
* @package core * @package core

2
core/45-environment-deferred.php
View file

@ -28,4 +28,4 @@ if($env->is_history_revision)
else if(isset($pageindex->{$env->page})) else if(isset($pageindex->{$env->page}))
$env->page_filename .= $pageindex->{$env->page}->filename; $env->page_filename .= $pageindex->{$env->page}->filename;
$env->action = preg_replace("/[^a-z0-9\-_]/", "", strtolower($_GET["action"])); $env->action = slugify($_GET["action"]);

4
modules/feature-watchlist.php
View file

@ -5,7 +5,7 @@
register_module([ register_module([
"name" => "User watchlists", "name" => "User watchlists",
"version" => "0.1.3", "version" => "0.1.4",
"author" => "Starbeamrainbowlabs", "author" => "Starbeamrainbowlabs",
"description" => "Adds per-user watchlists. When a page on a user's watchlist is edited, a notification email is sent.", "description" => "Adds per-user watchlists. When a page on a user's watchlist is edited, a notification email is sent.",
"id" => "feature-watchlist", "id" => "feature-watchlist",
@ -145,7 +145,7 @@ register_module([
http_response_code(401); http_response_code(401);
header("x-status: failed"); header("x-status: failed");
header("x-problem: not-logged-in"); header("x-problem: not-logged-in");
exit(page_renderer::render_main("Not logged in - $settings->sitename", "<p>Only logged in users can have watchlists. Try <a href='?action=login&amp;returnto=".rawurlencode("?action=watchlist-edit&do=$do&returnto=$returnto")."'>logging in</a>.</p>")); exit(page_renderer::render_main("Not logged in - $settings->sitename", "<p>Only logged in users can have watchlists. Try <a href='?action=login&amp;returnto=".rawurlencode("?action=watchlist-edit&do=$do&returnto=".htmlentities($returnto))."'>logging in</a>.</p>"));
} }
if(empty($env->user_data->emailAddress)) { if(empty($env->user_data->emailAddress)) {