sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00
Code Activity

feature-watchlist: fix format GET parameter

Browse source
This commit is contained in:
Starbeamrainbowlabs 2021-09-02 21:23:31 +01:00
parent 4fdbd9a427
commit b6fc5941b7
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Changelog.md
View file

@ -24,7 +24,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
- [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once - [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
- [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the following GET parameters - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the following GET parameters
- `action` - `action`
- `action=watchlist`: `returnto`, `do` - `action=watchlist-edit`: `returnto`, `do`
- `action=watchlist`: `format`
- Fixed a weird bug in the `stats-update` action causing warnings - Fixed a weird bug in the `stats-update` action causing warnings
- search: Properly apply weightings of matches in page titles and tags - search: Properly apply weightings of matches in page titles and tags
- Improved error handling on first run where the PHP Zip extension is not installed - Improved error handling on first run where the PHP Zip extension is not installed

2
modules/feature-watchlist.php
View file

@ -51,7 +51,7 @@ register_module([
exit(page_renderer::render_main("No email address specified -$settings->sitename", "<p>You are logged in, but have not specified an email address to send notifications to. Try specifying one in your <a href='?action=user-preferences'>user preferences</a> and then coming back here.</p>")); exit(page_renderer::render_main("No email address specified -$settings->sitename", "<p>You are logged in, but have not specified an email address to send notifications to. Try specifying one in your <a href='?action=user-preferences'>user preferences</a> and then coming back here.</p>"));
} }
$format = $_GET["format"] ?? "html"; $format = slugify($_GET["format"] ?? "html");
$watchlist = []; $watchlist = [];
if(!empty($env->user_data->watchlist)) if(!empty($env->user_data->watchlist))