page-view: XSS again again again
This commit is contained in:
parent
fef9102393
commit
de4536e173
GPG Key ID:
1BE5172E637709C2
|
|
@ -523,7 +523,7 @@ class page_renderer
|
|||
$result = "";
|
||||
$result .= "<a href='?page=" . rawurlencode(get_user_pagename($name)) . "'>";
|
||||
if($settings->avatars_show)
|
||||
$result .= "<img class='avatar' aria-hidden='true' src='?action=avatar&user=" . urlencode($name) . "&size=$settings->avatars_size' /> ";
|
||||
$result .= "<img class='avatar' aria-hidden='true' src='?action=avatar&user=" . rawurlencode($name) . "&size=$settings->avatars_size' /> ";
|
||||
if(in_array($name, $settings->admins))
|
||||
$result .= $settings->admindisplaychar;
|
||||
$result .= htmlentities($name);
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
register_module([
|
||||
"name" => "Page viewer",
|
||||
"version" => "0.16.10",
|
||||
"version" => "0.16.11",
|
||||
"author" => "Starbeamrainbowlabs",
|
||||
"description" => "Allows you to view pages. You really should include this one.",
|
||||
"id" => "page-view",
|
||||
|
|
@ -53,7 +53,7 @@ register_module([
|
|||
} else {
|
||||
// Editing is disabled, show an error message
|
||||
http_response_code(404);
|
||||
exit(page_renderer::render_main("404: Page not found - $env->page - $settings->sitename", "<p>$env->page does not exist.</p><p>Since editing is currently disabled on this wiki, you may not create this page. If you feel that this page should exist, try contacting this wiki's Administrator.</p>"));
|
||||
exit(page_renderer::render_main("404: Page not found - $env->page - $settings->sitename", "<p>$env->page_safe does not exist.</p><p>Since editing is currently disabled on this wiki, you may not create this page. If you feel that this page should exist, try contacting this wiki's Administrator (see the bottom of this page for their contact details).</p>"));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -89,7 +89,7 @@ register_module([
|
|||
if(!empty($pageindex->$newPage->redirect))
|
||||
$redirectUrl .= "&redirect=no";
|
||||
if(strlen($hashCode) > 0)
|
||||
$redirectUrl .= "#$hashCode";
|
||||
$redirectUrl .= "#".htmlentities($hashCode);
|
||||
|
||||
// Support absolute redirect URLs
|
||||
if(isset($pageindex->$page->redirect_absolute) && $pageindex->$page->redirect_absolute === true)
|
||||
|
|
@ -107,8 +107,8 @@ register_module([
|
|||
if(!$env->is_history_revision)
|
||||
$content .= "<h1>$env->page</h1>\n";
|
||||
else {
|
||||
$content .= "<h1>Revision #{$env->history->revision_number} of $env->page</h1>\n";
|
||||
$content .= "<p class='system-text-insert revision-note'><em>(Revision saved by {$env->history->revision_data->editor} " . render_timestamp($env->history->revision_data->timestamp) . ". <a href='?page=" . rawurlencode($env->page) . "'>Jump to the current revision</a> or see a <a href='?action=history&page=" . rawurlencode($env->page) . "'>list of all revisions</a> for this page.)</em></p>\n";
|
||||
$content .= "<h1>Revision #{$env->history->revision_number} of $env->page_safe</h1>\n";
|
||||
$content .= "<p class='system-text-insert revision-note'><em>(Revision saved by ".htmlentities($env->history->revision_data->editor)." " . render_timestamp($env->history->revision_data->timestamp) . ". <a href='?page=" . rawurlencode($env->page) . "'>Jump to the current revision</a> or see a <a href='?action=history&page=" . rawurlencode($env->page) . "'>list of all revisions</a> for this page.)</em></p>\n";
|
||||
}
|
||||
|
||||
// Add a visit parent page link if we're a subpage
|
||||
|
|
@ -117,7 +117,7 @@ register_module([
|
|||
|
||||
// Add an extra message if the requester was redirected from another page
|
||||
if(isset($_GET["redirected_from"]))
|
||||
$content .= "<p class='system-text-insert'><em>Redirected from <a href='?page=" . rawurlencode($_GET["redirected_from"]) . "&redirect=no'>" . $_GET["redirected_from"] . "</a>.</em></p>\n";
|
||||
$content .= "<p class='system-text-insert'><em>Redirected from <a href='?page=" . rawurlencode($_GET["redirected_from"]) . "&redirect=no'>" . htmlentities($_GET["redirected_from"]) . "</a>.</em></p>\n";
|
||||
|
||||
$parsing_start = microtime(true);
|
||||
|
||||
|
|
@ -127,7 +127,7 @@ register_module([
|
|||
if(!empty($pageindex->$page->tags)) {
|
||||
$content .= "<ul class='page-tags-display'>\n";
|
||||
foreach($pageindex->$page->tags as $tag)
|
||||
$content .= "<li><a href='?action=list-tags&tag=" . rawurlencode($tag) . "'>$tag</a></li>\n";
|
||||
$content .= "<li><a href='?action=list-tags&tag=" . rawurlencode($tag) . "'>".htmlentities($tag)."</a></li>\n";
|
||||
$content .= "\n</ul>\n";
|
||||
}
|
||||
/*else
|
||||
|
|
@ -143,7 +143,7 @@ register_module([
|
|||
$content .= "Subpages: ";
|
||||
foreach($subpages as $subpage => $times_removed) {
|
||||
if($times_removed <= $settings->subpages_display_depth) {
|
||||
$content .= "<a href='?action=view&page=" . rawurlencode($subpage) . "'>$subpage</a>, ";
|
||||
$content .= "<a href='?action=view&page=" . rawurlencode($subpage) . "'>".htmlentities($subpage)."</a>, ";
|
||||
}
|
||||
}
|
||||
// Remove the last comma from the content
|
||||
|
|
@ -159,7 +159,7 @@ register_module([
|
|||
time() - $pageindex->{$env->page}->lastmodified < $settings->delayed_indexing_time)
|
||||
header("x-robots-tag: noindex");
|
||||
|
||||
$settings->footer_message = "$env->page was last edited by {$pageindex->{$env->page}->lasteditor} at " . date('h:ia T \o\n j F Y', $pageindex->{$env->page}->lastmodified) . ".</p>\n<p>" . $settings->footer_message; // Add the last edited time to the footer
|
||||
$settings->footer_message = "$env->page_safe was last edited by {$pageindex->{$env->page}->lasteditor} at " . date('h:ia T \o\n j F Y', $pageindex->{$env->page}->lastmodified) . ".</p>\n<p>" . $settings->footer_message; // Add the last edited time to the footer
|
||||
|
||||
$mode = isset($_GET["mode"]) ? strtolower(trim($_GET["mode"])) : "normal";
|
||||
switch($mode) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue