page-view: XSS again again again
This commit is contained in:
parent
fef9102393
commit
de4536e173
2 changed files with 10 additions and 10 deletions
|
@ -523,7 +523,7 @@ class page_renderer
|
||||||
$result = "";
|
$result = "";
|
||||||
$result .= "<a href='?page=" . rawurlencode(get_user_pagename($name)) . "'>";
|
$result .= "<a href='?page=" . rawurlencode(get_user_pagename($name)) . "'>";
|
||||||
if($settings->avatars_show)
|
if($settings->avatars_show)
|
||||||
$result .= "<img class='avatar' aria-hidden='true' src='?action=avatar&user=" . urlencode($name) . "&size=$settings->avatars_size' /> ";
|
$result .= "<img class='avatar' aria-hidden='true' src='?action=avatar&user=" . rawurlencode($name) . "&size=$settings->avatars_size' /> ";
|
||||||
if(in_array($name, $settings->admins))
|
if(in_array($name, $settings->admins))
|
||||||
$result .= $settings->admindisplaychar;
|
$result .= $settings->admindisplaychar;
|
||||||
$result .= htmlentities($name);
|
$result .= htmlentities($name);
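Review bot: `$settings->avatars_size` on the avatar `<img>` line and `$settings->admindisplaychar` two lines below are still interpolated into the markup unescaped, while `$name` on either side of them now goes through rawurlencode() and htmlentities(). Both values come from configuration rather than the request, so only whoever controls the settings can abuse them, but for an integer-valued size `(int)$settings->avatars_size` would close the question outright, and the bare `&` separators in the `src` and `href` attributes should be written `&amp;` to be valid HTML; whether admindisplaychar is meant to carry markup is not visible here. The urlencode→rawurlencode swap itself only changes how spaces are encoded (`+` versus `%20`) — both functions already percent-encode the quote and angle-bracket characters that matter inside a single-quoted attribute. The enclosing page_renderer method starts and ends outside this hunk.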
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
register_module([
|
register_module([
|
||||||
"name" => "Page viewer",
|
"name" => "Page viewer",
|
||||||
"version" => "0.16.10",
|
"version" => "0.16.11",
|
||||||
"author" => "Starbeamrainbowlabs",
|
"author" => "Starbeamrainbowlabs",
|
||||||
"description" => "Allows you to view pages. You really should include this one.",
|
"description" => "Allows you to view pages. You really should include this one.",
|
||||||
"id" => "page-view",
|
"id" => "page-view",
|
||||||
|
@ -53,7 +53,7 @@ register_module([
|
||||||
} else {
|
} else {
|
||||||
// Editing is disabled, show an error message
|
// Editing is disabled, show an error message
|
||||||
http_response_code(404);
|
http_response_code(404);
|
||||||
exit(page_renderer::render_main("404: Page not found - $env->page - $settings->sitename", "<p>$env->page does not exist.</p><p>Since editing is currently disabled on this wiki, you may not create this page. If you feel that this page should exist, try contacting this wiki's Administrator.</p>"));
|
exit(page_renderer::render_main("404: Page not found - $env->page - $settings->sitename", "<p>$env->page_safe does not exist.</p><p>Since editing is currently disabled on this wiki, you may not create this page. If you feel that this page should exist, try contacting this wiki's Administrator (see the bottom of this page for their contact details).</p>"));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ register_module([
|
||||||
if(!empty($pageindex->$newPage->redirect))
|
if(!empty($pageindex->$newPage->redirect))
|
||||||
$redirectUrl .= "&redirect=no";
|
$redirectUrl .= "&redirect=no";
|
||||||
if(strlen($hashCode) > 0)
|
if(strlen($hashCode) > 0)
|
||||||
$redirectUrl .= "#$hashCode";
|
$redirectUrl .= "#".htmlentities($hashCode);
|
||||||
|
|
||||||
// Support absolute redirect URLs
|
// Support absolute redirect URLs
|
||||||
if(isset($pageindex->$page->redirect_absolute) && $pageindex->$page->redirect_absolute === true)
|
if(isset($pageindex->$page->redirect_absolute) && $pageindex->$page->redirect_absolute === true)
|
||||||
|
@ -107,8 +107,8 @@ register_module([
|
||||||
if(!$env->is_history_revision)
|
if(!$env->is_history_revision)
|
||||||
$content .= "<h1>$env->page</h1>\n";
|
$content .= "<h1>$env->page</h1>\n";
|
||||||
else {
|
else {
|
||||||
$content .= "<h1>Revision #{$env->history->revision_number} of $env->page</h1>\n";
|
$content .= "<h1>Revision #{$env->history->revision_number} of $env->page_safe</h1>\n";
|
||||||
$content .= "<p class='system-text-insert revision-note'><em>(Revision saved by {$env->history->revision_data->editor} " . render_timestamp($env->history->revision_data->timestamp) . ". <a href='?page=" . rawurlencode($env->page) . "'>Jump to the current revision</a> or see a <a href='?action=history&page=" . rawurlencode($env->page) . "'>list of all revisions</a> for this page.)</em></p>\n";
|
$content .= "<p class='system-text-insert revision-note'><em>(Revision saved by ".htmlentities($env->history->revision_data->editor)." " . render_timestamp($env->history->revision_data->timestamp) . ". <a href='?page=" . rawurlencode($env->page) . "'>Jump to the current revision</a> or see a <a href='?action=history&page=" . rawurlencode($env->page) . "'>list of all revisions</a> for this page.)</em></p>\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add a visit parent page link if we're a subpage
|
// Add a visit parent page link if we're a subpage
|
||||||
|
@ -117,7 +117,7 @@ register_module([
|
||||||
|
|
||||||
// Add an extra message if the requester was redirected from another page
|
// Add an extra message if the requester was redirected from another page
|
||||||
if(isset($_GET["redirected_from"]))
|
if(isset($_GET["redirected_from"]))
|
||||||
$content .= "<p class='system-text-insert'><em>Redirected from <a href='?page=" . rawurlencode($_GET["redirected_from"]) . "&redirect=no'>" . $_GET["redirected_from"] . "</a>.</em></p>\n";
|
$content .= "<p class='system-text-insert'><em>Redirected from <a href='?page=" . rawurlencode($_GET["redirected_from"]) . "&redirect=no'>" . htmlentities($_GET["redirected_from"]) . "</a>.</em></p>\n";
|
||||||
|
|
||||||
$parsing_start = microtime(true);
|
$parsing_start = microtime(true);
|
||||||
|
|
||||||
|
@ -127,7 +127,7 @@ register_module([
|
||||||
if(!empty($pageindex->$page->tags)) {
|
if(!empty($pageindex->$page->tags)) {
|
||||||
$content .= "<ul class='page-tags-display'>\n";
|
$content .= "<ul class='page-tags-display'>\n";
|
||||||
foreach($pageindex->$page->tags as $tag)
|
foreach($pageindex->$page->tags as $tag)
|
||||||
$content .= "<li><a href='?action=list-tags&tag=" . rawurlencode($tag) . "'>$tag</a></li>\n";
|
$content .= "<li><a href='?action=list-tags&tag=" . rawurlencode($tag) . "'>".htmlentities($tag)."</a></li>\n";
|
||||||
$content .= "\n</ul>\n";
|
$content .= "\n</ul>\n";
|
||||||
}
|
}
|
||||||
/*else
|
/*else
|
||||||
|
@ -143,7 +143,7 @@ register_module([
|
||||||
$content .= "Subpages: ";
|
$content .= "Subpages: ";
|
||||||
foreach($subpages as $subpage => $times_removed) {
|
foreach($subpages as $subpage => $times_removed) {
|
||||||
if($times_removed <= $settings->subpages_display_depth) {
|
if($times_removed <= $settings->subpages_display_depth) {
|
||||||
$content .= "<a href='?action=view&page=" . rawurlencode($subpage) . "'>$subpage</a>, ";
|
$content .= "<a href='?action=view&page=" . rawurlencode($subpage) . "'>".htmlentities($subpage)."</a>, ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// Remove the last comma from the content
|
// Remove the last comma from the content
|
||||||
|
@ -159,7 +159,7 @@ register_module([
|
||||||
time() - $pageindex->{$env->page}->lastmodified < $settings->delayed_indexing_time)
|
time() - $pageindex->{$env->page}->lastmodified < $settings->delayed_indexing_time)
|
||||||
header("x-robots-tag: noindex");
|
header("x-robots-tag: noindex");
|
||||||
|
|
||||||
$settings->footer_message = "$env->page was last edited by {$pageindex->{$env->page}->lasteditor} at " . date('h:ia T \o\n j F Y', $pageindex->{$env->page}->lastmodified) . ".</p>\n<p>" . $settings->footer_message; // Add the last edited time to the footer
|
$settings->footer_message = "$env->page_safe was last edited by {$pageindex->{$env->page}->lasteditor} at " . date('h:ia T \o\n j F Y', $pageindex->{$env->page}->lastmodified) . ".</p>\n<p>" . $settings->footer_message; // Add the last edited time to the footer
|
||||||
|
|
||||||
$mode = isset($_GET["mode"]) ? strtolower(trim($_GET["mode"])) : "normal";
|
$mode = isset($_GET["mode"]) ? strtolower(trim($_GET["mode"])) : "normal";
|
||||||
switch($mode) {
|
switch($mode) {
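Review bot: In the `is_history_revision` if/else, the non-history `<h1>` still interpolates `$env->page` raw while the history branch on the next line now uses `$env->page_safe`, so the current-revision heading is left with the exact injection this commit removes for revisions; `$content .= "<h1>$env->page_safe</h1>\n";` would bring the two branches into line. The same asymmetry remains in the footer hunk: `revision_data->editor` is now wrapped in htmlentities() but `{$pageindex->{$env->page}->lasteditor}` in `$settings->footer_message` is not, and both appear to be user names read from the same index. Separately, `htmlentities($hashCode)` applies HTML escaping to a value being appended to `$redirectUrl`; if that URL is later emitted as a Location header rather than rendered into markup (its use is outside these hunks), rawurlencode() is the applicable encoding and the entities would land literally in the fragment. The enclosing register_module() callback starts and ends outside these hunks.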
|
||||||
|
|