sbrl-github/Pepperminty-Wiki
sbrl-github
/
Pepperminty-Wiki
mirror of https://github.com/sbrl/Pepperminty-Wiki.git
1
0
Fork 0
Code
1,863 Commits 5 Branches 62 Tags 9.2 MiB
Commit Graph

1863 Commits

Author SHA1 Message Date
Starbeamrainbowlabs fef9102393
page-move: htmlentities & returnto support in login URLs 2021-09-03 01:41:51 +01:00
Starbeamrainbowlabs c0c2bd7f6a
page-login: minor htmlentities for breakfast, lunch, and tea 2021-09-03 01:37:11 +01:00
Starbeamrainbowlabs e2517c0b20
page-list: Yep, you guessed it! XSS again..... 2021-09-03 01:34:38 +01:00
Starbeamrainbowlabs 7aaded1f40
page-help: Add formats to data size bar on ?action=help&dev=yes 2021-09-03 01:29:49 +01:00
Starbeamrainbowlabs 9bd69b1b01
page-export: XSS 2021-09-03 01:26:14 +01:00
Starbeamrainbowlabs 42ad55c849
page-edit: XSS 2021-09-03 01:23:42 +01:00
Starbeamrainbowlabs 3f286b4cda
page-delete: fix XSS 2021-09-03 01:16:29 +01:00
Starbeamrainbowlabs 54166c9b79
page-credits: htmlentities *everywhere* 2021-09-03 01:12:49 +01:00
Starbeamrainbowlabs 4dda12d195
feaature-watchlist: minor XSS improvements 2021-09-03 01:10:54 +01:00
Starbeamrainbowlabs 2844a47f9f
feature-user-table: fix potential obscure XSS attack 2021-09-03 01:08:27 +01:00
Starbeamrainbowlabs 2d6bf1df70
feature-user-preferences: fiix potential xss vulnerabilities 2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs 1f51bf31c6
Add new file formats to the list of allowed formats for uploaded files: 
image/avif
image/jxl

Also, lesser known image formats:

image/hief image/heic
 2021-09-03 00:52:01 +01:00
Starbeamrainbowlabs 227a7ac662
feature-upload: fix potential XSS attacks 2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs 4a00a404e1
Update changelog 2021-09-03 00:28:20 +01:00
Starbeamrainbowlabs 6dd3e52a9c
feature-theme-gallery: fill in help text 2021-09-03 00:26:55 +01:00
Starbeamrainbowlabs 538f899018
feturee-stats: minor admindetails_name issue 2021-09-03 00:14:53 +01:00
Starbeamrainbowlabs 39af83caf9
page-renderer: use htmlentities on admindetails_name 
This is NOT to fix a security issue - rather to allow the admin's name 
to contain special characters. Note that the admin's name can only be 
changed either in peppermint.json or via the admin settings panel (which 
only admins can access). If you're worries about admins serving 
arbitrary HTML, then Pepperminty Wiki is not for you because they could 
serve a random static HTML file that they've uploaded to their web 
server for instance.
 2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs 98485e7bd2
feature-search: fix potential XSS 2021-09-03 00:00:49 +01:00
Starbeamrainbowlabs 738715af43
core | render_pagename, render_username: fix potential authenticated XSS attack 2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs d977d594e6
feture-recent-changes: fix typo 2021-09-02 23:02:01 +01:00
Starbeamrainbowlabs 0ff5ab20ec
feature-interwiki-links: fix potential XSS attack 2021-09-02 23:00:50 +01:00
Starbeamrainbowlabs b5b38166ac
feature-history: fix potential XSS attack 2021-09-02 22:58:19 +01:00
Starbeamrainbowlabs 3f61c9eac0
feature-guiconfig: fix potential obscure XSS 2021-09-02 22:53:59 +01:00
Starbeamrainbowlabs 80f77a93b5
feature-comments: fix potential XSS 2021-09-02 22:50:00 +01:00
Starbeamrainbowlabs a1259ec8d9
action-random: use new slugify() function 2021-09-02 22:39:10 +01:00
Starbeamrainbowlabs bacfc11723
fixup 2021-09-02 22:29:48 +01:00
Starbeamrainbowlabs 51be347000
action-protect: fix 2021-09-02 22:29:39 +01:00
Starbeamrainbowlabs d5ef65ce01
Update changelog 2021-09-02 21:35:12 +01:00
Starbeamrainbowlabs f400da6dce
Page renderer: Automatically run htmlentities() on all titles 2021-09-02 21:34:40 +01:00
Starbeamrainbowlabs e0f65c2e65
action-hash: fix potential XSS in string GET param 2021-09-02 21:27:26 +01:00
Starbeamrainbowlabs b6fc5941b7
feature-watchlist: fix format GET parameter 2021-09-02 21:23:31 +01:00
Starbeamrainbowlabs 4fdbd9a427
Update changelog 2021-09-02 21:22:03 +01:00
Starbeamrainbowlabs dfe76d1d9b
feature-watchlist: Fix Potential XSS in do GET parameter 2021-09-02 21:21:17 +01:00
Starbeamrainbowlabs 96546184dc
Implement simple slugify function 
I suspect I may have to fix a number of issues here.....
 2021-09-02 21:19:31 +01:00
Starbeamrainbowlabs 473e8e1fc9
Update changelog 2021-09-02 21:08:53 +01:00
Starbeamrainbowlabs 7f48302f1a
Bugfix: Fix XSS via action GET parameter. 
Ref CVE-2021-38601

Serously, don't make public GitHub repos before contacting me!

https://github.com/hmaverickadams/CVE-2021-38601
 2021-09-02 21:08:01 +01:00
Starbeamrainbowlabs 5dbca32844
Merge branch 'master' of github.com:sbrl/Pepperminty-Wiki 2021-09-02 20:58:36 +01:00
Starbeamrainbowlabs 0a77065c3f
Bugfix: Fix stored XSS attack - ref CVE-2021-38600 
See https://github.com/hmaverickadams/CVE-2021-38600

For some reason the author did not think ti wise to let me know 
privately first - instead publicly announcing it via a GitHub repo..... 
sigh.

In addition, is this *really* a vulnerability? Since Pepperminty Wiki 
requires the site secret to set it up, I can't see that this has a real 
impact.

Still, I'll fix it anyway.....
 2021-09-02 20:54:06 +01:00
Starbeamrainbowlabs b7e00d6676
Merge pull request #223 from sbrl/dependabot/npm_and_yarn/color-string-1.6.0 
build(deps): bump color-string from 1.5.3 to 1.6.0
 2021-09-02 20:37:28 +01:00
dependabot[bot] b98bb04291
build(deps): bump color-string from 1.5.3 to 1.6.0 
Bumps [color-string](https://github.com/Qix-/color-string) from 1.5.3 to 1.6.0.
- [Release notes](https://github.com/Qix-/color-string/releases)
- [Changelog](https://github.com/Qix-/color-string/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Qix-/color-string/commits/1.6.0)

---
updated-dependencies:
- dependency-name: color-string
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-08-15 20:46:39 +00:00
Starbeamrainbowlabs fab1b52882
Bugfix: fix error handling logic 2021-08-15 21:46:19 +01:00
Starbeamrainbowlabs ba70f74a96
Added automatic system requirements indicator to first run 2021-08-06 01:50:08 +01:00
Starbeamrainbowlabs e7b3f5e0d0
feature-upload: add function / class existence checks where functions from php extensions are required 2021-08-06 01:49:59 +01:00
Starbeamrainbowlabs fb9eec2d33
Fix & improve sidebar 2021-07-21 00:44:31 +01:00
Starbeamrainbowlabs 83012a1416
Prefix default value of logo_url with https: 
...apparently some browsers don't see //example.com as a valid URL
 2021-07-21 00:19:26 +01:00
Starbeamrainbowlabs 86206195b6
Fix crash when using the search bar in recent versions of php 2021-07-20 23:54:56 +01:00
Starbeamrainbowlabs 440b4e9cda
Add sidebar_show to the settings GUI & the configuration guide 2021-07-20 23:22:44 +01:00
Starbeamrainbowlabs 2e54a8a4d5
Improve resilience and error output if the PHP Zip extension is not installed on first run 2021-07-20 23:15:48 +01:00
Starbeamrainbowlabs 256d6a59e6
Merge branch 'master' of github.com:sbrl/Pepperminty-Wiki 2021-06-10 20:12:02 +01:00
Starbeamrainbowlabs 0c9934038c
feature-cli: fix typo 2021-06-10 20:11:53 +01:00