Starbeamrainbowlabs
2d6bf1df70
feature-user-preferences: fiix potential xss vulnerabilities
2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs
227a7ac662
feature-upload: fix potential XSS attacks
2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs
39af83caf9
page-renderer: use htmlentities on admindetails_name
...
This is NOT to fix a security issue - rather to allow the admin's name
to contain special characters. Note that the admin's name can only be
changed either in peppermint.json or via the admin settings panel (which
only admins can access). If you're worries about admins serving
arbitrary HTML, then Pepperminty Wiki is not for you because they could
serve a random static HTML file that they've uploaded to their web
server for instance.
2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs
738715af43
core | render_pagename, render_username: fix potential authenticated XSS attack
2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs
f400da6dce
Page renderer: Automatically run htmlentities() on all titles
2021-09-02 21:34:40 +01:00
Starbeamrainbowlabs
96546184dc
Implement simple slugify function
...
I suspect I may have to fix a number of issues here.....
2021-09-02 21:19:31 +01:00
Starbeamrainbowlabs
7f48302f1a
Bugfix: Fix XSS via action GET parameter.
...
Ref CVE-2021-38601
Serously, don't make public GitHub repos before contacting me!
https://github.com/hmaverickadams/CVE-2021-38601
2021-09-02 21:08:01 +01:00
Starbeamrainbowlabs
2e54a8a4d5
Improve resilience and error output if the PHP Zip extension is not installed on first run
2021-07-20 23:15:48 +01:00
Starbeamrainbowlabs
b2a783e903
core: Support setting page through either GET or POST
...
Fixes #217 .
2020-11-20 21:25:47 +00:00
Starbeamrainbowlabs
cfd087d919
Add MPL 2.0 short header to core code files
2020-09-23 23:22:39 +01:00
Starbeamrainbowlabs
0085ddf0c4
Don't emit custom css unless there's something to emit
2020-08-31 21:04:59 +01:00
Starbeamrainbowlabs
23998f60bf
Bugfix: correctly escape ampersands with htmlentities in URLs
2020-08-31 21:00:15 +01:00
Starbeamrainbowlabs
42971f573d
Bugfix: Fix invalid HTML generated by new hide_email() logic
2020-08-31 20:56:34 +01:00
Starbeamrainbowlabs
d9ddb504bf
Fix typo in the name of the didyoumean index (which is disabled by default).
...
Admins need to manually rename `didyoumeaninddex.sqlite` →
`didyoumeanindex.sqlite`
2020-08-18 15:41:14 +01:00
Starbeamrainbowlabs
3c5a407356
Really fix #205
2020-08-11 23:01:44 +01:00
Starbeamrainbowlabs
93bff09422
Update hide_email implementation
...
It now requires Javascript to decode the email address. If this is a
problem for whatever reason, please get in touch by opening an issue. I
take accessibility very seriously.
2020-08-09 23:53:29 +01:00
Starbeamrainbowlabs
e710d55883
makepathsafe: don't allow dots on their own
...
Specifically, we don't want a single dot as a page name. This is because
'.' has a special meaning on Linux: The current directory.
2020-08-09 13:03:40 +01:00
Starbeamrainbowlabs
5fed4cb5ab
Bugfixx: improve rebustness of new filepath_to_pagename and pageindex rebuilder
2020-08-08 22:18:12 +01:00
Starbeamrainbowlabs
c0fa5b8ae4
Finish improvements to pageindex rebuilder
...
also squash warning from stats engine during the firstrun wizard
2020-08-08 22:01:12 +01:00
Starbeamrainbowlabs
62a3ea9d1e
Start working on intelligently finding history revisions, but it isn't finished yet.
...
Note that this commit does **not** build. I'm in the middle of something
- please build the previous commit instead until I'm finished :P
2020-08-08 02:15:08 +01:00
Starbeamrainbowlabs
6e7ff16041
For #204 : Implement initial (untested!) page history algorithm.
...
TODO: Search for existing page history revisions
2020-08-08 02:07:35 +01:00
Starbeamrainbowlabs
75c15d66b2
page-move: Ensure that the new subpage actually exists - fixes #201
2020-08-06 15:47:41 +01:00
Starbeamrainbowlabs
607c9f8529
minify_css: minor improvements
...
", " -> ","
"0." -> "."
2020-07-28 21:46:00 +01:00
Starbeamrainbowlabs
3652c20662
Fix $env->is_secure detection
2020-07-28 19:51:56 +01:00
Starbeamrainbowlabs
1ec1705a62
Standardise error_log prefixes to aid clarity in multi-wiki environments
2020-07-28 19:42:41 +01:00
Starbeamrainbowlabs
7d93aa6a10
Overhaul the way we use setcookie()
...
- Use SameSite=Strict to avoid issues in modern browsers & prevent
session-stealing attacks
- Use Secure when requests run over HTTPS by default to avoid
downgrade-based session-stealing attacks
- Add warning for PHP <= 7.2, as it doesn't support SameSite in
setcookie().
2020-07-28 19:40:22 +01:00
Starbeamrainbowlabs
45c2fa56cd
Add more type hints, and fail to get Server-Timing working.
...
Note to self: If we do end up implementing it, remember that
$env->perfdata does containsensitive information sometimes, so we might
need to revise our approach a bit (e.g. only sending it to authenticated
admins)
2020-07-28 02:10:28 +01:00
Starbeamrainbowlabs
1813fe73e2
Add absolute redirects
2020-07-07 21:10:38 +01:00
Starbeamrainbowlabs
093b405182
Add meta theme-color support
2020-05-24 01:59:05 +01:00
Starbeamrainbowlabs
f632c0907c
Integrate didyoumean into the main search engine, but it's crashing.
...
We're getting there though!
2020-03-15 17:54:27 +00:00
Starbeamrainbowlabs
fa81f0df25
Implement basic Pepperminty Wiki CLI & shell :D
...
The BkTree tester gave me the idea.
No longer will you have to hope that search indexing will complete in
time and adjust the maximum execution time for larger wikis..... when
that's implemented.
2020-03-10 01:47:40 +00:00
Starbeamrainbowlabs
1d540d3d8a
Send content-type: text/plain when erroring out 'cause we can't write to disk
2020-02-04 01:23:44 +00:00
Starbeamrainbowlabs
0be001990f
Bugfix: fix new url_stem() function
2020-01-05 21:07:59 +00:00
Starbeamrainbowlabs
b4c0782e58
bool -> boolean
2020-01-05 20:59:21 +00:00
Starbeamrainbowlabs
322f956a9f
Add url_stem() & email address verification system
2020-01-05 20:49:20 +00:00
Starbeamrainbowlabs
7548c1e7ee
Bugfix: Fix alt + enter search box submit failing with allow popups message
2019-12-23 20:52:48 +00:00
Starbeamrainbowlabs
86a9828565
Improve render_timestamp()
2019-12-23 18:30:06 +00:00
Starbeamrainbowlabs
1686ee33d3
Add new email_debug_dontsend setting
2019-12-23 17:53:46 +00:00
Starbeamrainbowlabs
1602fab2c3
Correctly handle utf-8 in email_user()
2019-12-23 17:39:18 +00:00
Starbeamrainbowlabs
ead1663849
pageindex: Unset stray global
2019-12-23 15:42:40 +00:00
Starbeamrainbowlabs
f02e486580
Tweak peppermint.josn access check message again
2019-12-22 14:32:46 +00:00
Starbeamrainbowlabs
23f526baaa
Bugfix: Avoid inadvertent link loop for bots on login page
2019-12-19 15:36:41 +00:00
Starbeamrainbowlabs
d3e83a0aea
page_renderer: Don't generate the page list for the datalist if it's not displayed
2019-12-08 20:27:20 +00:00
Starbeamrainbowlabs
1ef86f117c
Bugfix: Make errorimage() multibyte-safe
2019-10-22 21:44:20 +01:00
Starbeamrainbowlabs
6d19af2e1b
Refactor errorimage into core & greatly improve it
2019-10-20 21:42:13 +01:00
Starbeamrainbowlabs
6213a6e715
Refactor login code a bit to reduce nesting
2019-10-07 18:19:48 +01:00
Starbeamrainbowlabs
f543321304
Bugfix: Correct CSS rendering
2019-09-29 16:10:58 +01:00
Starbeamrainbowlabs
e91852ca68
Finish implementing $settings->css_custom
2019-09-29 16:09:27 +01:00
Starbeamrainbowlabs
6120fa8842
Refactor css minification code out into own function
2019-09-29 15:54:40 +01:00
Starbeamrainbowlabs
3ab0d6dba2
Use tempnam() instead of tmpfile() when unpacking extra data
...
It seems that some people were experiencing some strange issues with
stream_get_meta_data($handle)["uri"] - hrm 🤔
2019-09-11 23:44:59 +01:00