Commit Graph

1785 Commits

Author SHA1 Message Date
Starbeamrainbowlabs 2e1e1d0535
100-run: fix XSS when action is not found 2021-09-25 11:42:07 +01:00
Starbeamrainbowlabs 978da55e00
Update changelog 2021-09-21 14:10:02 +01:00
Starbeamrainbowlabs 7b6cbbe821
feature-upload: ensure that Javascript in SVG images does not execute
My first time using Content-Security-Policy. Yay!

It's real powerful, but I have yet to find a good generator to help me 
create more complex policies. In this case, the policy allows everything 
by default, but disables all Javascript.

This new Content-Security-Policy header is served for all image 
previews.
2021-09-21 14:04:42 +01:00
Starbeamrainbowlabs f59e68127c
Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome) 2021-09-21 13:40:12 +01:00
Starbeamrainbowlabs 4be6a181cb
Bugfix: XSS in format GET param of stats action 2021-09-21 13:29:27 +01:00
Starbeamrainbowlabs bca154859c
Apparently security researchers have a big problem with reading. 2021-09-20 01:05:26 +01:00
Starbeamrainbowlabs 05555e7d55
Changelog: fix heading indents 2021-09-15 14:42:50 +01:00
Starbeamrainbowlabs 874f703c39
Bugfix build.sh: fix shellcheck error 2021-09-11 01:14:28 +01:00
Starbeamrainbowlabs a3c0f04668
README: Add explicit security section 2021-09-05 15:58:09 +01:00
Starbeamrainbowlabs ae1842d064
docs: Add web server config snippet for Apache (thanks, @viradpt!) and Nginx 2021-09-03 21:12:36 +01:00
Starbeamrainbowlabs fd8703470d
docs/making a release: Add tweet template text 2021-09-03 02:37:56 +01:00
Starbeamrainbowlabs d84411b746
Bump version to v0.24-dev 2021-09-03 02:34:50 +01:00
Starbeamrainbowlabs 6b9dfbcf68
Update changelog again 2021-09-03 02:26:47 +01:00
Starbeamrainbowlabs 51475b41b1
Update Changelog 2021-09-03 02:25:58 +01:00
Starbeamrainbowlabs 8e4afbc31c
build.sh: fix xargs warning 2021-09-03 02:07:47 +01:00
Starbeamrainbowlabs 07eed388bd
Bump version 2021-09-03 02:05:24 +01:00
Starbeamrainbowlabs 14eb9e0d41
fixup 2021-09-03 02:04:49 +01:00
Starbeamrainbowlabs edd1702ea3
page-sitemap: tweak description 2021-09-03 02:04:41 +01:00
Starbeamrainbowlabs ec0b556892
recent changes: fix broken character when displaying page moves 2021-09-03 02:01:24 +01:00
Starbeamrainbowlabs 525dbaa3e1
page history: fix username rendering 2021-09-03 02:01:07 +01:00
Starbeamrainbowlabs 0a950425e1
Bugfix: fix new slugify function 2021-09-03 01:55:05 +01:00
Starbeamrainbowlabs de4536e173
page-view: XSS again again again 2021-09-03 01:50:09 +01:00
Starbeamrainbowlabs fef9102393
page-move: htmlentities & returnto support in login URLs 2021-09-03 01:41:51 +01:00
Starbeamrainbowlabs c0c2bd7f6a
page-login: minor htmlentities for breakfast, lunch, and tea 2021-09-03 01:37:11 +01:00
Starbeamrainbowlabs e2517c0b20
page-list: Yep, you guessed it! XSS again..... 2021-09-03 01:34:38 +01:00
Starbeamrainbowlabs 7aaded1f40
page-help: Add formats to data size bar on ?action=help&dev=yes 2021-09-03 01:29:49 +01:00
Starbeamrainbowlabs 9bd69b1b01
page-export: XSS 2021-09-03 01:26:14 +01:00
Starbeamrainbowlabs 42ad55c849
page-edit: XSS 2021-09-03 01:23:42 +01:00
Starbeamrainbowlabs 3f286b4cda
page-delete: fix XSS 2021-09-03 01:16:29 +01:00
Starbeamrainbowlabs 54166c9b79
page-credits: htmlentities *everywhere* 2021-09-03 01:12:49 +01:00
Starbeamrainbowlabs 4dda12d195
feature-watchlist: minor XSS improvements 2021-09-03 01:10:54 +01:00
Starbeamrainbowlabs 2844a47f9f
feature-user-table: fix potential obscure XSS attack 2021-09-03 01:08:27 +01:00
Starbeamrainbowlabs 2d6bf1df70
feature-user-preferences: fix potential XSS vulnerabilities 2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs 1f51bf31c6
Add new file formats to the list of allowed formats for uploaded files:
image/avif
image/jxl

Also, lesser known image formats:

image/hief
image/heic
2021-09-03 00:52:01 +01:00
Starbeamrainbowlabs 227a7ac662
feature-upload: fix potential XSS attacks 2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs 4a00a404e1
Update changelog 2021-09-03 00:28:20 +01:00
Starbeamrainbowlabs 6dd3e52a9c
feature-theme-gallery: fill in help text 2021-09-03 00:26:55 +01:00
Starbeamrainbowlabs 538f899018
feature-stats: minor admindetails_name issue 2021-09-03 00:14:53 +01:00
Starbeamrainbowlabs 39af83caf9
page-renderer: use htmlentities on admindetails_name
This is NOT to fix a security issue - rather to allow the admin's name 
to contain special characters. Note that the admin's name can only be 
changed either in peppermint.json or via the admin settings panel (which 
only admins can access). If you're worried about admins serving 
arbitrary HTML, then Pepperminty Wiki is not for you because they could 
serve a random static HTML file that they've uploaded to their web 
server for instance.
2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs 98485e7bd2
feature-search: fix potential XSS 2021-09-03 00:00:49 +01:00
Starbeamrainbowlabs 738715af43
core | render_pagename, render_username: fix potential authenticated XSS attack 2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs d977d594e6
feature-recent-changes: fix typo 2021-09-02 23:02:01 +01:00
Starbeamrainbowlabs 0ff5ab20ec
feature-interwiki-links: fix potential XSS attack 2021-09-02 23:00:50 +01:00
Starbeamrainbowlabs b5b38166ac
feature-history: fix potential XSS attack 2021-09-02 22:58:19 +01:00
Starbeamrainbowlabs 3f61c9eac0
feature-guiconfig: fix potential obscure XSS 2021-09-02 22:53:59 +01:00
Starbeamrainbowlabs 80f77a93b5
feature-comments: fix potential XSS 2021-09-02 22:50:00 +01:00
Starbeamrainbowlabs a1259ec8d9
action-random: use new slugify() function 2021-09-02 22:39:10 +01:00
Starbeamrainbowlabs bacfc11723
fixup 2021-09-02 22:29:48 +01:00
Starbeamrainbowlabs 51be347000
action-protect: fix 2021-09-02 22:29:39 +01:00
Starbeamrainbowlabs d5ef65ce01
Update changelog 2021-09-02 21:35:12 +01:00