Starbeamrainbowlabs
2844a47f9f
feature-user-table: fix potential obscure XSS attack
2021-09-03 01:08:27 +01:00
Starbeamrainbowlabs
2d6bf1df70
feature-user-preferences: fix potential xss vulnerabilities
2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs
1f51bf31c6
Add new file formats to the list of allowed formats for uploaded files:
image/avif
image/jxl
Also, lesser known image formats:
image/heif image/heic
2021-09-03 00:52:01 +01:00
Starbeamrainbowlabs
227a7ac662
feature-upload: fix potential XSS attacks
2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs
4a00a404e1
Update changelog
2021-09-03 00:28:20 +01:00
Starbeamrainbowlabs
6dd3e52a9c
feature-theme-gallery: fill in help text
2021-09-03 00:26:55 +01:00
Starbeamrainbowlabs
538f899018
feature-stats: minor admindetails_name issue
2021-09-03 00:14:53 +01:00
Starbeamrainbowlabs
39af83caf9
page-renderer: use htmlentities on admindetails_name
This is NOT to fix a security issue - rather to allow the admin's name
to contain special characters. Note that the admin's name can only be
changed either in peppermint.json or via the admin settings panel (which
only admins can access). If you're worried about admins serving
arbitrary HTML, then Pepperminty Wiki is not for you because they could
serve a random static HTML file that they've uploaded to their web
server for instance.
2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs
98485e7bd2
feature-search: fix potential XSS
2021-09-03 00:00:49 +01:00
Starbeamrainbowlabs
738715af43
core | render_pagename, render_username: fix potential authenticated XSS attack
2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs
d977d594e6
feature-recent-changes: fix typo
2021-09-02 23:02:01 +01:00
Starbeamrainbowlabs
0ff5ab20ec
feature-interwiki-links: fix potential XSS attack
2021-09-02 23:00:50 +01:00
Starbeamrainbowlabs
b5b38166ac
feature-history: fix potential XSS attack
2021-09-02 22:58:19 +01:00
Starbeamrainbowlabs
3f61c9eac0
feature-guiconfig: fix potential obscure XSS
2021-09-02 22:53:59 +01:00
Starbeamrainbowlabs
80f77a93b5
feature-comments: fix potential XSS
2021-09-02 22:50:00 +01:00
Starbeamrainbowlabs
a1259ec8d9
action-random: use new slugify() function
2021-09-02 22:39:10 +01:00
Starbeamrainbowlabs
bacfc11723
fixup
2021-09-02 22:29:48 +01:00
Starbeamrainbowlabs
51be347000
action-protect: fix
2021-09-02 22:29:39 +01:00
Starbeamrainbowlabs
d5ef65ce01
Update changelog
2021-09-02 21:35:12 +01:00
Starbeamrainbowlabs
f400da6dce
Page renderer: Automatically run htmlentities() on all titles
2021-09-02 21:34:40 +01:00
Starbeamrainbowlabs
e0f65c2e65
action-hash: fix potential XSS in string GET param
2021-09-02 21:27:26 +01:00
Starbeamrainbowlabs
b6fc5941b7
feature-watchlist: fix format GET parameter
2021-09-02 21:23:31 +01:00
Starbeamrainbowlabs
4fdbd9a427
Update changelog
2021-09-02 21:22:03 +01:00
Starbeamrainbowlabs
dfe76d1d9b
feature-watchlist: Fix Potential XSS in do GET parameter
2021-09-02 21:21:17 +01:00
Starbeamrainbowlabs
96546184dc
Implement simple slugify function
I suspect I may have to fix a number of issues here.....
2021-09-02 21:19:31 +01:00
Starbeamrainbowlabs
473e8e1fc9
Update changelog
2021-09-02 21:08:53 +01:00
Starbeamrainbowlabs
7f48302f1a
Bugfix: Fix XSS via action GET parameter.
Ref CVE-2021-38601
Seriously, don't make public GitHub repos before contacting me!
https://github.com/hmaverickadams/CVE-2021-38601
2021-09-02 21:08:01 +01:00
Starbeamrainbowlabs
5dbca32844
Merge branch 'master' of github.com:sbrl/Pepperminty-Wiki
2021-09-02 20:58:36 +01:00
Starbeamrainbowlabs
0a77065c3f
Bugfix: Fix stored XSS attack - ref CVE-2021-38600
See https://github.com/hmaverickadams/CVE-2021-38600
For some reason the author did not think it wise to let me know
privately first - instead publicly announcing it via a GitHub repo.....
sigh.
In addition, is this *really* a vulnerability? Since Pepperminty Wiki
requires the site secret to set it up, I can't see that this has a real
impact.
Still, I'll fix it anyway.....
2021-09-02 20:54:06 +01:00
Starbeamrainbowlabs
b7e00d6676
Merge pull request #223 from sbrl/dependabot/npm_and_yarn/color-string-1.6.0
build(deps): bump color-string from 1.5.3 to 1.6.0
2021-09-02 20:37:28 +01:00
dependabot[bot]
b98bb04291
build(deps): bump color-string from 1.5.3 to 1.6.0
Bumps [color-string](https://github.com/Qix-/color-string) from 1.5.3 to 1.6.0.
- [Release notes](https://github.com/Qix-/color-string/releases)
- [Changelog](https://github.com/Qix-/color-string/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Qix-/color-string/commits/1.6.0)
---
updated-dependencies:
- dependency-name: color-string
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-15 20:46:39 +00:00
Starbeamrainbowlabs
fab1b52882
Bugfix: fix error handling logic
2021-08-15 21:46:19 +01:00
Starbeamrainbowlabs
ba70f74a96
Added automatic system requirements indicator to first run
2021-08-06 01:50:08 +01:00
Starbeamrainbowlabs
e7b3f5e0d0
feature-upload: add function / class existence checks where functions from php extensions are required
2021-08-06 01:49:59 +01:00
Starbeamrainbowlabs
fb9eec2d33
Fix & improve sidebar
2021-07-21 00:44:31 +01:00
Starbeamrainbowlabs
83012a1416
Prefix default value of logo_url with https:
...apparently some browsers don't see //example.com as a valid URL
2021-07-21 00:19:26 +01:00
Starbeamrainbowlabs
86206195b6
Fix crash when using the search bar in recent versions of php
2021-07-20 23:54:56 +01:00
Starbeamrainbowlabs
440b4e9cda
Add sidebar_show to the settings GUI & the configuration guide
2021-07-20 23:22:44 +01:00
Starbeamrainbowlabs
2e54a8a4d5
Improve resilience and error output if the PHP Zip extension is not installed on first run
2021-07-20 23:15:48 +01:00
Starbeamrainbowlabs
256d6a59e6
Merge branch 'master' of github.com:sbrl/Pepperminty-Wiki
2021-06-10 20:12:02 +01:00
Starbeamrainbowlabs
0c9934038c
feature-cli: fix typo
2021-06-10 20:11:53 +01:00
Starbeamrainbowlabs
45a03874b4
Merge pull request #220 from sbrl/dependabot/npm_and_yarn/lodash-4.17.21
build(deps): bump lodash from 4.17.19 to 4.17.21
2021-05-09 20:02:56 +01:00
dependabot[bot]
f84f318b1c
build(deps): bump lodash from 4.17.19 to 4.17.21
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21)
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-07 23:17:40 +00:00
Starbeamrainbowlabs
351b24eb48
README: Linkify liberapay profile
2021-04-25 17:31:08 +01:00
Starbeamrainbowlabs
03c7d941e6
fix changelog
2021-04-11 21:49:44 +01:00
Starbeamrainbowlabs
26f5838ce0
Add experimental [display text](./Page Name.md) style internal links
This is transparently handled by a wrapper around inlineLink, which
conditionally bails by returning the parent if parsing fails. It then
~~ab~~uses inlineInternalLink to provide proper internal link support.
Fixes #190.
2021-04-11 21:47:41 +01:00
Starbeamrainbowlabs
ffe1d37d4b
docs: clarify system requirements
2021-02-10 22:19:36 +00:00
Starbeamrainbowlabs
77880d9410
search: properly apply weightings in titles and tags
2021-02-10 22:17:38 +00:00
Starbeamrainbowlabs
b2a783e903
core: Support setting page through either GET or POST
Fixes #217.
2020-11-20 21:25:47 +00:00
Starbeamrainbowlabs
e76eaf5963
feature-stats: bump version
2020-11-20 21:20:05 +00:00