74 commits

Author	SHA1	Message	Date
Starbeamrainbowlabs	2d6bf1df70	feature-user-preferences: fiix potential xss vulnerabilities	2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs	227a7ac662	feature-upload: fix potential XSS attacks	2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs	39af83caf9	page-renderer: use htmlentities on admindetails_name ... This is NOT to fix a security issue - rather to allow the admin's name to contain special characters. Note that the admin's name can only be changed either in peppermint.json or via the admin settings panel (which only admins can access). If you're worries about admins serving arbitrary HTML, then Pepperminty Wiki is not for you because they could serve a random static HTML file that they've uploaded to their web server for instance.	2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs	738715af43	core | render_pagename, render_username: fix potential authenticated XSS attack	2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs	f400da6dce	Page renderer: Automatically run htmlentities() on all titles	2021-09-02 21:34:40 +01:00
Starbeamrainbowlabs	96546184dc	Implement simple slugify function ... I suspect I may have to fix a number of issues here.....	2021-09-02 21:19:31 +01:00
Starbeamrainbowlabs	7f48302f1a	Bugfix: Fix XSS via action GET parameter. ... Ref CVE-2021-38601 Serously, don't make public GitHub repos before contacting me! https://github.com/hmaverickadams/CVE-2021-38601	2021-09-02 21:08:01 +01:00
Starbeamrainbowlabs	2e54a8a4d5	Improve resilience and error output if the PHP Zip extension is not installed on first run	2021-07-20 23:15:48 +01:00
Starbeamrainbowlabs	b2a783e903	core: Support setting page through either GET or POST ... Fixes #217.	2020-11-20 21:25:47 +00:00
Starbeamrainbowlabs	cfd087d919	Add MPL 2.0 short header to core code files	2020-09-23 23:22:39 +01:00
Starbeamrainbowlabs	0085ddf0c4	Don't emit custom css unless there's something to emit	2020-08-31 21:04:59 +01:00
Starbeamrainbowlabs	23998f60bf	Bugfix: correctly escape ampersands with htmlentities in URLs	2020-08-31 21:00:15 +01:00
Starbeamrainbowlabs	42971f573d	Bugfix: Fix invalid HTML generated by new hide_email() logic	2020-08-31 20:56:34 +01:00
Starbeamrainbowlabs	d9ddb504bf	Fix typo in the name of the didyoumean index (which is disabled by default). ... Admins need to manually rename `didyoumeaninddex.sqlite` → `didyoumeanindex.sqlite`	2020-08-18 15:41:14 +01:00
Starbeamrainbowlabs	3c5a407356	Really fix #205	2020-08-11 23:01:44 +01:00
Starbeamrainbowlabs	93bff09422	Update hide_email implementation ... It now requires Javascript to decode the email address. If this is a problem for whatever reason, please get in touch by opening an issue. I take accessibility very seriously.	2020-08-09 23:53:29 +01:00
Starbeamrainbowlabs	e710d55883	makepathsafe: don't allow dots on their own ... Specifically, we don't want a single dot as a page name. This is because '.' has a special meaning on Linux: The current directory.	2020-08-09 13:03:40 +01:00
Starbeamrainbowlabs	5fed4cb5ab	Bugfixx: improve rebustness of new filepath_to_pagename and pageindex rebuilder	2020-08-08 22:18:12 +01:00
Starbeamrainbowlabs	c0fa5b8ae4	Finish improvements to pageindex rebuilder ... also squash warning from stats engine during the firstrun wizard	2020-08-08 22:01:12 +01:00
Starbeamrainbowlabs	62a3ea9d1e	Start working on intelligently finding history revisions, but it isn't finished yet. ... Note that this commit does **not** build. I'm in the middle of something - please build the previous commit instead until I'm finished :P	2020-08-08 02:15:08 +01:00
Starbeamrainbowlabs	6e7ff16041	For #204: Implement initial (untested!) page history algorithm. ... TODO: Search for existing page history revisions	2020-08-08 02:07:35 +01:00
Starbeamrainbowlabs	75c15d66b2	page-move: Ensure that the new subpage actually exists - fixes #201	2020-08-06 15:47:41 +01:00
Starbeamrainbowlabs	607c9f8529	minify_css: minor improvements ... ", " -> "," "0." -> "."	2020-07-28 21:46:00 +01:00
Starbeamrainbowlabs	3652c20662	Fix $env->is_secure detection	2020-07-28 19:51:56 +01:00
Starbeamrainbowlabs	1ec1705a62	Standardise error_log prefixes to aid clarity in multi-wiki environments	2020-07-28 19:42:41 +01:00
Starbeamrainbowlabs	7d93aa6a10	Overhaul the way we use setcookie() ... - Use SameSite=Strict to avoid issues in modern browsers & prevent session-stealing attacks - Use Secure when requests run over HTTPS by default to avoid downgrade-based session-stealing attacks - Add warning for PHP <= 7.2, as it doesn't support SameSite in setcookie().	2020-07-28 19:40:22 +01:00
Starbeamrainbowlabs	45c2fa56cd	Add more type hints, and fail to get Server-Timing working. ... Note to self: If we do end up implementing it, remember that $env->perfdata does containsensitive information sometimes, so we might need to revise our approach a bit (e.g. only sending it to authenticated admins)	2020-07-28 02:10:28 +01:00
Starbeamrainbowlabs	1813fe73e2	Add absolute redirects	2020-07-07 21:10:38 +01:00
Starbeamrainbowlabs	093b405182	Add meta theme-color support	2020-05-24 01:59:05 +01:00
Starbeamrainbowlabs	f632c0907c	Integrate didyoumean into the main search engine, but it's crashing. ... We're getting there though!	2020-03-15 17:54:27 +00:00
Starbeamrainbowlabs	fa81f0df25	Implement basic Pepperminty Wiki CLI & shell :D ... The BkTree tester gave me the idea. No longer will you have to hope that search indexing will complete in time and adjust the maximum execution time for larger wikis..... when that's implemented.	2020-03-10 01:47:40 +00:00
Starbeamrainbowlabs	1d540d3d8a	Send content-type: text/plain when erroring out 'cause we can't write to disk	2020-02-04 01:23:44 +00:00
Starbeamrainbowlabs	0be001990f	Bugfix: fix new url_stem() function	2020-01-05 21:07:59 +00:00
Starbeamrainbowlabs	b4c0782e58	bool -> boolean	2020-01-05 20:59:21 +00:00
Starbeamrainbowlabs	322f956a9f	Add url_stem() & email address verification system	2020-01-05 20:49:20 +00:00
Starbeamrainbowlabs	7548c1e7ee	Bugfix: Fix alt + enter search box submit failing with allow popups message	2019-12-23 20:52:48 +00:00
Starbeamrainbowlabs	86a9828565	Improve render_timestamp()	2019-12-23 18:30:06 +00:00
Starbeamrainbowlabs	1686ee33d3	Add new email_debug_dontsend setting	2019-12-23 17:53:46 +00:00
Starbeamrainbowlabs	1602fab2c3	Correctly handle utf-8 in email_user()	2019-12-23 17:39:18 +00:00
Starbeamrainbowlabs	ead1663849	pageindex: Unset stray global	2019-12-23 15:42:40 +00:00
Starbeamrainbowlabs	f02e486580	Tweak peppermint.josn access check message again	2019-12-22 14:32:46 +00:00
Starbeamrainbowlabs	23f526baaa	Bugfix: Avoid inadvertent link loop for bots on login page	2019-12-19 15:36:41 +00:00
Starbeamrainbowlabs	d3e83a0aea	page_renderer: Don't generate the page list for the datalist if it's not displayed	2019-12-08 20:27:20 +00:00
Starbeamrainbowlabs	1ef86f117c	Bugfix: Make errorimage() multibyte-safe	2019-10-22 21:44:20 +01:00
Starbeamrainbowlabs	6d19af2e1b	Refactor errorimage into core & greatly improve it	2019-10-20 21:42:13 +01:00
Starbeamrainbowlabs	6213a6e715	Refactor login code a bit to reduce nesting	2019-10-07 18:19:48 +01:00
Starbeamrainbowlabs	f543321304	Bugfix: Correct CSS rendering	2019-09-29 16:10:58 +01:00
Starbeamrainbowlabs	e91852ca68	Finish implementing $settings->css_custom	2019-09-29 16:09:27 +01:00
Starbeamrainbowlabs	6120fa8842	Refactor css minification code out into own function	2019-09-29 15:54:40 +01:00
Starbeamrainbowlabs	3ab0d6dba2	Use tempnam() instead of tmpfile() when unpacking extra data ... It seems that some people were experiencing some strange issues with stream_get_meta_data($handle)["uri"] - hrm 🤔	2019-09-11 23:44:59 +01:00