Pepperminty-Wiki

mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 16:33:00 +00:00

Author	SHA1	Message	Date
Starbeamrainbowlabs	fa407ce99d	login: regenerate sessiono token on login; make returnto sanitisation more intelligent	2021-09-27 21:32:39 +01:00
Starbeamrainbowlabs	4f3a1c3757	Display returnto URL above the login form if present to further mitigate CSRF issues	2021-09-27 20:51:12 +01:00
Starbeamrainbowlabs	2e1e1d0535	100-run: fix XSS when action is not found	2021-09-25 11:42:07 +01:00
Starbeamrainbowlabs	978da55e00	Update changelog	2021-09-21 14:10:02 +01:00
Starbeamrainbowlabs	7b6cbbe821	feature-upload: ensure that Javascript in SVG images does not execute My first time using Content-Security-Policy. Yay! It's real powerful, but I have yet to find a good generator to help me create more complex policies. In this case, the policy allows everything by default, but disables all Javascript. This new Content-Security-Policy header is served for all image previews.	2021-09-21 14:04:42 +01:00
Starbeamrainbowlabs	f59e68127c	Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)	2021-09-21 13:40:12 +01:00
Starbeamrainbowlabs	4be6a181cb	Bugfix: XSS in format GET param of stats action	2021-09-21 13:29:27 +01:00
Starbeamrainbowlabs	bca154859c	Apparently security researchers have a big problem with reading.	2021-09-20 01:05:26 +01:00
Starbeamrainbowlabs	05555e7d55	Changelog: fix heading indents	2021-09-15 14:42:50 +01:00
Starbeamrainbowlabs	874f703c39	Bugfix build.sh: fix shellcheck error	2021-09-11 01:14:28 +01:00
Starbeamrainbowlabs	a3c0f04668	README: Add explicit security section	2021-09-05 15:58:09 +01:00
Starbeamrainbowlabs	ae1842d064	docs: Add web server config snippet for Apache (thanks, @viradpt!) and Nginx	2021-09-03 21:12:36 +01:00
Starbeamrainbowlabs	fd8703470d	docs/making a release: Add tweet template text	2021-09-03 02:37:56 +01:00
Starbeamrainbowlabs	d84411b746	Bump version to v0.24-dev	2021-09-03 02:34:50 +01:00
Starbeamrainbowlabs	6b9dfbcf68	Update changelog again	2021-09-03 02:26:47 +01:00
Starbeamrainbowlabs	51475b41b1	Update Changelog	2021-09-03 02:25:58 +01:00
Starbeamrainbowlabs	8e4afbc31c	build.sh: fix xargs warning	2021-09-03 02:07:47 +01:00
Starbeamrainbowlabs	07eed388bd	Bump version	2021-09-03 02:05:24 +01:00
Starbeamrainbowlabs	14eb9e0d41	fixup	2021-09-03 02:04:49 +01:00
Starbeamrainbowlabs	edd1702ea3	page-sitemap: tweak description	2021-09-03 02:04:41 +01:00
Starbeamrainbowlabs	ec0b556892	recent changes: fix broken charactetr when displaying page moves	2021-09-03 02:01:24 +01:00
Starbeamrainbowlabs	525dbaa3e1	page history: fix username rendering	2021-09-03 02:01:07 +01:00
Starbeamrainbowlabs	0a950425e1	Bugfix: fix new slugify function	2021-09-03 01:55:05 +01:00
Starbeamrainbowlabs	de4536e173	page-view: XSS again again again	2021-09-03 01:50:09 +01:00
Starbeamrainbowlabs	fef9102393	page-move: htmlentities & returnto support in login URLs	2021-09-03 01:41:51 +01:00
Starbeamrainbowlabs	c0c2bd7f6a	page-login: minor htmlentities for breakfast, lunch, and tea	2021-09-03 01:37:11 +01:00
Starbeamrainbowlabs	e2517c0b20	page-list: Yep, you guessed it! XSS again.....	2021-09-03 01:34:38 +01:00
Starbeamrainbowlabs	7aaded1f40	page-help: Add formats to data size bar on ?action=help&dev=yes	2021-09-03 01:29:49 +01:00
Starbeamrainbowlabs	9bd69b1b01	page-export: XSS	2021-09-03 01:26:14 +01:00
Starbeamrainbowlabs	42ad55c849	page-edit: XSS	2021-09-03 01:23:42 +01:00
Starbeamrainbowlabs	3f286b4cda	page-delete: fix XSS	2021-09-03 01:16:29 +01:00
Starbeamrainbowlabs	54166c9b79	page-credits: htmlentities everywhere	2021-09-03 01:12:49 +01:00
Starbeamrainbowlabs	4dda12d195	feaature-watchlist: minor XSS improvements	2021-09-03 01:10:54 +01:00
Starbeamrainbowlabs	2844a47f9f	feature-user-table: fix potential obscure XSS attack	2021-09-03 01:08:27 +01:00
Starbeamrainbowlabs	2d6bf1df70	feature-user-preferences: fiix potential xss vulnerabilities	2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs	1f51bf31c6	Add new file formats to the list of allowed formats for uploaded files: image/avif image/jxl Also, lesser known image formats: image/hief image/heic	2021-09-03 00:52:01 +01:00
Starbeamrainbowlabs	227a7ac662	feature-upload: fix potential XSS attacks	2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs	4a00a404e1	Update changelog	2021-09-03 00:28:20 +01:00
Starbeamrainbowlabs	6dd3e52a9c	feature-theme-gallery: fill in help text	2021-09-03 00:26:55 +01:00
Starbeamrainbowlabs	538f899018	feturee-stats: minor admindetails_name issue	2021-09-03 00:14:53 +01:00
Starbeamrainbowlabs	39af83caf9	page-renderer: use htmlentities on admindetails_name This is NOT to fix a security issue - rather to allow the admin's name to contain special characters. Note that the admin's name can only be changed either in peppermint.json or via the admin settings panel (which only admins can access). If you're worries about admins serving arbitrary HTML, then Pepperminty Wiki is not for you because they could serve a random static HTML file that they've uploaded to their web server for instance.	2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs	98485e7bd2	feature-search: fix potential XSS	2021-09-03 00:00:49 +01:00
Starbeamrainbowlabs	738715af43	core \| render_pagename, render_username: fix potential authenticated XSS attack	2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs	d977d594e6	feture-recent-changes: fix typo	2021-09-02 23:02:01 +01:00
Starbeamrainbowlabs	0ff5ab20ec	feature-interwiki-links: fix potential XSS attack	2021-09-02 23:00:50 +01:00
Starbeamrainbowlabs	b5b38166ac	feature-history: fix potential XSS attack	2021-09-02 22:58:19 +01:00
Starbeamrainbowlabs	3f61c9eac0	feature-guiconfig: fix potential obscure XSS	2021-09-02 22:53:59 +01:00
Starbeamrainbowlabs	80f77a93b5	feature-comments: fix potential XSS	2021-09-02 22:50:00 +01:00
Starbeamrainbowlabs	a1259ec8d9	action-random: use new slugify() function	2021-09-02 22:39:10 +01:00
Starbeamrainbowlabs	bacfc11723	fixup	2021-09-02 22:29:48 +01:00

1 2 3 4 5 ...

1787 commits