patch XSS related to directories, remove redundant text editor file load

This commit is contained in:
Kyle Drake 2017-01-17 21:20:34 -08:00
parent eed42b7558
commit e95dd99c29
3 changed files with 36 additions and 36 deletions


@ -32,7 +32,7 @@ post '/site_files/create' do
name = current_site.scrubbed_path name name = current_site.scrubbed_path name
if current_site.file_exists?(name) if current_site.file_exists?(name)
flash[:error] = %{Web page "#{name}" already exists! Choose another name.} flash[:error] = %{Web page "#{Rack::Utils.escape_html name}" already exists! Choose another name.}
redirect redirect_uri redirect redirect_uri
end end
@ -67,7 +67,9 @@ post '/site_files/create' do
site_file.save site_file.save
end end
flash[:success] = %{#{name} was created! <a style="color: #FFFFFF; text-decoration: underline" href="/site_files/text_editor/#{name}">Click here to edit it</a>.} escaped_name = Rack::Utils.escape_html name
flash[:success] = %{#{escaped_name} was created! <a style="color: #FFFFFF; text-decoration: underline" href="/site_files/text_editor/#{escaped_name}">Click here to edit it</a>.}
redirect redirect_uri redirect redirect_uri
end end
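Review bot: In the new `flash[:success]` line, `escaped_name` is HTML-escaped once and reused for both the visible text and the `href` path segment, but the path is never URL-encoded, so a name containing `?`, `#` or `%` produces a link to the wrong editor URL (the text node itself is now safe). Keeping `escape_html` for the text and encoding the path for its own context, `href="/site_files/text_editor/#{Rack::Utils.escape_path name}"`, gives each interpolation the escaping its context needs. Whether `current_site.scrubbed_path` on the earlier line already rejects such characters is not visible here. The `post '/site_files/create'` route starts before the first hunk; the `flash[:error]` change in that hunk carries no link and needs no further change.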


@ -122,7 +122,6 @@
<div class="upload-Boundary <%= @file_list.length <= 5 ? 'with-instruction' : '' %>"> <div class="upload-Boundary <%= @file_list.length <= 5 ? 'with-instruction' : '' %>">
<% @file_list.each do |file| %> <% @file_list.each do |file| %>
<div class="file filehover"> <div class="file filehover">
<!-- <input type="checkbox" name="" value="" /> -->
<% if file[:is_html] && current_site.screenshot_exists?(file[:path], '210x158') %> <% if file[:is_html] && current_site.screenshot_exists?(file[:path], '210x158') %>
<div class="html-thumbnail html fileimagehover"> <div class="html-thumbnail html fileimagehover">
<img src="<%= current_site.screenshot_url(file[:path], '210x158') %>" alt=""> <img src="<%= current_site.screenshot_url(file[:path], '210x158') %>" alt="">
@ -160,6 +159,7 @@
</div> </div>
<div class="overlay"> <div class="overlay">
<div id="<%= Digest::SHA256.hexdigest file[:path] %>" style="display: none"><%= file[:path] %></div>
<% if file[:is_editable] %> <% if file[:is_editable] %>
<a href="/site_files/text_editor<%= file[:path] %>"><i class="fa fa-edit" title="Edit"></i> Edit</a> <a href="/site_files/text_editor<%= file[:path] %>"><i class="fa fa-edit" title="Edit"></i> Edit</a>
<% end %> <% end %>
@ -167,7 +167,7 @@
<a href="?dir=<%= Rack::Utils.escape file[:path] %>"><i class="fa fa-edit" title="Manage"></i> Manage</a> <a href="?dir=<%= Rack::Utils.escape file[:path] %>"><i class="fa fa-edit" title="Manage"></i> Manage</a>
<% end %> <% end %>
<% if !file[:is_root_index] %> <% if !file[:is_root_index] %>
<a href="#" onclick="confirmFileDelete('<%== file[:path].gsub("'", '&apos;') %>')"><i class="fa fa-trash" title="Delete"></i> Delete</a> <a href="#" onclick="confirmFileDelete($('#<%= Digest::SHA256.hexdigest file[:path] %>').text())"><i class="fa fa-trash" title="Delete"></i> Delete</a>
<% end %> <% end %>
<% if file[:is_directory] %> <% if file[:is_directory] %>
<a class="link-overlay" href="?dir=<%= Rack::Utils.escape file[:path] %>" title="View <%= file[:path] %>"></a> <a class="link-overlay" href="?dir=<%= Rack::Utils.escape file[:path] %>" title="View <%= file[:path] %>"></a>
@ -262,7 +262,7 @@
<script> <script>
function confirmFileDelete(name) { function confirmFileDelete(name) {
$('#deleteFileName').html(name.replace('/','')); $('#deleteFileName').text(name.replace('/',''));
$('#deleteConfirmModal').modal(); $('#deleteConfirmModal').modal();
} }
@ -305,7 +305,7 @@
if(file.status == 'error' && file.name.match(/.+\..+/) == null && errorMessage == 'Server responded with 0 code.') { if(file.status == 'error' && file.name.match(/.+\..+/) == null && errorMessage == 'Server responded with 0 code.') {
alert('Recursive directory upload is only supported by the Chrome web browser.') alert('Recursive directory upload is only supported by the Chrome web browser.')
} else { } else {
location.href = '/dashboard<%= @dir ? "?dir=#{@dir}" : "" %>' location.href = '/dashboard<%= @dir ? "?dir=#{Rack::Utils.escape @dir}" : "" %>'
} }
}) })
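Review bot: The hidden per-file `<div>` added in the `overlay` hunk, together with two `Digest::SHA256.hexdigest file[:path]` evaluations per file, exists only to hand the path to `confirmFileDelete`; a data attribute on the Delete link carries it with the same template escaping and no extra DOM: `<a href="#" data-path="<%= file[:path] %>" onclick="confirmFileDelete($(this).attr('data-path'))">`. Both forms depend on `<%=` HTML-escaping its output — the replaced `<%==` with a hand-rolled `gsub("'", '&apos;')` suggests the escaping variant is configured, but the engine setup is not visible in this section. Reading the value back with `.text()`/`.attr()` rather than `.html()` is what actually closes the injection, so the `$('#deleteFileName').text(...)` change should stay regardless of which carrier is used. The `@file_list.each` block these hunks sit in opens in the first hunk and closes outside the section.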


@ -154,9 +154,8 @@
var editor = {} var editor = {}
$.get('/site_files/download/<%= @filename %>', function(resp) {
$(document).ready(function() { $(document).ready(function() {
$.get('/site_files/download/<%= @filename %>', function(resp) { $.get("/site_files/download/<%= Addressable::URI.parse(@filename).normalized_path.to_s %>", function(resp) {
editor = ace.edit("editor") editor = ace.edit("editor")
setTheme() setTheme()
<% if @ace_mode %> <% if @ace_mode %>
@ -190,7 +189,6 @@
}) })
}) })
}) })
})
window.onbeforeunload = function() { window.onbeforeunload = function() {
if(unsavedChanges == true) if(unsavedChanges == true)