aboutsummaryrefslogtreecommitdiff
path: root/templates
Commit message (Collapse)AuthorAge
* Fix CSRF attacks against the preferences and edit forms. Closes: #475445Joey Hess2008-04-10
| | | | | | | | | | | | | | | | | | | | | | | | | The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id. In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values. In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blndly hit save page. So I didn't block those CGI paramters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..) The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certianly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
* * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds.Joey Hess2008-03-03
| | | | | | * rcs_diff is a new function that rcs modules should implement. * Implemented rcs_diff for git, svn, and tla (tla version untested). Mercurial and monotone still todo.
* * The search plugin needs to override <base> to point to the directoryJoey Hess2008-02-14
| | | | | | containing ikiwiki.cgi, but this should not change the urls to the style sheets etc. Add a new forcebareurl parameter to misctemplate to allow it to do that.
* Merge branch 'master' into prefix-directivesJosh Triplett2008-02-09
|\ | | | | | | | | | | | | Conflicts: debian/changelog templates/change.tmpl
| * * Page templates can now use CTIME to show when the page was created.Joey Hess2008-02-09
| |
| * change wordingJoey Hess2008-02-09
| |
| * reword to put the more important info (page names) nearer the frontJoey Hess2008-02-09
| |
* | add ! prefix to some directives in templates, and to the recentchanges pageJoey Hess2008-02-05
|/
* more whitespace nonsenseJoey Hess2008-01-29
|
* more HTML::Template funJoey Hess2008-01-29
| | | | fix whitespace that led to bad wrapping and display
* fix display of diff iconJoey Hess2008-01-29
|
* * meta: Add pagespec functions to match against title, author, authorurl,Joey Hess2008-01-29
| | | | | | | license, and copyright. This can be used to create custom RecentChanges. * meta: To support the pagespec functions, metadata about pages has to be retained as pagestate. * Fix encoding bug when pagestate values contained spaces.
* really use unmunged author in metadataJoey Hess2008-01-29
|
* rename templateJoey Hess2008-01-29
|
* move message to endJoey Hess2008-01-29
|
* more style improvementsJoey Hess2008-01-29
|
* fairly good css style for static recentchanges pageJoey Hess2008-01-29
| | | | | | | The customary 2.5 hours of staring at random css turtorials later, here is a pure css latout for the static recentchanges page that, while not as good as the old table layout, it decent. And it works well in lynx. And should generate some pretty nice rss too.
* non-tabular recentchanges displayJoey Hess2008-01-29
| | | | Doesn't look as good as the old table, but works as a rss feed.
* * Removed support for sending commit notification mails. Along with it wentJoey Hess2008-01-29
| | | | | the svnrepo and notify settings, though both will be ignored if left in setup files.
* proof of concept implementation of static recentchangesJoey Hess2008-01-28
| | | | | Currently hardcoded to write to recentchanges/*, and the page format needs to be rethought to be usable for aggregation, but it basically works.
* addJoey Hess2008-01-28
|
* include license/copyright/author info if availableJoey Hess2008-01-09
|
* * inline: Add copyright/license info on a per-post basis to atomJoey Hess2008-01-09
| | | | | feeds if available. (rss doesn't allow such info on a per-post basis) * meta: Allow copyright/license metadata to contain arbitrary markup.
* * aggregate: Include copyright statements from rss feed as meta copyrightJoey Hess2008-01-08
| | | | | | directives. * aggregate: Yet another state saving fix (sigh). * aggregate: Add hack to support feeds with invalidly escaped html entities.
* Add xmlns attribute on html element in templates; pages can now validate.Josh Triplett2007-11-08
|
* * Fix copyright and licence styling.joey2007-09-20
|
* basic styling for license and copyrightjoey2007-09-15
|
* bugfixesjoey2007-09-15
|
* * meta: Support license and copyright information. The information willjoey2007-09-14
| | | | | | be shown in the page footer. HTML will also be inserted that should support the rel=license microformat as well as the HTML spec's rel=copyright.
* * Applied Jeremie Koenig's pluggable editpage buttons patch:joey2007-08-17
| | | | | | | | | | | | - add a title to the editpage form; - pass a reference to the list of buttons to the formbuilder_setup hooks, so we can add ours; - relax asumption about the possible submit values (use "Save Page" explicitly); - de-hardcode the submit buttons from the editpage template (This was needed for compatability with a bug in CGI::FormBuilder 3.0401, but ikiwiki already needs a newer version.) * Pass buttons to all other formbuilder_setup hooks too.
* * Apply a patch from NicolasLimare adding modification date tags to rss andjoey2007-08-11
| | | | | | atom feeds, and also changing the publication time for a feed to the newest modiciation time (was newest creation time). * The patch also adds dcterms:creator to rss items that have a known author.
* * Wrap the editpage template in the standard misctemplate, this allows thejoey2007-07-16
| | | | | pagetemplate hook to work for that page. * Above change fixes the favicon plugin to work on edit pages.
* * More consistent encoding of titles in rss and atom feeds. Don't usejoey2007-05-28
| | | | | | | | | | | ESCAPE=HTML for titles in the templates for these feeds, and instead escape the title going in to the template. Previously, the title was sometimes double-escaped in a feed (if set via meta title), and sometimes not (if set from the page filename). * In the meta plugin, when a title is set, encode the html entities in it numerically. This works better in the current landscape of a rss spec that doesn't specify encoding, and variously broken feed consumers, according to <http://www.rssboard.org/rss-profile#data-types-characterdata>.
* * Make all templates have a footer div to ease themeing. Required templatejoey2007-05-11
| | | | | | | | and style sheet updates, and unless you're using customised versions, you'll want to rebuild wikis on upgrade to this version to avoid inconsistencies. * Allow WIKINAME to to used in footers, as an example of something to put there.
* Remove img style attribute from recentchanges.tmpl; the default style.css ↵joshtriplett2007-05-08
| | | | covers this.
* don't generate tags span if there are no tags..joey2007-05-01
|
* remove empty footer, doesn't play well with new cssjoey2007-04-29
|
* more footer improvementsjoey2007-04-26
|
* * Move the footer div to enclose tags and links too.joey2007-04-26
| | | | | * More style sheet updates, remove the hack that used the tags div to create the footer border.
* * Minor template improvements by Alessandro.joey2007-04-18
|
* * Add postformtext parameter to inline.joey2007-04-12
|
* use popup balloon for more backlinks, rather than expanding on hover, sincejoey2007-04-06
| | | | | | in some cases it's not possible to move the mouse over the more backlinks using the old method
* * Reorder the icon in the template above the stylesheets, to avoid iconjoey2007-04-06
| | | | flashing during page load.
* * Hide excess backlinks and expand using CSS trick; control quantiy viajoey2007-03-31
| | | | the numbacklinks setting.
* the real bug turned out to be in the meta pluginjoey2007-03-21
|
* forgot to revert thisjoey2007-03-21
|
* oh, this is confusing, it needs escaping in <title>, but not when it's usedjoey2007-03-21
| | | | | inline, already escaped there
* * Fix a few bugs around page titles containing html. The worst of thesejoey2007-03-21
| | | | | is an actual security hole as it allows insertion of html into the title element of a page, which is not processed by the htmlscrubber.
* wordingjoey2007-03-17
|
* * Detect the case of two people independently creating the same page at thejoey2007-03-17
| | | | same time, and let the second person resolve the conflict.