path: root/web/template/pkg_comments.php
Age | Commit message | Author | Files | Lines

2012-06-24 | Implement token system to fix CSRF vulnerabilities | canyonknight | 1 | -0/+1

Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30 | Fix XSS vulnerabilities in package comment templates. | Lukas Fleischer | 1 | -1/+1

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-11 | Fix broken XHTML. | Lukas Fleischer | 1 | -6/+8

Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-01-19 | Make external links in comments clickable (FS#20137). | Lukas Fleischer | 1 | -1/+1

Comments are now split at link boundaries and links are converted separately. I find this to be a much cleaner way than re-converting comments that have already been converted using htmlspecialchars(). This also doesn't require any callback procedure.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2010-11-21 | Auto redirect from confirmation screens. | Dan Vratil | 1 | -9/+14

Finally move comment deletion and category editing into functions and remove pkgedit.php

Signed-off-by: Loui Chang <louipc.ist@gmail.com>

- Fix indentation
- Fix variable naming conflict $id vs $cid

2010-04-15 | pkg_comments: Only display 10 comments by default. | Loui Chang | 1 | -1/+11

Add a mechanism to view all comments.

Signed-off-by: Loui Chang <louipc.ist@gmail.com>

2009-04-13 | Don't hit the database twice per comment on package | Dan McGee | 1 | -1/+2

It's performance improvement day today. For non-superusers, we were hitting the database twice per comment on a package - once to get the UID, and once to check the owner of the comment. The best part is we already knew the owner of the comment, and we only need to get our own UID once. For viewing a package like yaourt, this cuts a single pageview from over 700 queries to around 18, which is still not great but a pretty big improvement.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>

2009-02-19 | Revamp markup and styles for comments. | Loui Chang | 1 | -24/+14

Make post date consistent with other dates. Look Ma, no tables!

Signed-off-by: Loui Chang <louipc.ist@gmail.com>

2009-01-23 | Change comment style so long lines wrap. | Loui Chang | 1 | -1/+1

Signed-off-by: Loui Chang <louipc.ist@gmail.com>

2009-01-23 | Fix translated comment messages. | Loui Chang | 1 | -5/+4

Signed-off-by: Loui Chang <louipc.ist@gmail.com>

2009-01-05 | Move package comments to a template. | Loui Chang | 1 | -0/+38

Change layout in the process.

Signed-off-by: Loui Chang <louipc.ist@gmail.com>