Commit Graph

40 Commits (21d6aded47d306fb44a60c1a8ad9331933cac855)

Author SHA1 Message Date
Joey Hess 7ca39f49db forgot to add wmd tag here 2009-03-07 18:52:14 -05:00
Joey Hess d76c10cba2 Split out error messages from editpage.tmpl into several separate templates. 2008-07-22 19:58:34 -04:00
Joey Hess 96c529826d skeleton rename plugin 2008-07-21 22:30:43 -04:00
Joey Hess a1df39ed4a simplified confirmation form
also, there's no titlepage conversion issues
2008-07-21 14:22:57 -04:00
Joey Hess 3da279ddd4 editpage: Don't show attachments link when attachments are disabled. 2008-07-21 12:15:55 -04:00
Joey Hess badfb9a5c9 add br at top
firefox 3 smooshed the page location dropdown up to the page title,
obscuring descenders and underscores. Maybe that's a bug, since the CSS
didn't ask it to, but I think adding the extra space of a br at the top
looks better anyway.
2008-07-06 14:54:38 -04:00
Joey Hess edfbd7e1aa toggle: Add javascript to top of page, not to end. This avoids flicker since closed toggles will not be displayed as the page is loading. 2008-07-02 16:14:18 -04:00
Joey Hess 1289beb53b xhtml fixes 2008-07-02 16:08:48 -04:00
Joey Hess d593533af5 attachments interface visibility toggling 2008-07-02 15:42:32 -04:00
Joey Hess c1e9e121b7 basic attachment list 2008-07-01 17:19:38 -04:00
Joey Hess 6643db0cd2 add support for an attachment upload field
FormBuilder makes it annoyingly hard to move a submit button to a
nonstandard place. The button name has to be "_submit" or FormBuilder will
ignore it.
2008-06-30 21:29:37 -04:00
Joey Hess 72b5ef2c5f Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.

In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.

In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.

For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)

The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
joey ce7596dad9 * Applied Jeremie Koenig's pluggable editpage buttons patch:
- add a title to the editpage form;
  - pass a reference to the list of buttons to the formbuilder_setup
    hooks, so we can add ours;
  - relax asumption about the possible submit values (use "Save Page"
    explicitly);
  - de-hardcode the submit buttons from the editpage template
    (This was needed for compatability with a bug in CGI::FormBuilder
    3.0401, but ikiwiki already needs a newer version.)
* Pass buttons to all other formbuilder_setup hooks too.
2007-08-17 05:34:59 +00:00
joey c92ab9cddd * Wrap the editpage template in the standard misctemplate, this allows the
pagetemplate hook to work for that page.
* Above change fixes the favicon plugin to work on edit pages.
2007-07-16 05:24:31 +00:00
joey 190202dd4e * Make all templates have a footer div to ease themeing. Required template
and style sheet updates, and unless you're using customised versions,
  you'll want to rebuild wikis on upgrade to this version to avoid
  inconsistencies.
* Allow WIKINAME to to used in footers, as an example of something to put
  there.
2007-05-11 20:09:58 +00:00
joey 21bc9abfcf wording 2007-03-17 23:58:34 +00:00
joey 26213f8ee4 * Detect the case of two people independently creating the same page at the
same time, and let the second person resolve the conflict.
2007-03-17 23:57:03 +00:00
joey 072967e62a * Patch from Ethan to improve behavior if a page is deleted or moved while
someone is editing it.
* Some cleanup of field setting in the failed edit and conflict handling
  code.
2007-02-24 00:39:06 +00:00
joey d4c61b7281 * Many changes to make ikiwiki very resistant to write failures
including out of disk space situations. ikiwiki should never leave
  truncated files, and if the error occurs during a web-based file edit,
  the user will be given an opportunity to retry.
  Inspired by the many ways Moin Moin destroys itself when out of disk. :-)
* Fix syslogging of errors.
2007-02-15 02:22:08 +00:00
joey 1626831cc8 typos 2006-11-15 20:49:10 +00:00
joey 96eb9bb3fa * Work around a strange bug in CGI::FormBuilder 3.0401 that makes
FORM-SUBMIT unusable on customised formbuilder templates. For now,
  hardcode the submit buttons in editpage.tmpl instead of using the
  template variable, which is ok, since the buttons are static.
2006-11-10 07:46:41 +00:00
joey fb670513bf fix mime type 2006-09-17 17:46:51 +00:00
joey fa96eab120 * Updated ikiwiki.svgz from Recai, includes an icon and is used to generate
a multi-resolution favicon.ico.
2006-09-16 15:12:01 +00:00
joey 0f25ec8eb6 * pagetemplate hooks are now also called when generating cgi pages.
* Add a favicon plugin, which simply adds a link tag for an icon to each
  page (and cgis).
2006-09-16 00:52:26 +00:00
joey 56d0ceee2e * Make all pages pull in a local.css style sheet, if present. This won't
be included in ikiwiki, but can be created to make local styling changes
  w/o needing to merge in every new change to the distributed style.css.
2006-08-24 20:45:09 +00:00
joey cf3021ef3f * Fixed a bug with previews of subpages having broken links to top-level
pages.
* Change how the stylesheet url is determined in the templates: Remove
  STYLEURL and add BASEURL to all templates (some already had it). This
  new more general variable can be used to link to other things (eg, images)
  from the template, as well as stylesheets.
2006-08-21 22:27:02 +00:00
joey b187641376 * Patch from Recai to allow selection of page type when creating a new page.
Default page type is inherited from the link clicked on to create the new
  page.
2006-07-26 21:23:06 +00:00
joey 1452b3adf3 so make sure to let perl know it should be handled as utf8. Also,
* Improve layout of edit page so formatting help link is always visible w/o
  getting in the way of the preview.
2006-07-02 17:44:43 +00:00
joey c20c406631 * Add -refresh option to ikiwiki-mass-rebuild and use that on upgrades that
do not need a full rebuild, in order to update any basewiki pages.
2006-05-27 19:04:46 +00:00
joey 03c98d3c79 header can appear more than one time, so is a class, not an id 2006-05-26 01:42:00 +00:00
joey 5466a1daf9 * The page name and parent links has switched from using a <h1> to a styled
<span>, so pages can use <h1> internally instead of needing to use <h2>.
* Updated all of ikiwiki's own wiki pages for that.
* Add pagetemplate hook, which can be used by plugins that want to mess
  around with adding new stuff to the page template.
* Remove headercontent; the search plugin now adds the search box to the
  header by registering a pagetemplate hook, and other plugins should do
  similarly.
2006-05-26 01:10:58 +00:00
joey c4e0e8c36c - add <base> to cgi output, this is especially useful for output containing
wikilinks since the urls should work now in more situations
- drop --limit from svn log run, since a) it needs a fairly new svn and 
  b) in some cases, it would limit it to too few entries to display the
  requested number of changes
- Use driver:DB_File and not driver:db_file for better compatability with
  old versions of CGI::Session.
- Note that HTML::Template 3.02.02 is needed.
2006-04-02 22:24:08 +00:00
joey 5591d621b9 css support 2006-03-29 07:24:03 +00:00
joey e41dd1e24e html validation fixes:
- escape & in urls (also clean up cgi url generation)
 - since markdown wraps inlined pages in <p></p>, close and re-open
   the paragraph tags when generating the embedded html
 - added XHTML 1.0 doctypes to templates
 - fixed <hr /> and <br /> in templates
 - add an alt attribute to inline images, based on the WikiLink to the
   image. Allows things like [[my_image|img.png]] to customise alt text.
2006-03-29 03:18:21 +00:00
joey 1d82816082 link to helponformatting from the edit page 2006-03-19 21:31:11 +00:00
joey 6b6fd778c7 conflict detection, merging, etc should be done now, I think 2006-03-19 20:34:59 +00:00
joey 3c239b14bc first cut at svn merge and conflict 2006-03-19 19:09:57 +00:00
joey 685475ba8c add a header to page preview section 2006-03-16 21:47:48 +00:00
joey 44eefb7f22 dd page preview 2006-03-16 21:39:45 +00:00
joey 798c48a1a6 - use templates for signin form, error messages
- use FormBuilder for edit page forms (also use template)
- print debug to stderr in cgi mode to avoid breaking http headers
- fix links to page in parentlinks if $url is unset
- reorganise how wikilink is used in templates
- only make recentchanes link if svn is enabled
- change session id cookie to something we control
- add support for logging committer name for web commits from signed in
  users (untested)
- probably more changes I forgot
2006-03-12 16:37:26 +00:00