No longer rely on Referer header for the comments return URL.

This commit is contained in:
flash 2023-08-31 14:39:50 +00:00
parent 061d4c8a8f
commit 0c9bac473b
6 changed files with 23 additions and 25 deletions


@ -3,9 +3,7 @@ namespace Misuzu;
use RuntimeException; use RuntimeException;
// basing whether or not this is an xhr request on whether a referrer header is present $redirect = filter_input(INPUT_GET, 'return') ?? $_SERVER['HTTP_REFERER'] ?? url('index');
// this page is never directy accessed, under normal circumstances
$redirect = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : url('index');
if(!is_local_url($redirect)) { if(!is_local_url($redirect)) {
echo render_info('Possible request forgery detected.', 403); echo render_info('Possible request forgery detected.', 403);
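Review bot: The new `$redirect` line only takes the fallback when `filter_input()` yields null, but `filter_input(INPUT_GET, 'return')` returns `false` for an array-valued `return[]=` parameter and `''` for an empty `?return=`, and `??` passes both straight through to `is_local_url()`; whether that helper rejects a non-string or empty value is outside this hunk. Because the value now comes from the query string rather than a browser-set header, `is_local_url()` is the only guard left against an open redirect, so the fallback should cover anything that is not a non-empty string: `$redirect = filter_input(INPUT_GET, 'return');` / `if(!is_string($redirect) || $redirect === '')` / `    $redirect = $_SERVER['HTTP_REFERER'] ?? url('index');`. Note also that the Referer fallback is still present on the new line, so the commit title overstates what this hunk changes. The rest of the script continues outside the hunk.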


@ -80,12 +80,12 @@ define('MSZ_URLS', [
'settings-logs' => ['/settings/logs.php'], 'settings-logs' => ['/settings/logs.php'],
'settings-data' => ['/settings/data.php'], 'settings-data' => ['/settings/data.php'],
'comment-create' => ['/comments.php', ['m' => 'create']], 'comment-create' => ['/comments.php', ['m' => 'create', 'return' => '<return>']],
'comment-vote' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'vote', 'v' => '<vote>']], 'comment-vote' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'vote', 'v' => '<vote>', 'return' => '<return>']],
'comment-delete' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'delete']], 'comment-delete' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'delete', 'return' => '<return>']],
'comment-restore' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'restore']], 'comment-restore' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'restore', 'return' => '<return>']],
'comment-pin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'pin']], 'comment-pin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'pin', 'return' => '<return>']],
'comment-unpin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'unpin']], 'comment-unpin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'unpin', 'return' => '<return>']],
'manage-index' => ['/manage'], 'manage-index' => ['/manage'],
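Review bot: Every `'return' => '<return>'` entry added here (`comment-create` through `comment-unpin`) embeds a full page URL inside another URL's query string, so the substitution `url()` performs for `<return>` must percent-encode the value; that function is not in this diff, and if it does plain placeholder replacement a `canonical_url` containing `&`, `#` or `?` would be truncated or would inject extra parameters into the comments.php request. Worth confirming against `url()`, or recording the expectation next to the table, e.g. `// '<return>' holds a full URL; url() must percent-encode it when substituting`. The `MSZ_URLS` definition starts before this hunk.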


@ -1,11 +1,11 @@
{% macro comments_input(category, user, perms, reply_to) %} {% macro comments_input(category, user, perms, reply_to, return_url) %}
{% set reply_mode = reply_to is not null %} {% set reply_mode = reply_to is not null %}
{% from 'macros.twig' import avatar %} {% from 'macros.twig' import avatar %}
{% from '_layout/input.twig' import input_hidden, input_csrf, input_checkbox %} {% from '_layout/input.twig' import input_hidden, input_csrf, input_checkbox %}
<form class="comment comment--input{% if reply_mode %} comment--reply{% endif %}" <form class="comment comment--input{% if reply_mode %} comment--reply{% endif %}"
method="post" action="{{ url('comment-create') }}" method="post" action="{{ url('comment-create', {'return': return_url}) }}"
id="comment-{{ reply_mode ? 'reply-' ~ reply_to.id : 'create-' ~ category.id }}"> id="comment-{{ reply_mode ? 'reply-' ~ reply_to.id : 'create-' ~ category.id }}">
{{ input_hidden('comment[category]', category.id) }} {{ input_hidden('comment[category]', category.id) }}
{{ input_csrf() }} {{ input_csrf() }}
@ -40,7 +40,7 @@
</form> </form>
{% endmacro %} {% endmacro %}
{% macro comments_entry(comment, indent, category, user, colour, perms) %} {% macro comments_entry(comment, indent, category, user, colour, perms, return_url) %}
{% from 'macros.twig' import avatar %} {% from 'macros.twig' import avatar %}
{% from '_layout/input.twig' import input_checkbox_raw %} {% from '_layout/input.twig' import input_checkbox_raw %}
@ -113,14 +113,14 @@
{% set dislike_vote_state = userVote < 0 ? 0 : -1 %} {% set dislike_vote_state = userVote < 0 ? 0 : -1 %}
<a class="comment__action comment__action--link comment__action--vote comment__action--like{% if userVote > 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ like_vote_state }}" <a class="comment__action comment__action--link comment__action--vote comment__action--like{% if userVote > 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ like_vote_state }}"
href="{{ url('comment-vote', {'comment':comment.id,'vote':like_vote_state}) }}"> href="{{ url('comment-vote', {'comment': comment.id, 'vote': like_vote_state, 'return': return_url}) }}">
Like Like
{% if likes > 0 %} {% if likes > 0 %}
({{ likes|number_format }}) ({{ likes|number_format }})
{% endif %} {% endif %}
</a> </a>
<a class="comment__action comment__action--link comment__action--vote comment__action--dislike{% if userVote < 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ dislike_vote_state }}" <a class="comment__action comment__action--link comment__action--vote comment__action--dislike{% if userVote < 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ dislike_vote_state }}"
href="{{ url('comment-vote', {'comment':comment.id,'vote':dislike_vote_state}) }}"> href="{{ url('comment-vote', {'comment': comment.id, 'vote':dislike_vote_state, 'return': return_url}) }}">
Dislike Dislike
{% if dislikes > 0 %} {% if dislikes > 0 %}
({{ dislikes|number_format }}) ({{ dislikes|number_format }})
@ -131,16 +131,16 @@
<label class="comment__action comment__action--link" for="comment-reply-toggle-{{ comment.id }}">Reply</label> <label class="comment__action comment__action--link" for="comment-reply-toggle-{{ comment.id }}">Reply</label>
{% endif %} {% endif %}
{% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %} {% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %}
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment':comment.id}) }}">Delete</a> <a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment': comment.id, 'return': return_url}) }}">Delete</a>
{% endif %} {% endif %}
{# if user is not null %} {# if user is not null %}
<a class="comment__action comment__action--link comment__action--hide" href="#">Report</a> <a class="comment__action comment__action--link comment__action--hide" href="#">Report</a>
{% endif #} {% endif #}
{% if not isReply and perms.can_pin|default(false) %} {% if not isReply and perms.can_pin|default(false) %}
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment':comment.id}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a> <a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment': comment.id, 'return': return_url}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
{% endif %} {% endif %}
{% elseif perms.can_delete_any|default(false) %} {% elseif perms.can_delete_any|default(false) %}
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment':comment.id}) }}">Restore</a> <a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment': comment.id, 'return': return_url}) }}">Restore</a>
{% endif %} {% endif %}
</div> </div>
</div> </div>
@ -150,11 +150,11 @@
{% from _self import comments_entry, comments_input %} {% from _self import comments_entry, comments_input %}
{% if user|default(null) is not null and category|default(null) is not null and perms.can_post|default(false) %} {% if user|default(null) is not null and category|default(null) is not null and perms.can_post|default(false) %}
{{ input_checkbox_raw('', false, 'comment__reply-toggle', '', false, {'id':'comment-reply-toggle-' ~ comment.id}) }} {{ input_checkbox_raw('', false, 'comment__reply-toggle', '', false, {'id':'comment-reply-toggle-' ~ comment.id}) }}
{{ comments_input(category, user, perms, comment) }} {{ comments_input(category, user, perms, comment, return_url) }}
{% endif %} {% endif %}
{% if replies|length > 0 %} {% if replies|length > 0 %}
{% for reply in replies %} {% for reply in replies %}
{{ comments_entry(reply, indent + 1, category, user, colour, perms) }} {{ comments_entry(reply, indent + 1, category, user, colour, perms, return_url) }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
</div> </div>
@ -162,7 +162,7 @@
{% endif %} {% endif %}
{% endmacro %} {% endmacro %}
{% macro comments_section(category) %} {% macro comments_section(category, return_url) %}
{% set user = category.user %} {% set user = category.user %}
{% set colour = category.colour %} {% set colour = category.colour %}
{% set posts = category.posts %} {% set posts = category.posts %}
@ -189,7 +189,7 @@
</div> </div>
{% else %} {% else %}
{% from _self import comments_input %} {% from _self import comments_input %}
{{ comments_input(category, user, perms) }} {{ comments_input(category, user, perms, null, return_url) }}
{% endif %} {% endif %}
</div> </div>
@ -203,7 +203,7 @@
{% if posts|length > 0 %} {% if posts|length > 0 %}
{% from _self import comments_entry %} {% from _self import comments_entry %}
{% for comment in posts %} {% for comment in posts %}
{{ comments_entry(comment, 1, category, user, colour, perms) }} {{ comments_entry(comment, 1, category, user, colour, perms, return_url) }}
{% endfor %} {% endfor %}
{% else %} {% else %}
<div class="comments__none" id="_no_comments_notice_{{ category.id }}"> <div class="comments__none" id="_no_comments_notice_{{ category.id }}">
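Review bot: In the third hunk of this file the rewritten Dislike link keeps the unspaced `'vote':dislike_vote_state` while the Like link two lines above was normalised to `'vote': like_vote_state`; for consistency change it to `{'comment': comment.id, 'vote': dislike_vote_state, 'return': return_url}`. The new trailing `return_url` parameter on `comments_input`, `comments_entry` and `comments_section` has no default, so any caller not updated receives null for it; every call site visible in this commit is updated, but callers outside this diff, if any, would silently produce an empty `return=`.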


@ -69,6 +69,6 @@
<div class="container"> <div class="container">
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments for ' ~ change_info.date) }} {{ container_title('<i class="fas fa-comments fa-fw"></i> Comments for ' ~ change_info.date) }}
{{ comments_section(comments_info) }} {{ comments_section(comments_info, canonical_url) }}
</div> </div>
{% endblock %} {% endblock %}
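Review bot: `canonical_url` is passed to `comments_section` here without being defined in this template, so it has to come from the rendering context; the same applies to the two other templates changed in this commit. If a context omits it, Twig substitutes null unless `strict_variables` is enabled, the generated links carry an empty `return=`, and comments.php is left with its fallback. A short comment above the call, such as `{# canonical_url: absolute URL of this page, used as the return target after a comment action #}`, would make the dependency visible to whoever renders the template.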


@ -58,7 +58,7 @@
{% if is_date %} {% if is_date %}
<div class="container"> <div class="container">
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }} {{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
{{ comments_section(comments_info) }} {{ comments_section(comments_info, canonical_url) }}
</div> </div>
{% endif %} {% endif %}
{% endblock %} {% endblock %}


@ -13,7 +13,7 @@
{% if comments_info is defined %} {% if comments_info is defined %}
<div class="container"> <div class="container">
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }} {{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
{{ comments_section(comments_info) }} {{ comments_section(comments_info, canonical_url) }}
</div> </div>
{% endif %} {% endif %}
{% endblock %} {% endblock %}