PonyMirrors/ponepaste
1
0
Fork 0
mirror of https://github.com/Neetpone/ponepaste.git synced 2025-03-12 14:40:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix small reflected XSS

Browse source
This commit is contained in:
Floorb 2021-08-20 16:17:13 -04:00
parent 6d518cc008
commit 4103bc48c0
2 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
includes/common.php
View file

@ -154,3 +154,7 @@ $current_user = User::current($conn);
if ($current_user) { if ($current_user) {
$noguests = "off"; $noguests = "off";
} }
/* Security headers */
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');

10
theme/bulma/main.php
View file

@ -185,9 +185,9 @@
<p class="control has-icons-left"> <p class="control has-icons-left">
<input type="text" class="input" name="title" onchange="getFileName()" <input type="text" class="input" name="title" onchange="getFileName()"
placeholder="<?php echo $lang['pastetitle']; ?>" placeholder="<?php echo $lang['pastetitle']; ?>"
value="<?php echo (isset($_POST['title'])) ? $_POST['title'] : ''; ?>"> value="<?php echo (isset($_POST['title'])) ? pp_html_escape($_POST['title']) : ''; ?>">
<span class="icon is-small is-left"> <span class="icon is-small is-left">
<i class="fa fa-font"></i></a> <i class="fa fa-font"></i>
</span> </span>
</p> </p>
</div> </div>
@ -234,7 +234,7 @@
<!-- Text area --> <!-- Text area -->
<textarea class="textarea" rows="15" id="code" name="paste_data" onkeyup="countChars(this);" <textarea class="textarea" rows="15" id="code" name="paste_data" onkeyup="countChars(this);"
onkeydown="return catchTab(this,event)" onkeydown="return catchTab(this,event)"
placeholder="Paste Or Drop Text File Here."><?php echo (isset($_POST['paste_data'])) ? $_POST['paste_data'] : ''; ?></textarea> placeholder="Paste Or Drop Text File Here."><?php echo (isset($_POST['paste_data'])) ? pp_html_escape($_POST['paste_data']) : ''; ?></textarea>
<p id="charNum"><b>File Size: </b><span style="color: green;">1000/1000Kb</span></p> <p id="charNum"><b>File Size: </b><span style="color: green;">1000/1000Kb</span></p>
<br> <br>
<!-- Tag system --> <!-- Tag system -->
@ -250,7 +250,7 @@
data-max-chars="40" type="text" data-item-text="name" data-max-chars="40" type="text" data-item-text="name"
data-item-value="name" data-item-value="name"
data-case-sensitive="false" placeholder="10 Tags Maximum" data-case-sensitive="false" placeholder="10 Tags Maximum"
value="<?php echo (isset($_POST['tag_input'])) ? $_POST['tag_input'] : ''; // Pre-populate if we come here on an error" ?>"> value="<?php echo (isset($_POST['tag_input'])) ? pp_html_escape($_POST['tag_input']) : ''; // Pre-populate if we come here on an error" ?>">
</div> </div>
</div> </div>
</div> </div>
@ -353,7 +353,7 @@
<div class="column"> <div class="column">
<input type="text" class="input" name="pass" id="pass" <input type="text" class="input" name="pass" id="pass"
placeholder="<?php echo $lang['pwopt']; ?>" placeholder="<?php echo $lang['pwopt']; ?>"
value="<?php echo (isset($_POST['pass'])) ? $_POST['pass'] : ''; ?>"> value="<?php echo (isset($_POST['pass'])) ? pp_html_escape($_POST['pass']) : ''; ?>">
</div> </div>
</div> </div>
</div> </div>