Commit Graph

122 Commits

Author SHA1 Message Date
Chad Kieffer
d581bbbd1e Renamed more CSS selectors from gName to g-name. 2009-10-04 15:53:00 -06:00
Chad Kieffer
3e6ba7acc3 Renamed most, if not all css selectors from gName to g-name. Moved a few shared images from wind to lib. Deleted unused images in the admin_wind. This will likely break a few ajax features. 2009-10-04 00:27:22 -06:00
Chad Kieffer
9145331fd4 Renamed and moved gOdd/gEven CSS classes. 2009-10-03 12:33:53 -06:00
Tim Almdal
970158f4d9 Fix unit tests by updating the xss golden file and declaring gallery_error::error_handler as static 2009-09-24 16:59:33 -07:00
Tim Almdal
65051a4bf7 Rename the default themes to wind and admin_wind. Change xss_data.txt file to reflect this move. Not completely moved yet, but the git st is rather large so let's commit this now as a base for the cleanup. 2009-09-23 15:06:17 -07:00
Tim Almdal
719b111219 Correct indentation 2009-09-23 14:38:38 -07:00
Andy Staudacher
2e23ae98c4 - Add theme->movie_menu() to whitelisted methods.
- xss_data checkpoint
2009-09-17 14:12:43 -07:00
Andy Staudacher
39632c4689 Also check for rss feeds in controller auth check 2009-09-15 23:01:26 -07:00
Andy Staudacher
7608870537 Controller auth / CSRF fixes 2009-09-15 22:51:49 -07:00
Andy Staudacher
dc3d45e760 Add exception for REST controllers (no fixes necessary). 2009-09-15 22:01:59 -07:00
Andy Staudacher
e168e0dfae CSRF / auth fixes, golden data file checkpoint 2009-09-15 21:50:48 -07:00
Andy Staudacher
61bbe1d78c First functional version of Controller_Auth_Test 2009-09-15 21:03:23 -07:00
Andy Staudacher
17254799d1 Initial skeleton of Controller_Auth code audit test (non functional). 2009-09-15 20:27:04 -07:00
Andy Staudacher
59eadacc67 Improve language preference (Accept-Language header matching): Boost same-language match over exact locale match for lower qvalue. 2009-09-15 11:19:32 -07:00
Bharat Mediratta
823fa2fc83 Updated for url format changes applied in 2aad580f53. 2009-09-12 10:33:46 -07:00
Bharat Mediratta
7ec490b600 rawurlencode() path components in relative_path_cache and
relative_url_cache so that they're safe for browser use.
2009-09-11 11:04:35 -07:00
Bharat Mediratta
752c857116 Rename ORM_MPTT::is_descendant() to ORM_MPTT::contains() to make the
API a little clearer.  Write a test for it, too.
2009-09-10 10:28:43 -07:00
Bharat Mediratta
6e65a8208f Fix a thinko-- of course we want urls to be the path to the file itself. 2009-09-08 21:52:15 -07:00
Bharat Mediratta
0709f7526d Change $this->_photo to just $photo 2009-09-08 21:33:45 -07:00
Bharat Mediratta
5d76a73596 Fix test to support new slug code. 2009-09-08 21:32:21 -07:00
Bharat Mediratta
48becbe017 Update item::convert_filename_to_slug() to eliminate leading and
trailing hyphens.
2009-09-08 20:03:55 -07:00
Bharat Mediratta
2f666f4c52 Add item::validate_url_safe() with a test. 2009-09-07 20:07:37 -07:00
Bharat Mediratta
991bb0c063 Update golden file. 2009-09-07 16:21:58 -07:00
Bharat Mediratta
3f997562de Add support for a per-item "slug" which will be the user-visible url
component for that given item.  Album hierarchies are represented by
nested slugs.  By default, we convert the filename to a slug when you
create an album, photo or movie.
2009-09-07 15:42:08 -07:00
Andy Staudacher
b3d0cb5a4c Bugfixes for locales::locale_from_http_request(), and adding tests.
(And the tests should illustrate that kohana 2.4's API doesn't quite fit our purpose of simply getting the best match between the accepted (client) and the installed (g3) locales.)
2009-09-05 18:55:44 -07:00
Andy Staudacher
b01596c0f0 Update XSS test golden data file. 2009-09-05 18:19:13 -07:00
Andy Staudacher
f63766556a XSS test golden data file update 2009-09-04 11:20:02 -07:00
Andy Staudacher
c453c0ef82 Simplifying SafeString a bit: From an XSS HTML security point of view, treat clean() and purify() the same.
No longer run a safe HTML string through the HTML purifier (since it's already marked as safe).

This also addresses the issue of calling purify() when no purifier is installed. In that case, we'd run clean() on a clean string (double HTML encoding).

If this approach doesn't work out, we can still modify the fallback code of purify() to check if the string is already clean before calling clean() instead of purify().
2009-09-04 10:11:42 -07:00
Bharat Mediratta
1ffb5b24df Checkpoint. 2009-09-03 11:34:02 -07:00
Bharat Mediratta
1405e8ed9e Fix tests for new purifier API. 2009-09-03 11:29:57 -07:00
Bharat Mediratta
1dca0b9d6b Fix test for new purifier API. 2009-09-03 11:28:42 -07:00
Andy Staudacher
8f6a120b52 Ensure that purify isn't applied twice for an already purified SafeString 2009-09-03 08:39:44 -07:00
Tim Almdal
c4b449add1 Merge branch 'master' into talmdal 2009-09-03 01:11:52 -07:00
Tim Almdal
dcdd44109b fix the expected return value of photos controller 2009-09-03 01:11:28 -07:00
Tim Almdal
41e3773417 fix the expected return value of album controller 2009-09-03 01:07:02 -07:00
Tim Almdal
33bcf11e27 Change the Html_Helper and SafeString tests to change the expected results based on whether HtmlPurifier module is installed or not 2009-09-03 01:05:03 -07:00
Bharat Mediratta
b842a9d9ca Fix formatting, and use a properly named file in
change_photo_no_csrf_fails_test() so that GD doesn't bomb.
2009-09-02 11:58:04 -07:00
Andy Staudacher
fe37483aca Update XSS scanner golden file 2009-09-01 01:29:42 -07:00
Andy Staudacher
d2cea7905e Remove debugging code 2009-09-01 00:53:17 -07:00
Andy Staudacher
c0d4937e43 Fix bug in XSS scanner for <script> block @ position 0 of inline_html 2009-09-01 00:52:21 -07:00
Andy Staudacher
285e2b9cbe Update XSS test golden file 2009-08-31 21:57:15 -07:00
Andy Staudacher
50c8b96405 Add XSS check for HTML attributes 2009-08-31 21:17:35 -07:00
Andy Staudacher
48050aca41 Add XSS check to ensure that html::js_string() is not preceded by a quote. 2009-08-31 19:53:53 -07:00
Andy Staudacher
26f6d8192f Adding XSS test for href="javascript: and onclick="..." 2009-08-31 01:11:50 -07:00
Andy Staudacher
ddb84c84e1 Rename mark_safe() to mark_clean() 2009-08-31 00:42:18 -07:00
Andy Staudacher
afb0111fe6 Updating golden XSS-test data file 2009-08-30 21:36:14 -07:00
Andy Staudacher
0a0c7a78e6 Check for href="<?= $foo ?>" (malicious "javascript:..." string) 2009-08-30 21:25:21 -07:00
Andy Staudacher
3aef420d48 Updating XSS golden file 2009-08-30 18:37:01 -07:00
Andy Staudacher
df38a890a6 Tabs to spaces cleanup 2009-08-30 18:07:13 -07:00
Andy Staudacher
beb711d6a0 Rename clean_js to js_string and have it return a complete JS string (with delimiters) instead of just the string contents.
Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.
2009-08-30 15:21:02 -07:00