...
 
......@@ -48,6 +48,11 @@ prepare:fpm:
--build-arg SENTRY_DSN=$SENTRY_DSN \
.
- docker push $CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID
- >
if [ $CI_COMMIT_BRANCH == "master" ]; then
docker tag $CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID $CI_REGISTRY_IMAGE/fpm:latest &&
docker push $CI_REGISTRY_IMAGE/fpm:latest
fi
prepare:runners:
stage: prepare
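Review bot: The added branch test `if [ $CI_COMMIT_BRANCH == "master" ]; then` leaves the variable unquoted, so on pipelines where it is not defined (GitLab does not set CI_COMMIT_BRANCH for tag or merge-request pipelines) the shell evaluates `[ == "master" ]` and the step fails with a syntax error instead of simply skipping the `:latest` tag; `==` is also a bash extension that a POSIX `[` rejects. Quote it and use a single `=`: `if [ "$CI_COMMIT_BRANCH" = "master" ]; then`. The identical line is added again in the prepare:runners hunk below and needs the same change. Since this comparison is the only thing deciding when `:latest` is published, a `rules:`/`only:` restriction on the job would be a more robust place for that decision, though that is a larger change than this commit.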
......@@ -64,6 +69,11 @@ prepare:runners:
--build-arg SENTRY_DSN=$SENTRY_DSN \
.
- docker push $CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID
- >
if [ $CI_COMMIT_BRANCH == "master" ]; then
docker tag $CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID $CI_REGISTRY_IMAGE/runners:latest &&
docker push $CI_REGISTRY_IMAGE/runners:latest
fi
prepare:all:sentry:
stage: prepare
......
......@@ -70,7 +70,6 @@ class channel implements Interfaces\Api
$response['channel']['briefdescription'] = $response['channel']['briefdescription'] ?: '';
$response['channel']['city'] = $response['channel']['city'] ?: "";
$response['channel']['gender'] = $response['channel']['gender'] ?: "";
$response['channel']['dob'] = $response['channel']['dob'] ?: "";
if (!$user->merchant || !$supporters_count) {
$db = new Core\Data\Call('entities_by_time');
......@@ -234,7 +233,7 @@ class channel implements Interfaces\Api
$update = [];
foreach (['name', 'website', 'briefdescription', 'gender',
'dob', 'city', 'coordinates', 'monetized'] as $field) {
'city', 'coordinates', 'monetized'] as $field) {
if (isset($_POST[$field])) {
$update[$field] = $_POST[$field];
$owner->$field = $_POST[$field];
......
......@@ -123,6 +123,9 @@ class Exported
if ($pro = $this->proDomain->lookup($_SERVER['HTTP_HOST'] ?? null)) {
$exported['pro'] = $pro;
} elseif (!$this->proDomain->isRoot($_SERVER['HTTP_HOST'] ?? null)) {
// If not a pro site and not root then tell frontend to redirect
$exported['redirect_to_root_on_init'] = true;
}
return $exported;
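Review bot: The added `elseif (!$this->proDomain->isRoot($_SERVER['HTTP_HOST'] ?? null))` derives a redirect decision from the Host header, which is request-supplied, so the branch is only meaningful if `isRoot()` compares against server-side configured domains rather than anything taken from the same request; the hunk does not show which. It also passes `null` when the header is missing (CLI, tests) and the raw value when a port suffix is present, and nothing here indicates how `isRoot()` treats either case. A one-line comment such as `// HTTP_HOST is client-supplied; isRoot() must compare against configured domains, and should treat a null host deliberately` would record the assumption for the next reader. The enclosing method begins before the hunk.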
......
......@@ -17,8 +17,8 @@ class XSRF
public static function validateRequest()
{
if (!Core\Session::isLoggedIn() && $_SERVER['REQUEST_METHOD'] === 'GET') {
return true; // If logged out and GET request we can accept
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
return true; // XSRF only needed for modifiers
}
if (!isset($_SERVER['HTTP_X_XSRF_TOKEN'])) {
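Review bot: The new condition `if ($_SERVER['REQUEST_METHOD'] === 'GET')` drops the `!Core\Session::isLoggedIn()` guard, so the early `return true` now applies to authenticated sessions as well, and the XSRF check protects only non-GET requests. That is sound only if every GET-routed handler is free of side effects, and nothing in this hunk states or enforces that invariant; a state-changing GET route would no longer be covered by the token at all. Record the assumption at the return, e.g. `// Relies on every GET handler being side-effect free; any state-changing GET route is outside XSRF protection`, and it would be worth a pass over the GET handlers before merging. The remainder of validateRequest is outside the hunk.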
......
......@@ -163,7 +163,7 @@ class GenericRule implements Interfaces\XSSRule
//make all urls force open in a new tab/window
if ($element->nodeName == 'a') {
$element->setAttribute('target', '_blank');
$element->setAttribute('rel', 'noopener noreferrer nofollow'); //nofollow hurts spammers
$element->setAttribute('rel', 'noopener noreferrer nofollow ugc'); //nofollow hurts spammers
}
}
......
......@@ -1216,7 +1216,6 @@ class User extends \ElggUser
return array_merge(parent::getExportableValues(), [
'website',
'briefdescription',
'dob',
'gender',
'city',
'merchant',
......
......@@ -39,25 +39,25 @@ class XSSSpec extends ObjectBehavior
public function it_should_dissallow_onClick_attributes()
{
$dirty = "<a onclick=\"console.log('hmmm...')\">click me</a>";
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a target=\"_blank\" rel=\"noopener noreferrer nofollow\">click me</a>");
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a target=\"_blank\" rel=\"noopener noreferrer nofollow ugc\">click me</a>");
}
public function it_should_allow_href_on_anchor_tags()
{
$dirty = "<a href=\"https://www.minds.com\">take me home</a>";
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a href=\"https://www.minds.com\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">take me home</a>");
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a href=\"https://www.minds.com\" target=\"_blank\" rel=\"noopener noreferrer nofollow ugc\">take me home</a>");
}
public function it_should_not_allow_bad_url_schemes()
{
$dirty = "<a href=\"javascript:alert('HEYHO')\">bad scheme here</a>";
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a href=\"alert('HEYHO')\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">bad scheme here</a>");
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a href=\"alert('HEYHO')\" target=\"_blank\" rel=\"noopener noreferrer nofollow ugc\">bad scheme here</a>");
}
public function it_should_not_allow_bad_url_schemes_with_case_hacks()
{
$dirty = "<a href=\"Javascript:alert('HEYHO')\">bad scheme here</a>";
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a href=\"alert('HEYHO')\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">bad scheme here</a>");
$this->clean($dirty)->shouldReturn('<?xml encoding="utf-8" ?>'."<a href=\"alert('HEYHO')\" target=\"_blank\" rel=\"noopener noreferrer nofollow ugc\">bad scheme here</a>");
}
public function it_should_not_allow_bad_url_schemes_from_multiple_keywords()
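Review bot: The `rel` value `noopener noreferrer nofollow ugc` is now spelled out in four separate `shouldReturn` expectations, so the next change to the attribute in GenericRule will again touch every one of them. Declaring it once on the spec class, e.g. `const REL = 'noopener noreferrer nofollow ugc';`, and interpolating `self::REL` in each expected string keeps the four in step and makes the intended value visible in one place. The spec continues past the end of the hunk.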
......
......@@ -6,7 +6,7 @@ ADD --chown=www-data . /var/www/Minds/engine
# Remove the local settings file (if it exists)
RUN rm -f /var/www/Minds/engine/settings.php
# RUN rm -f /var/www/Minds/engine/settings.php
# Setup our supervisor service
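Review bot: Commenting out `RUN rm -f /var/www/Minds/engine/settings.php` means any `settings.php` present in the build context when `ADD --chown=www-data . /var/www/Minds/engine` runs is now carried into the published image, and the comment kept above it, `# Remove the local settings file (if it exists)`, no longer describes what the step does. If the file is meant to be supplied at deploy time, keep the removal or exclude it via `.dockerignore` and mount or generate it at runtime; if it is now intended to be baked in, change the comment to say so and make sure the copy in the build context holds no credentials, since the CI jobs above push these images to `$CI_REGISTRY_IMAGE`.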
......