Sascha Lenk
3becdd976d
vulnerability Path-relative stylesheet import (PRSSI) fix
...
Threat
Relative URLs can be dangerous since the browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.
Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including
cross-site scripting (XSS) and exfiltration of CSRF tokens.
Solution
It is recommended to use absolute URLs for CSS imports. Alternatively, you can add the HTML "base" tag to the document, which defines the base URL or target location for all the relative URLs.
The vulnerability can also be mitigated by using the following best practices to harden the web pages:
• Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
• Set response header X-Frame-Options: deny
• Set response header X-Content-Type-Options: nosniff.
-----------
To me the easiest way to fix this, was adding the base URL. :)
2023-02-25 23:56:59 +01:00
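Added example, not code from Part-DB or from the commit above: a small Python check that flags stylesheet links whose resolved URL changes when extra path segments are appended to the request (the condition a PRSSI attack needs), and that checks the three hardening points listed in the commit message against a response. The hostname, page URL and HTML snippets are constructed for the demonstration.

```python
"""Added example (not Part-DB code): flag path-relative stylesheet imports (PRSSI)
in an HTML response and check the hardening headers the commit message lists.

Assumptions: the page URL, hostname and sample HTML below are constructed for the
demo; a real check would feed it the body and headers of an HTTP response."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def is_path_relative(url: str) -> bool:
    """True for hrefs like 'build/app.css' or './x.css' whose target depends on
    the request path. Root-relative ('/x'), protocol-relative ('//h/x') and
    absolute ('https://h/x') URLs are not affected."""
    u = url.strip()
    if not u or u.startswith(("#", "/")):
        return False
    return urlsplit(u).scheme == ""


class _HeadCollector(HTMLParser):
    """Collects <base href>, stylesheet <link href>s and whether a DOCTYPE exists."""

    def __init__(self) -> None:
        super().__init__()
        self.base_href = None
        self.stylesheet_hrefs = []
        self.has_doctype = False

    def handle_decl(self, decl: str) -> None:
        if decl.strip().lower().startswith("doctype"):
            self.has_doctype = True

    def handle_starttag(self, tag, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "base" and self.base_href is None and a.get("href"):
            self.base_href = a["href"]  # browsers honour only the first <base>
        elif tag == "link" and a.get("href"):
            if "stylesheet" in a.get("rel", "").lower().split():
                self.stylesheet_hrefs.append(a["href"])


def _with_path_info(page_url: str) -> str:
    """The same page as an attacker would request it, with extra path segments
    appended (/en/part/42 -> /en/part/42/x/). Apps routed on PATH_INFO often
    return the same HTML for both URLs, which is what PRSSI relies on."""
    p = urlsplit(page_url)
    return p._replace(path=p.path.rstrip("/") + "/x/").geturl()


def find_prssi(html: str, page_url: str) -> list:
    """One finding per stylesheet whose resolved URL changes when the request
    path is tampered with. @import inside <style> is not inspected here."""
    c = _HeadCollector()
    c.feed(html)
    normal_base = urljoin(page_url, c.base_href) if c.base_href else page_url
    tampered_page = _with_path_info(page_url)
    tampered_base = urljoin(tampered_page, c.base_href) if c.base_href else tampered_page
    findings = []
    for href in c.stylesheet_hrefs:
        if not is_path_relative(href):
            continue
        normal = urljoin(normal_base, href)
        tampered = urljoin(tampered_base, href)
        if normal != tampered:  # resolution depends on the request path
            findings.append({"href": href, "normal": normal, "tampered": tampered})
    return findings


def hardening_gaps(headers: dict, html: str) -> list:
    """Check the three mitigations from the commit message against a response."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    c = _HeadCollector()
    c.feed(html)
    gaps = []
    if not c.has_doctype:
        gaps.append("no DOCTYPE: page may render in quirks mode")
    if h.get("x-frame-options") != "deny":
        gaps.append("X-Frame-Options: deny missing")
    if h.get("x-content-type-options") != "nosniff":
        gaps.append("X-Content-Type-Options: nosniff missing")
    return gaps


# Constructed sample data (not from the project): a Part-DB-like page URL and a
# head with a path-relative stylesheet, once without and once with <base>.
PAGE_URL = "https://parts.example.invalid/en/part/42"
VULNERABLE_HTML = """<!DOCTYPE html>
<html><head><link rel="stylesheet" href="build/app.css"></head><body></body></html>"""
FIXED_HTML = """<!DOCTYPE html>
<html><head><base href="https://parts.example.invalid/">
<link rel="stylesheet" href="build/app.css"></head><body></body></html>"""

if __name__ == "__main__":
    for f in find_prssi(VULNERABLE_HTML, PAGE_URL):
        print(f"PRSSI: {f['href']} -> {f['normal']}, but {f['tampered']} with path info")
    print("fixed page findings:", find_prssi(FIXED_HTML, PAGE_URL))
    print("gaps:", hardening_gaps({"X-Content-Type-Options": "nosniff"}, VULNERABLE_HTML))
```

The check deliberately does not inspect the href syntax alone: it resolves each stylesheet twice, once against the real page URL and once against the same URL with path info appended, and only reports a link when the two results differ. An absolute `<base href>` or a root-relative one (`/`) makes both resolutions identical, which is exactly why the commit's base-tag fix works.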
Jan Böhmer
3546385ed2
Moved favicon.ico to web root folder, as this is the location where a browser expects it
...
This prevents the browser from calling the PHP router to search for the (non-existent) favicon.ico
2023-02-05 00:18:07 +01:00
Jan Böhmer
08c97282a3
Allow configuring which themes should be available via parameters.yaml
2023-02-01 23:15:02 +01:00
Jan Böhmer
489b3e2c21
Use webpack entrypoints for bootstrap and bootswatch themes
...
This allows us to utilize the webpack versioning mechanism to avoid display issues when upgrading bootstrap
2023-02-01 22:58:39 +01:00
Jan Böhmer
7ecc460925
Hide sidebar collapse button on screens smaller than sm (sidebar is always collapsed then)
2023-01-10 00:10:59 +01:00
Jan Böhmer
055752a24d
Update the navbar on logout
2022-10-09 19:47:03 +02:00
Jan Böhmer
068daeda75
Use jbtronics/2fa-webauthn for u2f two factor authentication
2022-10-03 23:09:50 +02:00
Jan Böhmer
92e477775a
Use relative paths in templates instead of full paths
...
This fixes problems with HTTP/HTTPS mixing
2022-08-04 21:00:42 +02:00
Jan Böhmer
7dfbb4c536
Fixed mobile view for bootstrap5
2022-08-03 23:46:44 +02:00
Jan Böhmer
591f51432d
Turbo shall not cache the pages. This fixes back/forward movements in history
2022-08-03 21:43:58 +02:00
Jan Böhmer
565cb3a790
Implement sidebar collapse with stimulus.
2022-07-31 22:07:27 +02:00
Jan Böhmer
e26f6e5394
Mark sidebar and navbar as permanent between Turbo history navigations.
2022-07-31 21:29:00 +02:00
Jan Böhmer
1f890efc97
Implemented scroll to top using stimulus.
2022-07-30 00:47:51 +02:00
Jan Böhmer
b18284cfd7
Set the language of the CKEDITOR5 elements based on the page locale.
2022-07-26 01:43:30 +02:00
Jan Böhmer
582f8e4c5f
Fix tabs and pills for bootstrap 5
2022-07-24 18:14:33 +02:00
Jan Böhmer
365c7c60e4
Started to upgrade from bootstrap 4 to 5.
2022-07-24 18:08:21 +02:00
Jan Böhmer
1a9dfee0ed
Disable turbo on login/logout forms, so page is fully reloaded.
2022-07-24 16:03:07 +02:00
Jan Böhmer
0b31a3b095
Fixed issue where page titles were unintentionally reformatted.
2022-07-24 15:25:06 +02:00
Jan Böhmer
fa5f5bce28
Change the document title according to the title of the main frame.
2022-07-24 15:19:05 +02:00
Jan Böhmer
ea6357c259
Use stimulus for global reloading
2022-07-24 14:41:28 +02:00
Jan Böhmer
390deca544
Toasts now work with turbo
2022-07-24 14:20:20 +02:00
Jan Böhmer
79a1715290
Merge branch 'master' into turbo
2022-07-24 01:26:22 +02:00
Jan Böhmer
7bf730dda2
Rename /icons folder in public as it is aliased by apache.
...
Before, icons were not loaded in most cases when using apache2 with the default configuration.
Fixes issue #120
2022-07-18 00:11:12 +02:00
Jan Böhmer
41e0b251a9
Enabled treeview with turbo frames.
2022-03-05 23:09:55 +01:00
Jan Böhmer
3a21c18ba9
Removed loading modal, as this is now done by turbo.
2022-03-04 21:12:16 +01:00
Jan Böhmer
f60ef33736
Load stimulus controllers properly
2022-03-04 20:59:08 +01:00
Jan Böhmer
37c076c4c8
Show default theme, if database has unknown theme value.
...
This prevents deadlocks if the DB value somehow becomes invalid. This prevents behavior like in issue #76 .
2020-08-21 23:17:17 +02:00
Jan Böhmer
f089a16d74
Fixed Reel calculator when accessing via ajax load.
2020-06-07 17:16:11 +02:00
Jan Böhmer
d91eb334f1
Fixed a preloading warning.
2020-03-30 17:17:08 +02:00
Jan Böhmer
f5ceb9c20a
Preload styles and javascripts directly via Webpack-Encore.
...
Webpack-encore offers this feature, so it is not needed to implement this on our own.
2020-01-07 19:35:53 +01:00
Jan Böhmer
069293a843
Added 2FA with U2F keys.
2019-12-29 13:35:30 +01:00
Jan Böhmer
6882f91ef2
Use HTTP2 preload for always used CSS and JS files.
2019-11-30 16:46:03 +01:00
Jan Böhmer
5782ef70fb
Updated manifest.json
2019-11-30 16:05:36 +01:00
Jan Böhmer
dd1dc54d97
Test the admin pages to check whether read/list/delete is working.
2019-10-26 22:27:04 +02:00
Jan Böhmer
0b69de332d
Implemented different themes for Part-DB.
...
We use Bootswatch to provide different themed bootstrap CSS.
2019-10-13 17:48:18 +02:00
Jan Böhmer
280b2d4427
Fixed some 404 errors when using Part-DB without URL rewriting.
...
Fixed problems with the ajaxUI. Also added an ENV option so that RedirectController redirects you to the index.php/en page version.
2019-10-03 00:45:02 +02:00
Jan Böhmer
7f6c9b614f
Added a button to hide the sidebar.
...
Feature wished by Mr.AtiX. That way you can view tables in full screen.
2019-09-20 13:55:52 +02:00
Jan Böhmer
f36b95c351
Fixed deprecation for twig base.html.twig template
...
Using the filter tag is deprecated, replaced with apply tag which does the same thing.
2019-09-18 16:22:09 +02:00
Jan Böhmer
f402145c51
Split base template into multiple files to improve structure.
2019-09-05 00:09:11 +02:00
Jan Böhmer
1cbbc26e7a
Increased show time of the flash messages to 5 seconds.
2019-04-13 19:49:27 +02:00
Jan Böhmer
1c2b155adf
Revert "Use base path including the server name and protocol."
...
This reverts commit 15a036f2c6 .
2019-04-05 21:13:22 +02:00
Jan Böhmer
15a036f2c6
Use base path including the server name and protocol.
...
This should help against the mixed security errors on Heroku.
2019-04-05 21:09:01 +02:00
Jan Böhmer
058b3a6b6b
Added search function to the 3 main trees too.
2019-04-05 19:31:41 +02:00
Jan Böhmer
c8bcec7161
Don't change language when using the treeview links.
2019-03-27 20:14:54 +01:00
Jan Böhmer
1c7155d4e7
Removed a { from templates.
2019-03-26 17:58:06 +01:00
Jan Böhmer
528be3c000
Added back to top button.
2019-03-26 16:40:05 +01:00
Jan Böhmer
c0f44b76f3
Init datatables even after ajax requests.
2019-03-26 15:49:50 +01:00
Jan Böhmer
ccd4e82aed
Don't include the protocol in the base path. This causes problems on servers behind reverse proxies.
2019-03-25 22:39:20 +01:00
Jan Böhmer
afd45d464c
Added working treeviews and buttons.
2019-03-25 12:44:44 +01:00
Jan Böhmer
82761a3454
Show flash messages after ajax request too.
2019-03-24 20:28:17 +01:00