groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-01-26 12:09:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
Part-DB-server/templates/base.html.twig
Sascha Lenk 3becdd976d
vulnerability Path-relative stylesheet import (PRSSI) fix 
Threat
Relative URLs can be dangerous since browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to pathrelative
stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including
cross-site scripting (XSS) and exfiltration of CSRF tokens.

Solution
It is recommended to use absolute URLs for CSS imports. Alternately you can add the HTML "base" tag in the document which defines the base URL or target
location for all the relative URLs.
The vulnerability can also be mitigated by using the following best practices to harden the web pages:
• Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
• Set response header X-Frame-Options: deny
• Set response header X-Content-Type-Options: nosniff.

-----------
To me the easiest way to fix this, was adding the base URL. :)
2023-02-25 23:56:59 +01:00

125 lines
5.1 KiB
Twig
Raw Blame History

<!DOCTYPE html>
<html lang="{{ app.request.locale }}">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<base href="{{ app.request.getSchemeAndHttpHost() }}">
<link rel="manifest" href="{{ asset('manifest.json') }}">
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="application-name" content="Part-DB">
<meta name="apple-mobile-web-app-title" content="Part-DB">
<meta name="msapplication-config" content="{{ asset('icon/browserconfig.xml') }}">
<meta name="theme-color" content="#ffffff">
<meta name="theme-color" content="#ffffff">
<meta name="msapplication-navbutton-color" content="#ffffff">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="msapplication-starturl" content="/en/">
<meta name="turbo-cache-control" content="no-cache">
<link rel="shortcut icon" type="image/x-icon" href="{{ asset('favicon.ico') }}">
<link rel="apple-touch-icon" sizes="180x180" href="{{ asset('icon/apple-touch-icon.png') }}">
<link rel="icon" type="image/png" href="{{ asset('icon/favicon-32x32.png') }}" sizes="32x32">
<link rel="icon" type="image/png" href="{{ asset('icon/favicon-16x16.png') }}" sizes="16x16">
<link rel="mask-icon" href="{{ asset('icon/safari-pinned-tab.svg') }}" color="#5bbad5">
<title>{% apply trim %}{% block title %}{{ partdb_title}}{% endblock %}{% endapply %}</title>
{% set current_page_title = block("title") %}
{% block stylesheets %}
{# Include the main bootstrap theme based on user/global setting #}
{% if not app.user.theme is defined %}
{% set theme = global_theme %}
{% else %}
{% set theme = app.user.theme %}
{% endif %}
{% if theme and theme in available_themes and encore_entry_exists('theme_' ~ theme) %}
{{ encore_entry_link_tags('theme_' ~ theme) }}
{% else %}
{{ encore_entry_link_tags('theme_bootstrap') }}
{% endif %}
{{ encore_entry_link_tags('app') }}
{% endblock %}
{% block javascripts %}
{{ encore_entry_script_tags('app') }}
{{ encore_entry_script_tags('webauthn_tfa') }}
{# load translation files for ckeditor #}
{% set two_chars_locale = app.request.locale|default("en")|slice(0,2) %}
{% if two_chars_locale != "en" %}
<script src="{{ asset("build/ckeditor_translations/" ~ two_chars_locale ~ ".js") }}"></script>
{% endif %}
{% endblock %}
</head>
<body data-base-url="{{ path('homepage', {'_locale': app.request.locale}) }}" data-locale="{{ app.request.locale|default("en")|slice(0,2) }}">
{% block body %}
<header>
<turbo-frame id="navbar-frame" target="content" data-turbo-action="advance">
{% include "_navbar.html.twig" %}
</turbo-frame>
</header>
<main>
<div class="container-fluid">
<div class="row">
{% include "_toast_container.html.twig" %}
<div class="collapse d-md-block" id="sidebar-container">
<nav class="fixed-sidebar col-md-3 col-lg-2 bg-body" id="fixed-sidebar">
<turbo-frame id="sidebar" target="content" data-turbo-action="advance" data-turbo-permanent>
{% include "_sidebar.html.twig" %}
</turbo-frame>
<noscript><b>{% trans %}vendor.base.javascript_hint{% endtrans %}</b></noscript>
</nav>
</div>
<div class="col-md-9 col-lg-10 offset-md-3 offset-lg-2 ps-0" id="main">
<div class="container-fluid me-0 pe-0" id="content-container">
<turbo-frame id="content" data-turbo-action="advance">
{# Here will be the real content be injected#}
{% block content %}
{% endblock %}
{% include "_turbo_control.html.twig" %}
</turbo-frame>
{% block scripts %}
{% endblock %}
</div>
</div>
</div>
</div>
</main>
{# Back to top buton #}
<!-- Back to top button -->
<button id="back-to-top" class="btn btn-primary back-to-top" role="button" title="{% trans %}back_to_top{% endtrans %}"
{{ stimulus_controller('common/back_to_top') }} {{ stimulus_action('common/back_to_top', 'backToTop') }}>
<i class="fas fa-angle-up fa-fw"></i>
</button>
{# Must be outside of the sidebar or it will be hidden too #}
<button class="btn btn-outline-dark btn-sm p-0 d-md-block d-none" type="button" id="sidebar-toggle-button" title="{% trans %}sidebar.big.toggle{% endtrans %}"
{{ stimulus_controller('common/hide_sidebar') }} {{ stimulus_action('common/hide_sidebar', 'toggleSidebar') }}>
<i class="fas fa-angle-left"></i>
</button>
{% endblock %}
</body>
</html>
Reference in a new issue View git blame Copy permalink