No longer rely on Referer header for the comments return URL.
This commit is contained in:
parent
061d4c8a8f
commit
0c9bac473b
6 changed files with 23 additions and 25 deletions
|
@ -3,9 +3,7 @@ namespace Misuzu;
|
|||
|
||||
use RuntimeException;
|
||||
|
||||
// basing whether or not this is an xhr request on whether a referrer header is present
|
||||
// this page is never directy accessed, under normal circumstances
|
||||
$redirect = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : url('index');
|
||||
$redirect = filter_input(INPUT_GET, 'return') ?? $_SERVER['HTTP_REFERER'] ?? url('index');
|
||||
|
||||
if(!is_local_url($redirect)) {
|
||||
echo render_info('Possible request forgery detected.', 403);
|
||||
|
|
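Review bot: The new `$redirect` expression still falls back to `$_SERVER['HTTP_REFERER']`, so the Referer dependency named in the commit title is demoted to a fallback rather than removed; if that is intended, the deleted comment should be replaced by one saying so, e.g. `// prefer the explicit 'return' parameter; Referer is only a fallback for links without one`. `filter_input(INPUT_GET, 'return')` returns `false` rather than `null` when the parameter arrives as an array (`return[]=`), and an empty `return=` yields `''`; `??` keeps both, so they reach `is_local_url()` instead of falling through to the fallbacks. Suggested: `$return = filter_input(INPUT_GET, 'return');` followed by `$redirect = is_string($return) && $return !== '' ? $return : ($_SERVER['HTTP_REFERER'] ?? url('index'));`. Since `return` is now caller-controlled from the query string, the existing `is_local_url()` check is the open-redirect gate; whether it rejects scheme-relative forms such as `//host/path` is not visible here and is worth a unit test, and the 403 message `Possible request forgery detected.` now also fires for a rejected return URL, which is not a forgery.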
12
src/url.php
12
src/url.php
|
@ -80,12 +80,12 @@ define('MSZ_URLS', [
|
|||
'settings-logs' => ['/settings/logs.php'],
|
||||
'settings-data' => ['/settings/data.php'],
|
||||
|
||||
'comment-create' => ['/comments.php', ['m' => 'create']],
|
||||
'comment-vote' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'vote', 'v' => '<vote>']],
|
||||
'comment-delete' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'delete']],
|
||||
'comment-restore' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'restore']],
|
||||
'comment-pin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'pin']],
|
||||
'comment-unpin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'unpin']],
|
||||
'comment-create' => ['/comments.php', ['m' => 'create', 'return' => '<return>']],
|
||||
'comment-vote' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'vote', 'v' => '<vote>', 'return' => '<return>']],
|
||||
'comment-delete' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'delete', 'return' => '<return>']],
|
||||
'comment-restore' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'restore', 'return' => '<return>']],
|
||||
'comment-pin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'pin', 'return' => '<return>']],
|
||||
'comment-unpin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'unpin', 'return' => '<return>']],
|
||||
|
||||
'manage-index' => ['/manage'],
|
||||
|
||||
|
|
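Review bot: Whether `url()` URL-encodes the value substituted for `<return>` is not visible in this hunk; `return_url` is now a full page URL (`canonical_url` in the templates), which can itself contain `?`, `&` and `#`, so an unencoded substitution would truncate or corrupt the `m`, `c` and `csrf` parameters that share the query string. Worth confirming against `url()` and covering with a test that passes a return URL containing `&`. The same placeholder is appended to all six comment routes here, so a short comment on the first one, e.g. `// 'return' carries the page to redirect back to; comments.php validates it with is_local_url()`, would save readers a trip to comments.php.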
|
@ -1,11 +1,11 @@
|
|||
{% macro comments_input(category, user, perms, reply_to) %}
|
||||
{% macro comments_input(category, user, perms, reply_to, return_url) %}
|
||||
{% set reply_mode = reply_to is not null %}
|
||||
|
||||
{% from 'macros.twig' import avatar %}
|
||||
{% from '_layout/input.twig' import input_hidden, input_csrf, input_checkbox %}
|
||||
|
||||
<form class="comment comment--input{% if reply_mode %} comment--reply{% endif %}"
|
||||
method="post" action="{{ url('comment-create') }}"
|
||||
method="post" action="{{ url('comment-create', {'return': return_url}) }}"
|
||||
id="comment-{{ reply_mode ? 'reply-' ~ reply_to.id : 'create-' ~ category.id }}">
|
||||
{{ input_hidden('comment[category]', category.id) }}
|
||||
{{ input_csrf() }}
|
||||
|
@ -40,7 +40,7 @@
|
|||
</form>
|
||||
{% endmacro %}
|
||||
|
||||
{% macro comments_entry(comment, indent, category, user, colour, perms) %}
|
||||
{% macro comments_entry(comment, indent, category, user, colour, perms, return_url) %}
|
||||
{% from 'macros.twig' import avatar %}
|
||||
{% from '_layout/input.twig' import input_checkbox_raw %}
|
||||
|
||||
|
@ -113,14 +113,14 @@
|
|||
{% set dislike_vote_state = userVote < 0 ? 0 : -1 %}
|
||||
|
||||
<a class="comment__action comment__action--link comment__action--vote comment__action--like{% if userVote > 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ like_vote_state }}"
|
||||
href="{{ url('comment-vote', {'comment':comment.id,'vote':like_vote_state}) }}">
|
||||
href="{{ url('comment-vote', {'comment': comment.id, 'vote': like_vote_state, 'return': return_url}) }}">
|
||||
Like
|
||||
{% if likes > 0 %}
|
||||
({{ likes|number_format }})
|
||||
{% endif %}
|
||||
</a>
|
||||
<a class="comment__action comment__action--link comment__action--vote comment__action--dislike{% if userVote < 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ dislike_vote_state }}"
|
||||
href="{{ url('comment-vote', {'comment':comment.id,'vote':dislike_vote_state}) }}">
|
||||
href="{{ url('comment-vote', {'comment': comment.id, 'vote':dislike_vote_state, 'return': return_url}) }}">
|
||||
Dislike
|
||||
{% if dislikes > 0 %}
|
||||
({{ dislikes|number_format }})
|
||||
|
@ -131,16 +131,16 @@
|
|||
<label class="comment__action comment__action--link" for="comment-reply-toggle-{{ comment.id }}">Reply</label>
|
||||
{% endif %}
|
||||
{% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %}
|
||||
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment':comment.id}) }}">Delete</a>
|
||||
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment': comment.id, 'return': return_url}) }}">Delete</a>
|
||||
{% endif %}
|
||||
{# if user is not null %}
|
||||
<a class="comment__action comment__action--link comment__action--hide" href="#">Report</a>
|
||||
{% endif #}
|
||||
{% if not isReply and perms.can_pin|default(false) %}
|
||||
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment':comment.id}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
|
||||
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment': comment.id, 'return': return_url}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
|
||||
{% endif %}
|
||||
{% elseif perms.can_delete_any|default(false) %}
|
||||
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment':comment.id}) }}">Restore</a>
|
||||
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment': comment.id, 'return': return_url}) }}">Restore</a>
|
||||
{% endif %}
|
||||
</div>
|
||||
</div>
|
||||
|
@ -150,11 +150,11 @@
|
|||
{% from _self import comments_entry, comments_input %}
|
||||
{% if user|default(null) is not null and category|default(null) is not null and perms.can_post|default(false) %}
|
||||
{{ input_checkbox_raw('', false, 'comment__reply-toggle', '', false, {'id':'comment-reply-toggle-' ~ comment.id}) }}
|
||||
{{ comments_input(category, user, perms, comment) }}
|
||||
{{ comments_input(category, user, perms, comment, return_url) }}
|
||||
{% endif %}
|
||||
{% if replies|length > 0 %}
|
||||
{% for reply in replies %}
|
||||
{{ comments_entry(reply, indent + 1, category, user, colour, perms) }}
|
||||
{{ comments_entry(reply, indent + 1, category, user, colour, perms, return_url) }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
</div>
|
||||
|
@ -162,7 +162,7 @@
|
|||
{% endif %}
|
||||
{% endmacro %}
|
||||
|
||||
{% macro comments_section(category) %}
|
||||
{% macro comments_section(category, return_url) %}
|
||||
{% set user = category.user %}
|
||||
{% set colour = category.colour %}
|
||||
{% set posts = category.posts %}
|
||||
|
@ -189,7 +189,7 @@
|
|||
</div>
|
||||
{% else %}
|
||||
{% from _self import comments_input %}
|
||||
{{ comments_input(category, user, perms) }}
|
||||
{{ comments_input(category, user, perms, null, return_url) }}
|
||||
{% endif %}
|
||||
</div>
|
||||
|
||||
|
@ -203,7 +203,7 @@
|
|||
{% if posts|length > 0 %}
|
||||
{% from _self import comments_entry %}
|
||||
{% for comment in posts %}
|
||||
{{ comments_entry(comment, 1, category, user, colour, perms) }}
|
||||
{{ comments_entry(comment, 1, category, user, colour, perms, return_url) }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
<div class="comments__none" id="_no_comments_notice_{{ category.id }}">
|
||||
|
|
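Review bot: `comments_section`, `comments_entry` and `comments_input` gain a trailing `return_url` parameter with no default, and any caller still passing the old argument list gets Twig's implicit null, which then reaches `url('comment-create', {'return': return_url})` and the other `url()` calls in this file; what `url()` renders for a null placeholder is not visible here, but if it emits `return=` then comments.php receives an empty string rather than an absent parameter and its Referer fallback never applies. Consider an explicit default on each macro, `{% macro comments_section(category, return_url = null) %}`, plus a `{# return_url: page to send the user back to after a comment action #}` comment at the macro head. As a style point, the dislike link in the `@@ -113` hunk keeps `'vote':dislike_vote_state` while the like link above it was reformatted to `'vote': like_vote_state`; make the two consistent.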
|
@ -69,6 +69,6 @@
|
|||
|
||||
<div class="container">
|
||||
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments for ' ~ change_info.date) }}
|
||||
{{ comments_section(comments_info) }}
|
||||
{{ comments_section(comments_info, canonical_url) }}
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
|
|
@ -58,7 +58,7 @@
|
|||
{% if is_date %}
|
||||
<div class="container">
|
||||
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
|
||||
{{ comments_section(comments_info) }}
|
||||
{{ comments_section(comments_info, canonical_url) }}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% endblock %}
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
{% if comments_info is defined %}
|
||||
<div class="container">
|
||||
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
|
||||
{{ comments_section(comments_info) }}
|
||||
{{ comments_section(comments_info, canonical_url) }}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% endblock %}
|
||||
|
|