No longer rely on Referer header for the comments return URL.
This commit is contained in:
parent
061d4c8a8f
commit
0c9bac473b
6 changed files with 23 additions and 25 deletions
|
@ -3,9 +3,7 @@ namespace Misuzu;
|
||||||
|
|
||||||
use RuntimeException;
|
use RuntimeException;
|
||||||
|
|
||||||
// basing whether or not this is an xhr request on whether a referrer header is present
|
$redirect = filter_input(INPUT_GET, 'return') ?? $_SERVER['HTTP_REFERER'] ?? url('index');
|
||||||
// this page is never directy accessed, under normal circumstances
|
|
||||||
$redirect = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : url('index');
|
|
||||||
|
|
||||||
if(!is_local_url($redirect)) {
|
if(!is_local_url($redirect)) {
|
||||||
echo render_info('Possible request forgery detected.', 403);
|
echo render_info('Possible request forgery detected.', 403);
|
||||||
|
|
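Review bot: The new assignment at `$redirect = filter_input(INPUT_GET, 'return') ?? $_SERVER['HTTP_REFERER'] ?? url('index');` only falls through to the Referer when `return` is absent, so an empty `?return=` yields `''` and an array-valued `?return[]=` makes `filter_input()` return `false`; both then reach `is_local_url()` instead of the fallback, whereas the removed `!empty()` check at least covered the empty case. A tolerant form is `$redirect = filter_input(INPUT_GET, 'return') ?: ($_SERVER['HTTP_REFERER'] ?? url('index'));`. With `return` now taken from the query string, `is_local_url()` is the sole guard against an open redirect; it is not in this hunk, so I cannot confirm it rejects protocol-relative `//host` values and non-string input, which is worth checking. The commit title says the Referer is no longer relied on, but it remains the fallback here; a comment such as `// prefer the explicit return URL; Referer is only a best-effort fallback and is still validated below` would make that intent clear.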
12
src/url.php
12
src/url.php
|
@ -80,12 +80,12 @@ define('MSZ_URLS', [
|
||||||
'settings-logs' => ['/settings/logs.php'],
|
'settings-logs' => ['/settings/logs.php'],
|
||||||
'settings-data' => ['/settings/data.php'],
|
'settings-data' => ['/settings/data.php'],
|
||||||
|
|
||||||
'comment-create' => ['/comments.php', ['m' => 'create']],
|
'comment-create' => ['/comments.php', ['m' => 'create', 'return' => '<return>']],
|
||||||
'comment-vote' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'vote', 'v' => '<vote>']],
|
'comment-vote' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'vote', 'v' => '<vote>', 'return' => '<return>']],
|
||||||
'comment-delete' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'delete']],
|
'comment-delete' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'delete', 'return' => '<return>']],
|
||||||
'comment-restore' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'restore']],
|
'comment-restore' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'restore', 'return' => '<return>']],
|
||||||
'comment-pin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'pin']],
|
'comment-pin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'pin', 'return' => '<return>']],
|
||||||
'comment-unpin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'unpin']],
|
'comment-unpin' => ['/comments.php', ['c' => '<comment>', 'csrf' => '{csrf}', 'm' => 'unpin', 'return' => '<return>']],
|
||||||
|
|
||||||
'manage-index' => ['/manage'],
|
'manage-index' => ['/manage'],
|
||||||
|
|
||||||
|
|
|
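Review bot: Each comment route now carries `'return' => '<return>'`, and unlike `<comment>` or `<vote>` the substituted value is a full URL (the templates pass `canonical_url`); whether `url()` percent-encodes substituted placeholder values is not visible in this hunk. If it does not, a return URL containing `?`, `&` or `#` would be split into extra query parameters or truncated, and `/comments.php` would receive only a prefix to validate and redirect to. Worth confirming in the `url()` implementation, or documenting on the `MSZ_URLS` map with `// <return> is a full local URL and must be query-encoded on substitution`.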
@ -1,11 +1,11 @@
|
||||||
{% macro comments_input(category, user, perms, reply_to) %}
|
{% macro comments_input(category, user, perms, reply_to, return_url) %}
|
||||||
{% set reply_mode = reply_to is not null %}
|
{% set reply_mode = reply_to is not null %}
|
||||||
|
|
||||||
{% from 'macros.twig' import avatar %}
|
{% from 'macros.twig' import avatar %}
|
||||||
{% from '_layout/input.twig' import input_hidden, input_csrf, input_checkbox %}
|
{% from '_layout/input.twig' import input_hidden, input_csrf, input_checkbox %}
|
||||||
|
|
||||||
<form class="comment comment--input{% if reply_mode %} comment--reply{% endif %}"
|
<form class="comment comment--input{% if reply_mode %} comment--reply{% endif %}"
|
||||||
method="post" action="{{ url('comment-create') }}"
|
method="post" action="{{ url('comment-create', {'return': return_url}) }}"
|
||||||
id="comment-{{ reply_mode ? 'reply-' ~ reply_to.id : 'create-' ~ category.id }}">
|
id="comment-{{ reply_mode ? 'reply-' ~ reply_to.id : 'create-' ~ category.id }}">
|
||||||
{{ input_hidden('comment[category]', category.id) }}
|
{{ input_hidden('comment[category]', category.id) }}
|
||||||
{{ input_csrf() }}
|
{{ input_csrf() }}
|
||||||
|
@ -40,7 +40,7 @@
|
||||||
</form>
|
</form>
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
{% macro comments_entry(comment, indent, category, user, colour, perms) %}
|
{% macro comments_entry(comment, indent, category, user, colour, perms, return_url) %}
|
||||||
{% from 'macros.twig' import avatar %}
|
{% from 'macros.twig' import avatar %}
|
||||||
{% from '_layout/input.twig' import input_checkbox_raw %}
|
{% from '_layout/input.twig' import input_checkbox_raw %}
|
||||||
|
|
||||||
|
@ -113,14 +113,14 @@
|
||||||
{% set dislike_vote_state = userVote < 0 ? 0 : -1 %}
|
{% set dislike_vote_state = userVote < 0 ? 0 : -1 %}
|
||||||
|
|
||||||
<a class="comment__action comment__action--link comment__action--vote comment__action--like{% if userVote > 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ like_vote_state }}"
|
<a class="comment__action comment__action--link comment__action--vote comment__action--like{% if userVote > 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ like_vote_state }}"
|
||||||
href="{{ url('comment-vote', {'comment':comment.id,'vote':like_vote_state}) }}">
|
href="{{ url('comment-vote', {'comment': comment.id, 'vote': like_vote_state, 'return': return_url}) }}">
|
||||||
Like
|
Like
|
||||||
{% if likes > 0 %}
|
{% if likes > 0 %}
|
||||||
({{ likes|number_format }})
|
({{ likes|number_format }})
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</a>
|
</a>
|
||||||
<a class="comment__action comment__action--link comment__action--vote comment__action--dislike{% if userVote < 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ dislike_vote_state }}"
|
<a class="comment__action comment__action--link comment__action--vote comment__action--dislike{% if userVote < 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ dislike_vote_state }}"
|
||||||
href="{{ url('comment-vote', {'comment':comment.id,'vote':dislike_vote_state}) }}">
|
href="{{ url('comment-vote', {'comment': comment.id, 'vote':dislike_vote_state, 'return': return_url}) }}">
|
||||||
Dislike
|
Dislike
|
||||||
{% if dislikes > 0 %}
|
{% if dislikes > 0 %}
|
||||||
({{ dislikes|number_format }})
|
({{ dislikes|number_format }})
|
||||||
|
@ -131,16 +131,16 @@
|
||||||
<label class="comment__action comment__action--link" for="comment-reply-toggle-{{ comment.id }}">Reply</label>
|
<label class="comment__action comment__action--link" for="comment-reply-toggle-{{ comment.id }}">Reply</label>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %}
|
{% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %}
|
||||||
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment':comment.id}) }}">Delete</a>
|
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment': comment.id, 'return': return_url}) }}">Delete</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{# if user is not null %}
|
{# if user is not null %}
|
||||||
<a class="comment__action comment__action--link comment__action--hide" href="#">Report</a>
|
<a class="comment__action comment__action--link comment__action--hide" href="#">Report</a>
|
||||||
{% endif #}
|
{% endif #}
|
||||||
{% if not isReply and perms.can_pin|default(false) %}
|
{% if not isReply and perms.can_pin|default(false) %}
|
||||||
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment':comment.id}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
|
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment': comment.id, 'return': return_url}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% elseif perms.can_delete_any|default(false) %}
|
{% elseif perms.can_delete_any|default(false) %}
|
||||||
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment':comment.id}) }}">Restore</a>
|
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment': comment.id, 'return': return_url}) }}">Restore</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
@ -150,11 +150,11 @@
|
||||||
{% from _self import comments_entry, comments_input %}
|
{% from _self import comments_entry, comments_input %}
|
||||||
{% if user|default(null) is not null and category|default(null) is not null and perms.can_post|default(false) %}
|
{% if user|default(null) is not null and category|default(null) is not null and perms.can_post|default(false) %}
|
||||||
{{ input_checkbox_raw('', false, 'comment__reply-toggle', '', false, {'id':'comment-reply-toggle-' ~ comment.id}) }}
|
{{ input_checkbox_raw('', false, 'comment__reply-toggle', '', false, {'id':'comment-reply-toggle-' ~ comment.id}) }}
|
||||||
{{ comments_input(category, user, perms, comment) }}
|
{{ comments_input(category, user, perms, comment, return_url) }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if replies|length > 0 %}
|
{% if replies|length > 0 %}
|
||||||
{% for reply in replies %}
|
{% for reply in replies %}
|
||||||
{{ comments_entry(reply, indent + 1, category, user, colour, perms) }}
|
{{ comments_entry(reply, indent + 1, category, user, colour, perms, return_url) }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
|
@ -162,7 +162,7 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
{% macro comments_section(category) %}
|
{% macro comments_section(category, return_url) %}
|
||||||
{% set user = category.user %}
|
{% set user = category.user %}
|
||||||
{% set colour = category.colour %}
|
{% set colour = category.colour %}
|
||||||
{% set posts = category.posts %}
|
{% set posts = category.posts %}
|
||||||
|
@ -189,7 +189,7 @@
|
||||||
</div>
|
</div>
|
||||||
{% else %}
|
{% else %}
|
||||||
{% from _self import comments_input %}
|
{% from _self import comments_input %}
|
||||||
{{ comments_input(category, user, perms) }}
|
{{ comments_input(category, user, perms, null, return_url) }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@
|
||||||
{% if posts|length > 0 %}
|
{% if posts|length > 0 %}
|
||||||
{% from _self import comments_entry %}
|
{% from _self import comments_entry %}
|
||||||
{% for comment in posts %}
|
{% for comment in posts %}
|
||||||
{{ comments_entry(comment, 1, category, user, colour, perms) }}
|
{{ comments_entry(comment, 1, category, user, colour, perms, return_url) }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% else %}
|
{% else %}
|
||||||
<div class="comments__none" id="_no_comments_notice_{{ category.id }}">
|
<div class="comments__none" id="_no_comments_notice_{{ category.id }}">
|
||||||
|
|
|
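Review bot: The new dislike `href` at `url('comment-vote', {'comment': comment.id, 'vote':dislike_vote_state, 'return': return_url})` drops the space after `'vote':` while the matching like-link line a few lines above writes `'vote': like_vote_state`; the two should be formatted alike. Every macro here also gains a trailing `return_url` parameter with no default, so any caller not updated in this commit passes `null` and the generated action links carry an empty `return` value; whether `url()` omits a null parameter is not visible here. If it does not, `/comments.php` would see `return=` rather than a missing parameter and skip its fallback.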
@ -69,6 +69,6 @@
|
||||||
|
|
||||||
<div class="container">
|
<div class="container">
|
||||||
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments for ' ~ change_info.date) }}
|
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments for ' ~ change_info.date) }}
|
||||||
{{ comments_section(comments_info) }}
|
{{ comments_section(comments_info, canonical_url) }}
|
||||||
</div>
|
</div>
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
|
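Review bot: `canonical_url` is passed as the comments return target at `{{ comments_section(comments_info, canonical_url) }}` but is not assigned anywhere in this hunk, so it must already be present in every render context that reaches this block; if it is undefined on some page, Twig yields `null` and every comment action link is emitted with an empty return value. The same applies to the two following template hunks, which make the identical call. A short comment above the call, `{# canonical_url is the post-action return target; /comments.php verifies it is a local URL #}`, would tell the next maintainer where the value is consumed.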
@ -58,7 +58,7 @@
|
||||||
{% if is_date %}
|
{% if is_date %}
|
||||||
<div class="container">
|
<div class="container">
|
||||||
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
|
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
|
||||||
{{ comments_section(comments_info) }}
|
{{ comments_section(comments_info, canonical_url) }}
|
||||||
</div>
|
</div>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
{% if comments_info is defined %}
|
{% if comments_info is defined %}
|
||||||
<div class="container">
|
<div class="container">
|
||||||
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
|
{{ container_title('<i class="fas fa-comments fa-fw"></i> Comments') }}
|
||||||
{{ comments_section(comments_info) }}
|
{{ comments_section(comments_info, canonical_url) }}
|
||||||
</div>
|
</div>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|