summaryrefslogtreecommitdiffstats
path: root/web/html/addvote.php
AgeCommit message (Collapse)AuthorFilesLines
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-1/+6
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer1-5/+5
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij1-1/+1
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17test return value from db_query before assuming it is validelij1-2/+14
make the sql query form consistent in usage by cleaning up instances where db_query's result was not inspected before attempting to fetch row data from the handle Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix broken XHTML.Lukas Fleischer1-6/+10
Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2009-11-23Bring TU addvote into the current layout.Loui Chang1-13/+19
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-08-11Use include_once where applicableDan McGee1-1/+1
All of these are sourcing function libraries so we don't need to include them more than once. Things that insert actual HTML into the output were left calling include(). Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-06-18submit button i18nSergej Pupykin1-1/+1
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-01-19Use new conglomerated translation files.Loui Chang1-1/+0
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-12-22Make some translatable strings friendlier to common usage.Loui Chang1-3/+3
Removing trailing colons and whitespace makes them more usable. Signed-off-by: Loui Chang <louipc.ist@gmail.com> Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
2008-12-21Introduce function include_lang for translations.Loui Chang1-2/+2
This includes only the requested language for each page and makes top level language include files obsolete. Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-11-10Tweak TU interface for appearance.Loui Chang1-1/+0
Show ten votes per page instead of five. Change the vote preview to 75 characters so entries fit better in the table. Remove [More] links and make the description itself a link. Clean up a couple notices. Send unauthorised users to index.php. Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-10-09Setup translation for addvote.phpCallan Barrett1-15/+15
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com> Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-06-17Remove all vim mode lines. Add HACKING file.Loui Chang1-1/+0
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-01-20Add support for variable length votes in voting applicationCallan Barrett1-11/+27
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
2008-01-20AUR Voting ApplicationCallan Barrett1-0/+79
Added support for TU voting through AUR Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>