summaryrefslogtreecommitdiffstats
path: root/web/template
AgeCommit message (Collapse)AuthorFilesLines
2012-07-06Wrap everything in a content cotainerLukas Fleischer2-28/+29
For consistency with archweb. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06Add archweb style sheetLukas Fleischer1-1/+2
* Add "archweb.css" from the master branch of archweb. We will use this as base style sheet in the future. * Add "aur.css" for AUR-specific extensions to "archweb.css". * Remove the "archnavbar.css" link from the header template since this is included in "archweb.css". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Use sane date format strings everywhereLukas Fleischer4-7/+7
We fixed this for the fields displayed on the package details page in commit b5fffe9a02cd4fd3b7da66e403f02eea89c8fcad. This should fix the remaining ones. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06pkg_details.php: Use sane format for date stringsLukas Fleischer1-3/+3
No need to show a full RFC 2822-compliant date here. Instead, display date, hours and minutes for "Last Updated" and "First Submitted" fields and display the date only for the out-of-date time stamp. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06Be consistent in PHP logical operator usagecanyonknight1-3/+3
A mix of logical operator styles are currently in use. The predominant style uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency is minor, but is easily avoided. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight6-2/+10
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-05-31HTML/DOM fixesDario Giovannetti1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Support canonical links to packagesLukas Fleischer2-2/+8
This is more user-friendly than supporting package IDs only and can be used as a basis to support direct links to AUR packages in places where links are computer-produced (e.g. Wiki templates). Addresses FS#21600 and FS#28839. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-08Always set the "To:" header when sending mailLukas Fleischer1-1/+1
Use "undisclosed-recipients: ;" when sending mass notifications (such as comment notifications and the like. Addresses FS#28229. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-02-19Merge branch 'maint'Lukas Fleischer4-7/+7
2012-02-19Escape all output strings in the header and footerLukas Fleischer2-4/+4
Escape each output string using htmlspecialchars(). These aren't exploitable; it's still better to escape them properly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-02-19Fix some more XSS vulnerabilitiesLukas Fleischer3-3/+3
Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02Add a new AUR_LOCATION settingDan McGee3-4/+4
This should be set to something like 'http://localhost' for development or 'https://aur.archlinux.org' in production. It ensures all links in the site stay in the development site and there is no sudden jump from development to production environments. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer1-1/+1
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer1-1/+1
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Remove a boatload of inline table stylesDan McGee4-24/+24
Replacing with CSS styles where appropriate. A previously unused CSS style is tweaked in the stylesheet to match most of what was done via non-CSS styling. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05web/template/login_form.php: Escape the request URILukas Fleischer1-1/+1
Reported-by: Thomas Bächler <thomas@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Link to current page in the login bar HTTPs linkLukas Fleischer1-2/+2
This is way more convenient if you follow a HTTP link. Implements FS#25757. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Add missing __() to category info in package detailsLukas Fleischer1-3/+3
This makes the "Category" label as well as "Change category" button on the package details page translatable. Fixes FS#25692. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add a configuration setting to disallow HTTP loginLukas Fleischer1-1/+9
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Remove unnecessary atype and uid lookup from package_details()Dan McGee1-0/+2
These were never used in the function. Where they are used is in the pkg_details.php template, so move them closer to their actual usage so as not to confuse poor programmers such as myself. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Allow for merging deleted packages into existing onesLukas Fleischer2-0/+4
Merge all comments and votes of deleted packages into another package if the "Merge with" field is used. Duplicate votes (votes from a user who already voted on the target package or voted on more than one of the deleted packages) are discarded. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee1-1/+1
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25fix incompatibility with php short open tagsFlorian Pritz1-1/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij2-3/+3
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17test return value from db_query before assuming it is validelij2-24/+36
make the sql query form consistent in usage by cleaning up instances where db_query's result was not inspected before attempting to fetch row data from the handle Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-09Added label tags for login form fields.Karlis Lauva1-5/+6
Lukas: Use tabs for indentation instead of spaces. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-20Use HTTPs for links in the main site navigation bar (fixes FS#23832).Lukas Fleischer1-7/+7
Basically just sync with what archweb currently uses, prefixing all relative URLs with "http://www.archlinux.org". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-19Use HTTPs for links in comment notification mails.Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-19urlencode() query args for main site package search (fixes FS#23774).Lukas Fleischer1-1/+1
There may be characters in package dependencies that are reserved within URLs (e.g. "+"). Use urlencode() to ensure those are encoded correctly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-06Make "Exact name" search option translatable.Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-06Add option to search for exact name matches only (fixes FS#23556).Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Add more stats to the front page tableDan McGee1-2/+18
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Add indentation to stats tableDan McGee1-30/+19
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Remove Dummy Package conceptDan McGee1-14/+7
Instead, we just store dependencies directly in the PackageDepends table. Since we don't use this info anywhere besides the package details page, there is little value in precalculating what is in the AUR vs. what is not. An upgrade path is provided via several SQL statements in the UPGRADING document. There should be no user-visible change from this, but the DB schema gets a bit more sane and we no longer have loads of junk packages in our tables that are never shown to the end user. This should also help the MySQL query planner in several cases as we no longer have to be careful to exclude dummy packages on every query. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Always set ModifiedTS including new packagesDan McGee1-5/+2
Set it equal to the SubmittedTS field, which will be our indication the package is new when we show the logo on the front page of the AUR. This results in the ability to remove the use of the unindexable GREATEST() function from the AUR code everywhere we had to use it before to handle the 0 timestamp case. Note that there is no race condition here in calling UNIX_TIMESTAMP() twice- it always returns the time at the beginning of statment execution: mysql> select unix_timestamp(), sleep(2), unix_timestamp(); +------------------+----------+------------------+ | unix_timestamp() | sleep(2) | unix_timestamp() | +------------------+----------+------------------+ | 1300851746 | 0 | 1300851746 | +------------------+----------+------------------+ 1 row in set (2.00 sec) Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix XSS vulnerability in "web/template/header.php".Lukas Fleischer1-2/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix XSS vulnerabilities in package comment templates.Lukas Fleischer2-3/+3
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-24Bump up default per-page value to 50Dan McGee1-1/+1
25 is woefully small for the number of packages many searches can return, and with 28000+ packages in AUR, it makes sense to show a lot more per page by default. The new choices of (50, 100, 250) happen to match those from the main site. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-15Fix main site package search URLDan McGee1-2/+2
I've been wanting to kill this one for a long time. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix XSS vulnerability in package search results and package details.Lukas Fleischer2-10/+10
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix broken XHTML.Lukas Fleischer9-108/+114
Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10More PHP Notice undefined fixupsDan McGee1-1/+5
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix outdated link in My Statistics paneDan McGee1-1/+1
Regression introduced in commit c39183c3ee7eb1. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Remove dead dependency/required by link codeDan McGee1-24/+7
For some reason we were doing this song and dance "iterate all the known parameters" business. This is totally unnecessary, clutters the links, and was spewing errors all over the place, so kill it. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notices in pkg_search_formDan McGee1-7/+7
If we were displaying this without coming from a previous query submit, notices were emitted all over the place. Fix them by adding an isset() first to each variable we try to access. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notice: requiredby arrayDan McGee1-3/+2
Required by query does not have a dep condition element. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix main site URLDan McGee1-2/+2
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Small template cleanupDan McGee1-2/+1
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-27Define "Packages.SubmitterUID" and "Packages.MaintainerUID" as "NULL".Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>