diff --git a/app.php b/app.php
index 4fa803a..dd5d6a2 100644
--- a/app.php
+++ b/app.php
@@ -71,7 +71,7 @@ if (!is_empty($_GET['page'])) {
}
?>
-
+
-
+
diff --git a/mobile/index.php b/mobile/index.php
index e953b7e..f9f593a 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -90,6 +90,7 @@ switch ($VARS['action']) {
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
if (account_has_permission($VARS['username'], "INV_VIEW")) {
doLoginUser($VARS['username'], $VARS['password']);
+ $_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"]));
} else {
exit(json_encode(["status" => "ERROR", "msg" => lang("no permission", false)]));
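Review bot: `$_SESSION['mobile'] = true;` on the added line is never cleared anywhere in this change, and required.php selects its Content-Security-Policy on that flag, so a session that logs in once through the mobile endpoint keeps the weaker `'unsafe-inline'` script-src/style-src policy for every later request in that session, including the non-mobile pages. If only the mobile pages need the relaxed policy, derive the flag from the request (the mobile/ path) rather than persisting it in the session, or at minimum reset it in the logout path, which is not visible in this diff. What doLoginUser does to the session (for example whether it regenerates the session id) is also not visible here, so confirm the flag is written after any such step and survives it.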
diff --git a/pages/categories.php b/pages/categories.php
index dbc205f..363233d 100644
--- a/pages/categories.php
+++ b/pages/categories.php
@@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
?>
-
+
diff --git a/pages/editcat.php b/pages/editcat.php
index e9e276a..b08db62 100644
--- a/pages/editcat.php
+++ b/pages/editcat.php
@@ -59,7 +59,7 @@ if (!is_empty($VARS['id'])) {
-
+
diff --git a/pages/edititem.php b/pages/edititem.php
index a9427d7..1f51904 100644
--- a/pages/edititem.php
+++ b/pages/edititem.php
@@ -129,7 +129,7 @@ if (!is_empty($VARS['id'])) {
@@ -25,7 +25,7 @@ redirectifnotloggedin();
diff --git a/pages/items.php b/pages/items.php
index f071c08..a99994c 100644
--- a/pages/items.php
+++ b/pages/items.php
@@ -5,14 +5,14 @@ require_once __DIR__ . "/../lib/userinfo.php";
redirectifnotloggedin();
?>
-
+
-
+
var filter = null;\n";
+ echo "\n";
}
?>
diff --git a/pages/locations.php b/pages/locations.php
index e0f449c..94a1e5f 100644
--- a/pages/locations.php
+++ b/pages/locations.php
@@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
?>
-
+
diff --git a/required.php b/required.php
index 14fb684..ac71b36 100644
--- a/required.php
+++ b/required.php
@@ -10,12 +10,43 @@ header('Content-Type: text/html; charset=utf-8');
// l33t $ecurity h4x
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
+header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
+header('X-Frame-Options: "DENY"');
+header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
+$SECURE_NONCE = base64_encode(random_bytes(8));
+
+
$session_length = 60 * 60; // 1 hour
session_set_cookie_params($session_length, "/", null, false, false);
session_start(); // stick some cookies in it
// renew session cookie
setcookie(session_name(), session_id(), time() + $session_length);
+
+if ($_SESSION['mobile'] === TRUE) {
+ header("Content-Security-Policy: "
+ . "default-src 'self';"
+ . "object-src 'none'; "
+ . "img-src * data:; "
+ . "media-src 'self'; "
+ . "frame-src 'none'; "
+ . "font-src 'self'; "
+ . "connect-src *; "
+ . "style-src 'self' 'unsafe-inline'; "
+ . "script-src 'self' 'unsafe-inline'");
+} else {
+ header("Content-Security-Policy: "
+ . "default-src 'self';"
+ . "object-src 'none'; "
+ . "img-src * data:; "
+ . "media-src 'self'; "
+ . "frame-src 'none'; "
+ . "font-src 'self'; "
+ . "connect-src *; "
+ . "style-src 'self' 'nonce-$SECURE_NONCE'; "
+ . "script-src 'self' 'nonce-$SECURE_NONCE'");
+}
+
//
// Composer
require __DIR__ . '/vendor/autoload.php';
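Review bot: The new X-Frame-Options and Referrer-Policy values are wrapped in double quotes, which are not part of either header's grammar; browsers treat `"DENY"` and the quoted Referrer-Policy tokens as unknown values and ignore the headers, so neither protection is actually in effect. Drop the quotes: `header('X-Frame-Options: DENY');` and `header('Referrer-Policy: no-referrer, strict-origin-when-cross-origin');`. The `$_SESSION['mobile'] === TRUE` test reads an index that only the mobile login path sets, so every other request raises an undefined-index notice; `if (($_SESSION['mobile'] ?? false) === true) {` avoids that while keeping the strict comparison. Separately, `random_bytes(8)` gives the CSP nonce 64 bits of entropy where current guidance is at least 128 (`random_bytes(16)`), and `connect-src *` plus `img-src * data:` leave those fetch types effectively unrestricted, which deserves a comment if it is intentional.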
@@ -32,7 +63,21 @@ require __DIR__ . '/lang/' . LANGUAGE . ".php";
* @param string $error error message
*/
function sendError($error) {
- die("Error" . htmlspecialchars($error) . "
");
+ global $SECURE_NONCE;
+ die(""
+ . ""
+ . ""
+ . "Error"
+ . ""
+ . "A fatal application error has occurred.
"
+ . "(This isn't your fault.)"
+ . "Details:
"
+ . "". htmlspecialchars($error) . "
");
}
date_default_timezone_set(TIMEZONE);
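Review bot: `htmlspecialchars($error)` in the rebuilt sendError still uses the default flags, so on PHP versions before 8.1 an invalid UTF-8 byte in `$error` makes it return an empty string and the "Details" line silently goes blank; since this file already sends `charset=utf-8`, use `htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The function now also depends on `global $SECURE_NONCE`, which works only because the nonce is assigned unconditionally earlier in this file; a `@global string $SECURE_NONCE` line in the docblock (whose opening is outside the hunk) would make that coupling visible, and since the function always calls die() a `@return never` would document that too. The HTML markup inside the new die() string appears to have been stripped from this rendering, so the nonce attributes themselves cannot be checked here.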
diff --git a/static/css/app.css b/static/css/app.css
index e07d4d8..ca234cc 100644
--- a/static/css/app.css
+++ b/static/css/app.css
@@ -9,6 +9,28 @@
font-size: 110%;
}
+.navbar-brand img {
+ height: 35px;
+ padding-bottom: 12px;
+ padding-left: 5px;
+}
+
+.pad-75px {
+ height: 75px;
+}
+
+.mgn-btm-10px {
+ margin-bottom: 10px;
+}
+
+.mgn-top-8px {
+ margin-top: 8px;
+}
+
+.black-text {
+ color: black;
+}
+
.footer {
margin-top: 10em;
text-align: center;