Changeset 2797:4a5f0d16acd2

Timestamp:

11/17/14 10:30:07 (11 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Add an optional setting (blog pref) to prevent blog from Clickjacking

Files:

• admin/blog_pref.php (modified) (3 diffs)
• inc/public/lib.urlhandlers.php (modified) (1 diff)
• locales/fr/main.po (modified) (1 diff)

admin/blog_pref.php

@@ -234 +234 @@
           $blog_settings->system->put('enable_xmlrpc',!empty($_POST['enable_xmlrpc']));
           $blog_settings->system->put('note_title_tag',$_POST['note_title_tag']);
-
           $blog_settings->system->put('nb_post_for_home',$nb_post_for_home);
           $blog_settings->system->put('nb_post_per_page',$nb_post_per_page);
@@ -250 +249 @@
           $blog_settings->system->put('nb_comment_per_feed',$nb_comment_per_feed);
           $blog_settings->system->put('short_feed_items',!empty($_POST['short_feed_items']));
-
           if (isset($_POST['robots_policy'])) {
                $blog_settings->system->put('robots_policy',$_POST['robots_policy']);
           }
+          $blog_settings->system->put('prevents_clickjacking',!empty($_POST['prevents_clickjacking']));
 
           # --BEHAVIOR-- adminBeforeBlogSettingsUpdate
@@ -606 +605 @@
      echo '</div>';
 
+     echo
+     '<div class="fieldset"><h4>'.__('Blog security').'</h4>'.
+     '<p><label for="prevents_clickjacking" class="classic">'.
+     form::checkbox('prevents_clickjacking','1',$blog_settings->system->prevents_clickjacking).
+     __('Protect the blog from Clickjacking (see <a href="https://en.wikipedia.org/wiki/Clickjacking">Wikipedia</a>)').'</label></p>'.
+     '<br class="clear" />'. //Opera sucks
+     '</div>';
 
      # --BEHAVIOR-- adminBlogPreferencesForm

inc/public/lib.urlhandlers.php

@@ -110 +110 @@
 
           header('Content-Type: '.$_ctx->content_type.'; charset=UTF-8');
+
+          if ($core->blog->settings->system->prevents_clickjacking) {
+               // Prevents Clickjacking as far as possible
+               header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
+          }
+
           $result['content'] = $core->tpl->getData($_ctx->current_tpl);
           $result['content_type'] = $_ctx->content_type;

locales/fr/main.po

@@ -3676 +3676 @@
 msgstr "Choisir une date"
 
+msgid "Blog security"
+msgstr "Sécurité du blog"
+
+msgid "Protect the blog from Clickjacking (see <a href=\"https://en.wikipedia.org/wiki/Clickjacking\">Wikipedia</a>)"
+msgstr "Protéger le blog des détournements de clic ou Clickjacking (voir <a href=\"https://fr.wikipedia.org/wiki/Clickjacking\">Wikipedia</a>)"
+
 #~ msgid "You don't have permissions to deactivate this plugin."
 #~ msgstr "Vous n'avez pas les permissions pour désactiver ce plugin."