@thibaudcolas
Last active March 16, 2017 15:09
New explorer self-XSS tester

Copy/pasteable script to try out the latest version of the Wagtail explorer on any Wagtail site that runs the admin API v2.

⚠️ This is an XSS injection. Use at your own risk. None of the scripts loaded will alter any data, but they certainly have the power to do so.

Usage

  1. Log into a Wagtail site's admin interface
  2. Open the developer tools
  3. Copy/paste the following into the console:
startPage = 1; extraParams = ''; s = document.createElement('script'); s.src = 'https://rawgit.com/thibaudcolas/9edd4614a716ac7fbc9633f10908f316/raw/cd155015128a7885458c50c7763688c6d3594ee0/s.js'; document.querySelector('head').appendChild(s);

Further customisation:

  • startPage can be any page ID.
  • extraParams is appended at the end of the API call's query string. For example, set it to &order=-id to order pages in the explorer by decreasing ID.

This will load all static assets from the dist/react-explorer-wip branch on Springload's Wagtail fork (which runs at https://wagtaildemo-springload.herokuapp.com/). This is buggy but good enough to look at how the explorer behaves on any site's content.

Development

git diff-tree --no-commit-id --name-only -r dcbe17d91b81018fd814541a31272b2d52b11672
(function(d) {
  // Branch on Springload's Wagtail fork that the built explorer assets are fetched from.
  var commit = 'dist/react-explorer-wip';

  // The explorer menu item in the admin sidebar. startPage and extraParams are the
  // globals set in the console before s.js is loaded, so this only works on an admin page.
  var toggle = document.querySelector('[data-explorer-menu-url]');
  toggle.setAttribute('data-explorer-start-page', window.startPage);
  toggle.parentNode.setAttribute('data-explorer-menu-item', true);

  // Config that the admin templates normally emit; redefined here so the newer
  // explorer build finds the admin API v2 endpoints, URLs and strings it expects.
  window.wagtailConfig = {
    ADMIN_API: {
      DOCUMENTS: '/admin/api/v2beta/documents/',
      IMAGES: '/admin/api/v2beta/images/',
      PAGES: '/admin/api/v2beta/pages/',
      EXTRA_CHILDREN_PARAMETERS: window.extraParams,
    },
    ADMIN_URLS: {
      PAGES: '/admin/pages/',
    },
    DATE_FORMATTING: {
      DATE_FORMAT: 'MMM. D, YYYY',
      SHORT_DATE_FORMAT: 'DD/MM/YYYY',
    },
    STRINGS: {
      PAGE: 'Page',
      PAGES: 'Pages',
      LOADING: 'Loading...',
      SERVER_ERROR: 'Server Error',
      NO_RESULTS: 'No results',
      SEE_CHILDREN: 'See Children',
      NO_DATE: 'No date',
      EXPLORE_ALL_IN: 'Explore all in',
    },
  };
  window.wagtailVersion = '1.6a1';

  // Drop the site's own admin stylesheets so they do not clash with the fork's CSS.
  Array.prototype.slice.call(document.querySelectorAll('[rel="stylesheet"]')).forEach(function(stylesheet) {
    stylesheet.parentNode.removeChild(stylesheet);
  });

  function loadCSS(href) {
    var link = d.createElement('link');
    link.rel = 'stylesheet';
    link.type = 'text/css';
    link.href = href;
    link.media = 'all';
    d.getElementsByTagName('head')[0].appendChild(link);
  }

  function loadJS(src, callback) {
    var script = d.createElement('script');
    script.type = 'text/javascript';
    script.onload = callback;
    script.src = src;
    d.getElementsByTagName('head')[0].appendChild(script);
  }

  loadCSS('https://rawgit.com/springload/wagtail/' + commit + '/wagtail/wagtailadmin/static/wagtailadmin/css/core.css');
  // vendor.js has to be present before wagtailadmin.js, so the two loads are chained.
  loadJS('https://rawgit.com/springload/wagtail/' + commit + '/wagtail/wagtailadmin/static/wagtailadmin/js/vendor.js', function() {
    loadJS('https://rawgit.com/springload/wagtail/' + commit + '/wagtail/wagtailadmin/static/wagtailadmin/js/wagtailadmin.js', function () {
      // The admin JS initialises on DOMContentLoaded, which has already fired on this
      // page; re-dispatch it so the freshly loaded explorer boots.
      var DOMContentLoaded_event = document.createEvent('Event');
      DOMContentLoaded_event.initEvent('DOMContentLoaded', true, true);
      window.document.dispatchEvent(DOMContentLoaded_event);
    });
  });
}(document));