<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in action.php</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2025</copyright>
    <generator>Java</generator><item>
        <title>49d7ec0a0f9385eb9dab3ae4b2747fe04548a000 - Fix stored XSS in JSINFO embed and self-deadlocking write lock</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#49d7ec0a0f9385eb9dab3ae4b2747fe04548a000</link>
<description>Fix stored XSS in JSINFO embed and self-deadlocking write lock

Two serious bugs found during review, plus three minor fixes:

- Stored XSS: the inline-embedded annotation payload was encoded with
  JSON_UNESCAPED_SLASHES and appended into the page&apos;s inline &lt;script&gt;. A
  body containing &quot;&lt;/script&gt;&quot; closed the script element and injected
  arbitrary HTML, executing in every viewer&apos;s browser. Anyone who can
  annotate (AUTH_READ + login) could exploit it. Add JSON_HEX_TAG so &lt; and
  &gt; are escaped, neutralising every tag-based breakout.
- Write lock: mutate() held io_lock($file) and then called
  io_saveFile($file), which takes io_lock($file) again internally. The
  inner lock collided with the outer, busy-waiting ~3s for the stale-lock
  timeout on every create/edit/delete/resolve/clear and defeating mutual
  exclusion. Lock on a sentinel key ($file.lock) instead, leaving
  io_saveFile&apos;s own lock uncontended (matches DokuWiki TaskRunner idiom).
- style.css: the :root colour fallbacks were self-referential
  (var(--x) of themselves), i.e. cyclic and invalid, not a fallback.
  Replace with the literal config-default triplets.
- action.php: drop hsc() from a JSON error string (wrong context).
- script.js: refresh the open orphan drawer after a thread mutation so an
  edited body shows there too.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Wed, 03 Jun 2026 17:37:45 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>86c7806d6d41bce7c6d00acbee1316c62845cabb - Add config, selection guards, annotation overlap detection, and glow button</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#86c7806d6d41bce7c6d00acbee1316c62845cabb</link>
<description>Add config, selection guards, annotation overlap detection, and glow button

- Config: color_open / color_resolved (hex, drives CSS vars); embed_max_bytes,
  context_length, body_cap move from constants to conf/default + metadata.
  action.php injects --ann-open-rgb / --ann-resolved-rgb as CSS custom props;
  style.css escapes every rgba(var(&#8230;)) with LESS ~&quot;&#8230;&quot; so lesserphp doesn&apos;t
  bake them to #000000 at compile time.
- Selection guards: Annotate button suppressed inside .ann-* UI, #dw__toc,
  .docInfo, .secedit; the old endpoint-only isInsideHighlight is replaced by
  selectionHitsHighlight (range.intersectsNode over all highlight spans) so a
  selection overrunning an existing annotation on either side opens it instead
  of offering a new overlapping one.
- Glow: static amber box-shadow on .ann-tooltip .ann-btn (no animation).
- Removed email line from plugin.info.txt; updated GeneralTest accordingly.
- context_length fed to JS via JSINFO.annotations.contextLen so capture and
  PHP trimming stay in sync.
- conf/ + lang/*/settings.php + README/DESIGN updated.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Wed, 03 Jun 2026 09:48:21 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>108f92bd856af52ccb9e86517ad03d96f4a9273a - Eliminate load round-trip by embedding annotations in JSINFO</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#108f92bd856af52ccb9e86517ad03d96f4a9273a</link>
<description>Eliminate load round-trip by embedding annotations in JSINFO

action.php now reads the annotation list once during page render and
ships it inline as JSINFO.annotations.annotations, so script.js renders
immediately at DOMContentLoaded with no second AJAX bootstrap (~300 ms
saved per view). The embedded list also removes the double file read
that existed before (getStats called getAnnotations internally, then the
client fetched the same file again).

helper.php adds statsFor(array) so action.php can derive stats from the
already-loaded list instead of re-reading through getStats(). getStats
now delegates to it.

script.js uses the embedded list when present; falls back to the GET
load endpoint only when the list was too large to embed (&gt;128 KB cap).

Adds a window.load repositionMarkers call so gutter markers re-align
after late-loading images shift the layout.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Wed, 03 Jun 2026 05:41:55 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>ee9dbf1506bc8a2e17701b4e3c1bc1caf77e1561 - Add nested reply threading; sync docs</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#ee9dbf1506bc8a2e17701b4e3c1bc1caf77e1561</link>
<description>Add nested reply threading; sync docs

Replies can now be threaded under one another instead of only sitting
flat under their annotation.

Backend:
- helper.php: addReply() takes an optional parentId, stored on each reply
  after sanitising it to hex; an empty or unknown parent simply falls back
  to a top-level reply. Replies remain a flat list, with the parent link
  carried as data.
- action.php: the reply action forwards parentId and returns the full
  updated annotation (not just the new reply) so the client re-renders the
  whole thread in one round-trip. Also fix a stray-indented docblock and
  drop the inaccurate &quot;and exit&quot; wording on the JSON responders.

Docs / manifest:
- DESIGN.md: document the parentId field, the flat-storage-plus-client-tree
  model, and the full-annotation reply response.
- README.md: note that replies can nest.
- plugin.info.txt: bump the date.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Wed, 03 Jun 2026 05:12:45 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>da56206cc13612db0df36be97c0f01d8f3c5e9f4 - Fix highlight off-by-one, localise the UI, add tests</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#da56206cc13612db0df36be97c0f01d8f3c5e9f4</link>
<description>Fix highlight off-by-one, localise the UI, add tests

Anchoring (the core bug):
- Replace buildNormToRaw with normalizeWithMap so the normalised search
  string and the normalised-&gt;raw index map are built in one pass and share
  the same trimming. DokuWiki indents its content markup, so the collected
  text starts with a whitespace text node; the old untrimmed map shifted
  every highlight by a character. Verified on the live wiki: a quote now
  re-anchors exactly, including across element boundaries.
- Locate all matches first, then wrap last-to-first, so wrapping (which
  splits text nodes) never disturbs a not-yet-wrapped offset.
- Fix a pre-existing orphan double-count: renderAll passed an orphan total
  into updateCounter, which then recounted it from the _orphaned flags.

Localisation:
- Move front-end strings to $lang[&apos;js&apos;] (exposed as LANG.plugins.annotations)
  and read them via t()/fmt() with English fallbacks.
- Add de, ru and ja translations alongside en.

Conventions / cleanup:
- action.php: read request data via $INPUT; pass the CSRF token straight to
  checkSecurityToken($token) instead of poking $_POST/$_REQUEST; unify admin
  detection on auth_isadmin().
- helper.php: write annotation files with JSON_UNESCAPED_UNICODE | _SLASHES.
- Drop the dead ann-highlight-orphaned constant; set panel data-status so the
  resolved accent in style.css applies.

Tests:
- Add _test/GeneralTest.php (manifest + conf invariant) and _test/HelperTest.php
  (permission rules, CRUD, input cleaning, findOrphaned). 15 tests pass.

Docs: sync DESIGN.md and README.md; bump plugin.info.txt date.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Tue, 02 Jun 2026 16:47:05 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>f58805fb9cf627da9470aa65cb6297e32c24dbdf - Accept the CSRF token from the JSON request body</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#f58805fb9cf627da9470aa65cb6297e32c24dbdf</link>
<description>Accept the CSRF token from the JSON request body

checkSecurityToken() reads the token from $_REQUEST, which is empty when
the AJAX request body is application/json. Copy the payload&apos;s sectok into
$_POST / $_REQUEST before the check so state-changing JSON requests
validate instead of being rejected as forged.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Sat, 23 May 2026 05:08:07 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>7d2714c77fd8ba61fdbfa0765e160acc24014017 - Expose current user, admin flag and CSRF token to the front-end</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#7d2714c77fd8ba61fdbfa0765e160acc24014017</link>
<description>Expose current user, admin flag and CSRF token to the front-end

DokuWiki&apos;s JSINFO carries no user identity, so script.js could not tell
who was logged in and could not gate the edit/delete/resolve UI. Inject
user, isAdmin and the security token into JSINFO.annotations from
action.php, and read them from there instead of the non-existent
JSINFO.userinfo object and the #dw__token hidden field.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Sat, 23 May 2026 04:48:12 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>b8076f00444ff4b3b435c7112dca9c194858e3f7 - Fix JSINFO injection timing and gutter marker positioning</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#b8076f00444ff4b3b435c7112dca9c194858e3f7</link>
<description>Fix JSINFO injection timing and gutter marker positioning

handleMetaHeader() wrote the annotation payload to $JSINFO, but
tpl_metaheaders() has already serialised JSINFO into the inline &lt;script&gt;
by the time TPL_METAHEADER_OUTPUT fires, so the data never reached the
page. Append a `JSINFO.annotations = {...}` statement to that inline
block instead, and only inject it on show / export_xhtml views.

Anchor the gutter markers to .page (the article column) rather than
#dokuwiki__content: the latter&apos;s position:relative extended over the
sidebar and swallowed its navigation clicks.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Sat, 23 May 2026 04:36:01 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
<item>
        <title>43d2073c014d8cf78420fa47c6568a01e7249305 - Initial annotations plugin</title>
        <link>http://127.0.0.1:8080/history/plugin/annotations/action.php#43d2073c014d8cf78420fa47c6568a01e7249305</link>
<description>Initial annotations plugin

Word- and sentence-level annotations for DokuWiki pages: text-quote
anchoring, threaded replies, open/resolved status, gutter markers,
client- and server-side orphan detection, a per-user on/off toggle, and
admin per-page bulk-clear. Annotations are stored out-of-band in a
per-page JSON file, so the wiki changelog is never touched.

Built with Claude Opus 4.7 and Sonnet 4.6.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;

            List of files:
            /plugin/annotations/action.php</description>
        <pubDate>Sat, 23 May 2026 01:52:14 +0000</pubDate>
        <dc:creator>tracker-user &lt;82045103+tracker-user@users.noreply.github.com&gt;</dc:creator>
    </item>
</channel>
</rss>
