Customized version of FreshRSS, a self-hosted RSS feed aggregator https://git.rdnlsmith.com/fresh-rss-custom/atom?h=1.26.3 2025-05-23T20:12:05+00:00 2025-05-23T20:12:05+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-05-23T20:12:05+00:00 urn:sha1:5f45df3168d7733c401c13d12f97ff8030211f0a Strip `bgcolor`, `text`, `background`, `link`, `alink`, `vlink` fix https://github.com/FreshRSS/FreshRSS/issues/7604 2025-05-10T21:17:25+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-05-10T21:17:25+00:00 urn:sha1:532d229d3396817f702c1ecae79fb7f9bdad9a64 * Fix newest articles not shown Case when processing was faster than 1 second. fix https://github.com/FreshRSS/FreshRSS/issues/7412 Regression from https://github.com/FreshRSS/FreshRSS/pull/7149 * Simplify uTimeString() PHPStan has become a bit smarter 2025-05-07T08:47:09+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-05-07T08:47:09+00:00 urn:sha1:3f187395eaed8d6e455adb454a65f9e2503f390a It is too late to check for minimum version check in `lib_rss.php` because that file already contains some relatively new PHP language constructs, which will lead to a syntax error - when running with an old PHP version - instead of the expected error message. Moved to `constants.php` for now. Example of syntax error with PHP 7.4: ``` PHP Parse error: syntax error, unexpected '|', expecting '{' in /var/www/FreshRSS/lib/lib_rss.php on line 166 ``` Should help users like in: * https://github.com/FreshRSS/FreshRSS/discussions/7539 * https://github.com/FreshRSS/FreshRSS/issues/7557 2025-05-02T07:47:57+00:00 Inverle inverle@proton.me 2025-05-02T07:47:57+00:00 urn:sha1:4568111c00813756a3a34a381d684b8354fc4438 * Fix file serving for symlinked extensions from ext.php * Don't resolve symlink when deleting extension * Minor syntax --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-28T20:51:54+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-04-28T20:51:54+00:00 urn:sha1:6bb8680ae0051b9a2ff344f17814f4fa5d844628 When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more. 2025-04-12T22:01:09+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-04-12T22:01:09+00:00 urn:sha1:f58dea6a5abec4da2b14eb808221b3f28d6160d0 Sanitize buttons with a form or formaction attribute. 2025-04-07T06:33:13+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-04-07T06:33:13+00:00 urn:sha1:d3d9acca9f905fc03d6151f6ad75567256310831 Prevent using `Remote-User`, `X-WebAuth-User` during Web scraping. 2025-04-05T22:47:45+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-04-05T22:47:45+00:00 urn:sha1:54e2f9107d03c5b3bb260f38fdb2736bce449fd4 We do not sanitize this attribute well enough, so striped for now. It is rarely used: I have not seen any use of it in any of my many test feeds. Can be added back when we can handle its inherent security issues better. 2025-04-01T10:23:56+00:00 maTh 1645099+math-GH@users.noreply.github.com 2025-04-01T10:23:56+00:00 urn:sha1:1f624bc5e2fc720b7f570b4b217860747ef5dc65 * Referrer-Policy: same-origin * same-origin for our own images --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> 2025-01-26T22:19:44+00:00 Alexandre Alapetite alexandre@alapetite.fr 2025-01-26T22:19:44+00:00 urn:sha1:d7ca2f8768fed347f6132a4cb98bd54c4d7163bb * Doc force-https https://github.com/FreshRSS/FreshRSS/discussions/7252#discussioncomment-11951183 * Forgotten ^ * More proper support for comments