FreshRSS (Customized)/lib, branch 1.26.2

Fix file serving for symlinked extensions (#7545)

2025-05-02T07:47:57+00:00

* Fix file serving for symlinked extensions from ext.php * Don't resolve symlink when deleting extension * Minor syntax --------- Co-authored-by: Alexandre Alapetite

Update phpmailer/phpmailer requirement from 6.9.3 to 6.10.0 in /lib (#7541)

2025-05-01T19:54:20+00:00

Updates the requirements on [phpmailer/phpmailer](https://github.com/PHPMailer/PHPMailer) to permit the latest version. - [Release notes](https://github.com/PHPMailer/PHPMailer/releases) - [Changelog](https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md) - [Commits](https://github.com/PHPMailer/PHPMailer/compare/v6.9.3...v6.10.0) --- updated-dependencies: - dependency-name: phpmailer/phpmailer dependency-version: 6.10.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bump phpstan/phpstan from 2.1.11 to 2.1.13 (#7534)

2025-05-01T09:50:12+00:00

* Bump phpstan/phpstan from 2.1.11 to 2.1.13 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 2.1.11 to 2.1.13. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Changelog](https://github.com/phpstan/phpstan/blob/2.1.x/CHANGELOG.md) - [Commits](https://github.com/phpstan/phpstan/compare/2.1.11...2.1.13) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-version: 2.1.13 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Bump phpstan/phpstan from 2.1.11 to 2.1.13 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 2.1.11 to 2.1.13. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Changelog](https://github.com/phpstan/phpstan/blob/2.1.x/CHANGELOG.md) - [Commits](https://github.com/phpstan/phpstan/compare/2.1.11...2.1.13) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-version: 2.1.13 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Fix PHPStan --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alexandre Alapetite

HTTP Auth disallow multiple headers (#7528)

2025-04-28T20:51:54+00:00

When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.

SimplePie: Fix support for feeds with XML preample + DTD (#7515)

2025-04-18T12:59:46+00:00

Regression from https://github.com/FreshRSS/FreshRSS/pull/4374 fix: https://github.com/FreshRSS/FreshRSS/issues/7514 https://github.com/FreshRSS/simplepie/pull/35 Upstream PR: https://github.com/simplepie/simplepie/pull/914

SimplePie forbit formaction attribute (#7506)

2025-04-12T22:01:09+00:00

Sanitize buttons with a form or formaction attribute.

Secure serving of user files from extensions (#7495)

2025-04-07T06:47:42+00:00

* Secure serving of user files from extensions fix https://github.com/FreshRSS/FreshRSS/issues/4930 * More fixes * Typo

Web scraping forbid security headers in cURL (#7496)

2025-04-07T06:33:13+00:00

Prevent using `Remote-User`, `X-WebAuth-User` during Web scraping.

Disallow iframe srcdoc for now (#7494)

2025-04-05T22:47:45+00:00

We do not sanitize this attribute well enough, so striped for now. It is rarely used: I have not seen any use of it in any of my many test feeds. Can be added back when we can handle its inherent security issues better.

Catch extension exceptions in override (#7475)

2025-04-01T15:55:20+00:00

* Catch extension exceptions in override https://github.com/FreshRSS/Extensions/pull/300#issuecomment-2768578464 * Fix error message