Disallow setting non-existent theme (#7722) - FreshRSS (Customized) - Customized version of FreshRSS, a self-hosted RSS feed aggregator

diff options

author	Inverle <inverle@proton.me>	2025-07-07 23:32:35 +0200
committer	GitHub <noreply@github.com>	2025-07-07 23:32:35 +0200
commit	6549932d59aef3b72a9da29294af0f30ffb77af5 (patch)
tree	e116708c29d14232295a0d7994dd24c9f977b437 /Docker
parent	ce22997dfbe4a8f2a6efa6f77d5b0bfc7b2dabd1 (diff)

Disallow setting non-existent theme (#7722)

Related: https://github.com/FreshRSS/xExtension-Demo/pull/2, https://github.com/FreshRSS/FreshRSS/pull/7559#issuecomment-2858083635 Mostly to make sure that no one is able to break the demo instance But the issues below could possibly be exploited in other scenarios too: * Setting a theme like `../../lib/core-extensions/UserJS`: this directory contains `metadata.json` like themes do, so FreshRSS treats it as a theme after setting it and doesn't load any CSS * Setting a theme like `x dropdown-menu`: the `dropdown-menu` class was able to get injected into the `<body>` element since https://github.com/FreshRSS/FreshRSS/pull/7559 and turn every page blank

Diffstat (limited to 'Docker')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: