author: Inverle <inverle@proton.me> 2025-11-02 00:28:35 +0100
committer: GitHub <noreply@github.com> 2025-11-02 00:28:35 +0100
commit: 500d05f3c5ec3a3dffa7791f7447bc0d31d6f7e0
tree: a59a20582ecfa1ba6fc8d3df74b8d9edd3b901d8 /docs
parent: baf84575d4aa3fa7a73950cd2e91059b5f651906
Implement whitelist for SimplePie sanitizer (#7924)
* Implement whitelist for SimplePie sanitizer
  ref: https://github.com/FreshRSS/FreshRSS/pull/7770#issuecomment-3140334326
  https://github.com/FreshRSS/simplepie/pull/53
  https://github.com/simplepie/simplepie/pull/947
* Remove `<plaintext>` from whitelist
* Improve order
* Remove some tags from whitelist
* Revert partially
* sync
* Display contents of `<noscript>` and `<noembed>`
* sync
* Allow use of `<track>`
* sync again
* Sync to SimplePie fork https://github.com/FreshRSS/simplepie/pull/53
* Alphabetic order
* Reduce list of stripped attributes
* Temporarily strip some attributes

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'docs')
-rw-r--r--  docs/en/admins/10_ServerConfig.md  4
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/en/admins/10_ServerConfig.md b/docs/en/admins/10_ServerConfig.md
index 54f4f0fb4..c907221ea 100644
--- a/docs/en/admins/10_ServerConfig.md
+++ b/docs/en/admins/10_ServerConfig.md
@@ -116,9 +116,9 @@ server {
## Security
Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."`
-This will likely make your FreshRSS instance vulnerable to event handler XSS attacks, since FreshRSS does not yet blacklist all event attributes.
-✅ Example of good CSP: `default-src 'self' frame-ancestors 'self'`
+✅ Example of good CSP: `default-src 'self'; frame-ancestors 'self'`
+
❌ Bad CSP: `upgrade-insecure-requests`
Debug CSP header:
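Review bot: dropping the "This will likely make your FreshRSS instance vulnerable to event handler XSS attacks..." sentence leaves the paragraph with an instruction but no reason; the "does not yet blacklist all event attributes" wording is stale once the whitelist lands, but a one-line rationale (the CSP is a second layer that still blocks inline handlers if the sanitizer ever misses something) would keep the advice meaningful to admins. The semicolon added in `default-src 'self'; frame-ancestors 'self'` is the right correction: CSP directives are separated by `;`, so without it `frame-ancestors` and the following `'self'` are parsed as source expressions of `default-src` and the `frame-ancestors` directive is never applied.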