| Age | Commit message (Collapse) | Author |
|---|
|
Discussion: https://github.com/FreshRSS/FreshRSS/discussions/7973
Changes proposed in this pull request:
- Add new extension hook "entry_before_add"
- Add new extension hook "entry_before_update"
How to test the feature manually:
1. Create extension that uses the hooks and confirm they are invoked correctly.
Extension to use for testing
https://github.com/rnkln/freshrss-xExtension-Discord/pull/2
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/7867
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/7887
We have two concepts: how much a feed is shown or not (controlled by priority), and how often a feed is refreshed (or not, in which case it is archived).
This PR removes the wording *Archived* from the *visibility* parameter, since this is not what it does.
|
|
Regression from #7763
Earlier regression which was fixed before #7626
In addition:
* get rid of `data-toggle` (refactor)
* show invalid login message if deleting account and entered incorrect password instead of redirect to 403
* remove unused reference to `r` parameter
* `forgetOpenCategories()` on login not on any crypto form
|
|
* Recovery: skip broken entries during CLI export/import
fix https://github.com/FreshRSS/FreshRSS/discussions/7927
```
25605/25605 (48 broken)
```
Help with *database malformed* or other corruption.
* Compatibility multiple databases
|
|
(consistency)
Related / follow-up: #7878
|
|
This replace the use of `en` through out the code.
|
|
1. `include`, `include_once`, `require` and `require_once` are expressions not functions, parentheses are not necessary.
2. to move up the directory tree, it's better to use the `dirname` function instead of relying on `/..`.
|
|
* Closes and fixes error from #7885
* `no-cache.txt` is now respected in `f.php`, `ext.php` and `serve` action in `extensionController`
* And in all other places that weren't checking for `no-cache.txt` (some extensions maybe)
|
|
A tag name must be unique and can't be used as a category. There were no error message when creating a tag identical to an existing category. Now, this is addressed.
See #7686
Closes #7686
Changes proposed in this pull request:
- add validation on tag creation
How to test the feature manually:
1. create a new category (ex: `HW`)
2. create a new tag with the same name as the new category (ex: `HW`)
3. validate that the appropriate error message is displayed
|
|
Before
<img width="1034" height="543" alt="image" src="https://github.com/user-attachments/assets/09408f81-42f1-4613-948b-b2c7e3ff2409" />
After
<img width="1031" height="536" alt="image" src="https://github.com/user-attachments/assets/d4dd3702-c8a5-4f8d-9014-b419a982d9ec" />
The current day is now included within statistics.
The `-1` thing started happening after #7752 but I'm not sure whether the correct solution is to display the current day or just fix it in the JS
For reference here's what the chart used to looked like:
<img width="1027" height="536" alt="image" src="https://github.com/user-attachments/assets/47a27bad-6593-4e84-a04f-e4385f601c6a" />
|
|
Follow-up to #7762
* Regenerate session ID on login
* Send only one cookie
* Improvements
* Delete old session file
* Simplify
* Make function consistent with others
|
|
The set language is used inside paths and can lead to issues by including PHP files from other locations
|
|
* Decode dynamic OPML url during fetch
* add ENT_QUOTES
* Store as plaintext instead of decoding
|
|
Otherwise, it is only called when calling `httpGet()` which can be rare for users not using Web Scraping.
https://github.com/FreshRSS/FreshRSS/discussions/7784#discussioncomment-14109207
|
|
https://github.com/php/php-src/blob/php-8.5.0beta1/NEWS
https://php.net/function.curl-close
> This function has no effect. Prior to PHP 8.0.0, this function was used to close the resource.
|
|
* Puts CSP everywhere in `p/api`
* including the HTML query page ❗
* Also in `p/ext.php`
* Puts `X-Content-Type-Options: nosniff` everywhere
* Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds)
* Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed
* Improves CSP of `p/f.php`
* Add `sandbox` directive
|
|
|
|
As well as reportPossiblyNonexistentConstantArrayOffset.
And disable PHPStan-next from GitHub Action, since the work is completed for now.
|
|
* Fix registration regression due to #7753
* Add missing access check
|
|
Makes it easier than having to sign in then go back to the website I clicked the bookmarklet on.
|
|
* Use main function `httpGet()` instead of local one;
* Use HTTP cache, also between users;
* Do not default to feed URL when there is no website URL
TODO for later: consider supporting Atom's `<icon>` and RSS 2.0's `<image>` https://github.com/FreshRSS/FreshRSS/issues/7774
|
|
* Implement sudo mode / reauthentication
* i18n: fr
* generate flags
* Improvements
* Remove HMAC check
* Don't require reauth to access logs when signed in as admin
* Notify user of bad login via notification instead
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Add missing access checks for feed-related actions
* fix whitespace
|
|
* Require current password when setting new password
* i18n: fr
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Implement support for HTTP 429 Too Many Requests
Will obey the corresponding HTTP `Retry-After` header at domain level.
* Implement 503 Service Unavailable
* Sanitize Retry-After
* Reduce default value when Retry-After is absent
And make configuration parameter
* Retry-After also for favicons
|
|
* `before_login_btn` hook + system conf attributes
* phpstan fix
* Refactoring
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
To make the session cookie no longer usable if hijacked and put in another browser after user logs out
|
|
|
|
|
|
And add support for HTTP Link header for "self" URL
Changing URL based on "self" URL will only be done when coming from a WebSub push
fix https://github.com/FreshRSS/FreshRSS/issues/7737
|
|
* Sort by category name, feed name
fix https://github.com/FreshRSS/FreshRSS/issues/7698
Note that sorting is done with the default SQL collation for now, meaning that lower-case vs. upper-case and diacritics are influencing the sorting order. Improvements left for future work.
Watch out that those sorting criteria are slower due to additional joins, additional requests, and poorer indexes.
* i18n:pl
Co-authored-by: Inverle <inverle@proton.me>
* i18n: nl
Co-authored-by: Frans de Jonge <fransdejonge@gmail.com>
* Fix preserve sort
---------
Co-authored-by: Inverle <inverle@proton.me>
Co-authored-by: Frans de Jonge <fransdejonge@gmail.com>
|
|
Related: https://github.com/FreshRSS/xExtension-Demo/pull/2, https://github.com/FreshRSS/FreshRSS/pull/7559#issuecomment-2858083635
Mostly to make sure that no one is able to break the demo instance
But the issues below could possibly be exploited in other scenarios too:
* Setting a theme like `../../lib/core-extensions/UserJS`: this directory contains `metadata.json` like themes do, so FreshRSS treats it as a theme after setting it and doesn't load any CSS
* Setting a theme like `x dropdown-menu`: the `dropdown-menu` class was able to get injected into the `<body>` element since https://github.com/FreshRSS/FreshRSS/pull/7559 and turn every page blank
|
|
Closes #3789, #6503
Icon setting when no custom icon is set yet:
- `Change...` button opens a file dialog, and after selecting a file shows the chosen icon in the preview on the left. `Submit` must be clicked after selecting the icon.
- `Reset to default` changes the preview icon to the default one, and also requires `Submit` to be clicked to apply the changes.
Full list of changes:
- CSP now includes `blob:` in `img-src` for
- `indexAction()` and `feedAction()` in `subscriptionController.php`
- all of the view actions in `indexController.php`
- Introduce new attribute `customFavicon (boolean)` for feeds that indicates if the feed has a custom favicon
- `hashFavicon()` in `Feed.php` is dependent on this attribute
- `hashFavicon()` has a new parameter called `skipCache (boolean)` that allows the reset of the favicon hash for the Feed object
- `resetFaviconHash()` just calls `hashFavicon(skipCache: true)`
- `f.php` URLs now have the format of `/f.php?h=XXXXX&t=cachebuster`, where the `t` parameter is only used for serving custom favicons
- if `t` parameter is set, `f.php` returns a `Cache-Control: immutable` header
- `stripos` and `strpos` were changed to `str_contains` in various places (refactor)
- JS for handling the custom favicon configuration logic is in `extra.js` inside `init_update_feed()` which is called when feed configuration is opened from the aside or when the subscription management page with the feed is loaded
- Server-side code for uploading the icon in `subscriptionController.php` under `feedAction()`
- Errors that may occur during the setting of a custom favicon:
- Unsupported image file type (handled only server-side with `isImgMime()`)
- When the file is bigger than 1 MiB (default), handled both client-side and server-side
- Standard feed error when `updateFeed()` fails
- JS vars `javascript_vars.phtml` are no longer escaped with `htmlspecialchars()`, instead with json encoding,
- CSS for disabled buttons was added
- Max favicon file size is configurable with the `max_favicon_upload_size` option in `config.php` (not exposed via UI)
- Custom favicons are currently deleted only when they are either reset to the default icon, or the feed gets deleted. They do not get deleted when the user deletes their account without removing their feeds first.
- ` faviconPrepare()` and `faviconRebuild()` are not allowed to be called when the `customFavicon` attribute is `true`
- New i18n strings:
- `'sub.feed.icon' => 'Icon'`
- `'sub.feed.change_favicon' => 'Change…'`
- `'sub.feed.reset_favicon' => 'Reset to default'`
- `'sub.feed.favicon_changed_by_ext' => 'The icon has been set by the <b>%s</b> extension.'`
- `'feedback.sub.feed.favicon.too_large' => 'Uploaded icon is too large. The maximum file size is <em>%s</em>.'`
- `'feedback.sub.feed.favicon.unsupported_format' => 'Unsupported image file format!'`
- Extension hook `custom_favicon_hash`
- `setCustomFavicon()` method
- `resetCustomFavicon()` method
- `customFaviconExt` and `customFaviconDisallowDel` attributes
- example of usage: https://github.com/FreshRSS/Extensions/pull/337
- Extension hook `custom_favicon_btn_url`
- Allows extensions to implement a button for setting a custom favicon for individual feeds by providing an URL. The URL will be sent a POST request with the `extAction` field set to either `query_icon_info` or `update_icon`, along with an `id` field which describes the feed's ID.
|
|
+ Fix for 404 error when trying to refresh the feeds from a view extension. Without this change, this happens:
1. Starting on the extension view: https://freshrss.example.net/i/?c=freshvibes&tab=test&rid=6858299a5c2f0
2. Clicking refresh redirects to https://freshrss.example.net/i/?c=feed&a=actualize with status 302
3. Then to https://freshrss.example.net/i/?get=f_0&rid=685872529cbe9 with status 302
4. Finally, to https://freshrss.example.net/i/?c=error&rid=685872529cbe9 with 404.
|
|
* + Exposed the reading modes for extensions through Minz. Now extensions can add a custom view mode. Graceful fallback to normal view in case the extension was disabled without resetting the view_mode through the uninstall method. In that case the user will be informed via Minz_Request::setBadNotification that the view has been reset to normal.
+ Added translation strings for de, en and en-us for the notification
* + Added missing, generated translations
* Simplify indexAction, performance
* Minor settings htmlspecialchars
* i18n: fr
* Minor wording
* Doc
* Fix i18n
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Restore user config from backup when it doesn't exist
* Supress warnings
* Remove copied config if copy() fails
* `return false` after `unlink()`
* Performance
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Handle redirects when scraping feed from HTML
* pass codesniffer
* pass PHPStan
* Optimize
* Another approach relying on HTML base
Standard way to save an HTML document with relative references
* Fix case of existing HTML base
which should not be overriden
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/7612
|
|
* Fix newest articles not shown
Case when processing was faster than 1 second.
fix https://github.com/FreshRSS/FreshRSS/issues/7412
Regression from https://github.com/FreshRSS/FreshRSS/pull/7149
* Simplify uTimeString()
PHPStan has become a bit smarter
|
|
Using POST with JSON would add `Content-Type: application/json` again and again everytime the feed's settings were saved
|
|
* Secure serving of user files from extensions
fix https://github.com/FreshRSS/FreshRSS/issues/4930
* More fixes
* Typo
|
|
* Use HTTP POST for logout
To avoid potential CSRF risks
* Fixed button font issue
* Minor whitespace
|
|
* Catch extension exceptions in override
https://github.com/FreshRSS/Extensions/pull/300#issuecomment-2768578464
* Fix error message
|
|
The security risks look higher than the minor convinience
Modify https://github.com/FreshRSS/FreshRSS/pull/1024
|
|
* Fix escaping of tag search
fix https://github.com/FreshRSS/FreshRSS/issues/7466
* Minor clarity
|
|
https://github.com/dcodeIO/bcrypt.js/releases/tag/v3.0.0
Can be updated to the latest version with:
`curl -L https://unpkg.com/bcryptjs/umd/index.js > p/scripts/vendor/bcrypt.js`
|
|
* settings
* i18n: mark_read_button
* big, small, none
* fix
* Fixes
* make fix-all
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
compared. (#7416)
Fix issue where $keepMax is defaulted to const when non-zero value is compared.
Fix an issue where $keepMax var is set to ARCHIVING_RETENTION_COUNT_LIMIT
when a user sets "Archiving" -> "Maximum number of articles to keep per
feed" to a non-zero value for a given category.
[EXAMPLE]:
User sets value to 50 (int), This matches the !== comparison and
thus is overridden by ARCHIVING_RETENTION_COUNT_LIMIT.
|
KleinMann
Alexandre Alapetite
Inverle
Alexis Degrugillier
Stefan
maTh
Bryan Butler
