path: root/lib/lib_rss.php
Age  Commit message  Author
2025-12-17  Use native PHP #[Deprecated] (#8325)  Alexandre Alapetite
https://php.watch/versions/8.4/Deprecated
And enforce it with PHPUnit + PHPStan. Especially useful for extensions.
2025-12-16  Safer handling of DB null content (#8319)  Alexandre Alapetite
https://github.com/FreshRSS/FreshRSS/discussions/8314#discussioncomment-15261119
2025-11-11  Housekeeping lib_rss.php (#8193)  Alexandre Alapetite
* Housekeeping lib_rss.php
`lib_rss.php` had become much too large, especially after https://github.com/FreshRSS/FreshRSS/pull/7924
Moved most functions to other places. Mostly no change of code otherwise (see comments).
* Extension: composer run-script phpstan-third-party
2025-11-04  Create separate `Retry-After` files for proxies (#8029)  Inverle
* Create separate `Retry-After` files for proxies
Bad proxies are able to send a false `Retry-After` header and affect the availability of feeds (domain-wide) for other users. This PR starts including the address of the proxy if present in filenames for `Retry-After` to mitigate the issue.
* Reduce code changes
* Sync SimplePie fork https://github.com/FreshRSS/simplepie/pull/62
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-11-02  Implement whitelist for SimplePie sanitizer (#7924)  Inverle
* Implement whitelist for SimplePie sanitizer
ref: https://github.com/FreshRSS/FreshRSS/pull/7770#issuecomment-3140334326
https://github.com/FreshRSS/simplepie/pull/53
https://github.com/simplepie/simplepie/pull/947
* Remove `<plaintext>` from whitelist
* Improve order
* Remove some tags from whitelist
* Revert partially
* sync
* Display contents of `<noscript>` and `<noembed>`
* sync
* Allow use of `<track>`
* sync again
* Sync to SimplePie fork https://github.com/FreshRSS/simplepie/pull/53
* Alphabetic order
* Reduce list of stripped attributes
* Temporarily strip some attributes
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-10-25  Bump phpstan/phpstan from 2.1.29 to 2.1.31 (#8156)  dependabot[bot]
* Bump phpstan/phpstan from 2.1.29 to 2.1.31
Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan-phar-composer-source) from 2.1.29 to 2.1.31.
- [Commits](https://github.com/phpstan/phpstan-phar-composer-source/commits)
---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-version: 2.1.31
  dependency-type: direct:development
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fixes
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-10-14  Fix drag&drop of user query losing information (#8113)  Alexandre Alapetite
* Fix drag&drop of user query losing information
Information about RSS sharing was lost after a drag&drop
* Fix related type cast
2025-10-01  Fix SimplePie support of HTTP trailer headers (#7983)  Alexandre Alapetite
* Fix SimplePie support of HTTP trailer headers
fix https://github.com/FreshRSS/FreshRSS/discussions/7981
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Trailer
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server-Timing
We need to use content-length to know where the body stops, but content-length is wrong if any compression was used. So let cURL perform the separation of HTTP headers and body instead of using the SimplePie parser.
* Minor whitespace
* Same change for lib_rss
* Move changes to SimplePie repo
https://github.com/FreshRSS/simplepie/pull/55
https://github.com/FreshRSS/simplepie/pull/57
2025-09-25  Improve restriction of curl params (#8009)  Inverle
Rework #7979
Forgot to change `httpGet()`, which is used in multiple places
2025-09-23  Lazy-load `<track src>` (#7997)  Inverle
Follow-up of #7636
I found it's the only missing element that needs to be lazy loaded by putting HTML of https://github.com/cure53/HTTPLeaks/blob/main/leak.html into a feed
2025-09-21  Minor forgotten str_starts_with (#7991)  Alexandre Alapetite
A couple of places that were forgotten when we moved to using `str_starts_with()` instead of `strpos()`.
2025-09-21  Add option for CSP frame-ancestors (#7857)  Alexandre Alapetite
* Add option for CSP frame-ancestors
https://github.com/FreshRSS/FreshRSS/discussions/7856
* Revert contentSelectorPreviewAction
* Same for f.php and api
* Fix double init in f.php
* No sandbox for API page
2025-09-18  Restrict allowed curl parameters (#7979)  Inverle
For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
2025-09-05  Change how files are included (#7916)  Alexis Degrugillier
1. `include`, `include_once`, `require` and `require_once` are expressions, not functions; parentheses are not necessary.
2. To move up the directory tree, it is better to use the `dirname` function instead of relying on `/..`.
2025-08-30  Fix curl response parsing (#7866)  Inverle
* Fix curl response parsing
* Specify redirect count with `\SimplePie\HTTP\Parser::prepareHeaders()` instead
Simply notify SimplePie of the redirect count before parsing
* Better error check
* Simplify
2025-08-15  Call cleanCache when refreshing feeds (#7827)  Alexandre Alapetite
Otherwise, it is only called when calling `httpGet()`, which can be rare for users not using Web Scraping.
https://github.com/FreshRSS/FreshRSS/discussions/7784#discussioncomment-14109207
2025-08-15  Fix some PHP 8.5 deprecations (#7826)  Alexandre Alapetite
https://github.com/php/php-src/blob/php-8.5.0beta1/NEWS
https://php.net/function.curl-close
> This function has no effect. Prior to PHP 8.0.0, this function was used to close the resource.
2025-08-07  PHPStan: finalise strictArrayFilter (#7794)  Alexandre Alapetite
As well as reportPossiblyNonexistentConstantArrayOffset. And disable PHPStan-next from GitHub Action, since the work is completed for now.
2025-08-01  Rework fetch favicons (#7767)  Alexandre Alapetite
* Use main function `httpGet()` instead of local one;
* Use HTTP cache, also between users;
* Do not default to feed URL when there is no website URL
TODO for later: consider supporting Atom's `<icon>` and RSS 2.0's `<image>` https://github.com/FreshRSS/FreshRSS/issues/7774
2025-07-31  Strip more unsafe attributes e.g. `referrerpolicy` (#7770)  Inverle
2025-07-31  Implement support for HTTP 429 Too Many Requests (#7760)  Alexandre Alapetite
* Implement support for HTTP 429 Too Many Requests
Will obey the corresponding HTTP `Retry-After` header at domain level.
* Implement 503 Service Unavailable
* Sanitize Retry-After
* Reduce default value when Retry-After is absent
And make configuration parameter
* Retry-After also for favicons
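Two commits on this page, #7760 just above and #8029 further up, describe the throttling policy in words: obey `Retry-After` per domain, sanitize it, fall back to a configurable default when it is absent, and key the marker file by proxy as well so that a lying proxy cannot block a host for every user. The following is an added example written for this page, not FreshRSS's own code, of how those rules fit together; the function names, the 60 s default, the 3600 s cap and the marker-file layout are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

/**
 * Parse an HTTP Retry-After value into seconds to wait.
 * RFC 9110 allows either delta-seconds ("120") or an HTTP-date.
 * Absent or unparseable values fall back to $default (assumed 60 s here); the
 * result is clamped to [0, $max] (assumed 3600 s) so a hostile or broken server
 * or proxy cannot silence a domain for days with a single header.
 */
function retryAfterSeconds(?string $value, int $now, int $default = 60, int $max = 3600): int
{
    $value = $value === null ? '' : trim($value);
    if ($value === '') {
        return $default;
    }
    if (ctype_digit($value)) {
        $seconds = (int) $value;   // delta-seconds; an absurdly long digit string saturates and is clamped below
    } else {
        // Strict IMF-fixdate parse ("Wed, 21 Oct 2015 07:28:00 GMT"); anything else is rejected.
        $date = DateTimeImmutable::createFromFormat(DATE_RFC7231, $value, new DateTimeZone('UTC'));
        if ($date === false) {
            return $default;
        }
        $seconds = $date->getTimestamp() - $now;
    }
    return max(0, min($seconds, $max));
}

/**
 * Path of the throttle marker for a feed host. The proxy address, when one is
 * used, is part of the key: a bad proxy announcing Retry-After then only blocks
 * fetches made through that proxy, not the host for every user of the instance.
 */
function retryAfterFileName(string $cacheDir, string $feedUrl, ?string $proxy): string
{
    $host = parse_url($feedUrl, PHP_URL_HOST);
    $host = is_string($host) ? strtolower($host) : '';
    $key = $host . "\n" . ($proxy ?? '');   // separator keeps (host, proxy) pairs distinct before hashing
    return rtrim($cacheDir, '/') . '/retry-after.' . hash('sha256', $key) . '.txt';
}

/** Record that $feedUrl (via $proxy) must not be fetched before $now + $seconds. */
function markThrottled(string $cacheDir, string $feedUrl, ?string $proxy, int $now, int $seconds): void
{
    file_put_contents(retryAfterFileName($cacheDir, $feedUrl, $proxy), (string) ($now + $seconds), LOCK_EX);
}

/** Seconds still to wait before $feedUrl may be fetched via $proxy; 0 means go ahead. */
function throttledFor(string $cacheDir, string $feedUrl, ?string $proxy, int $now): int
{
    $path = retryAfterFileName($cacheDir, $feedUrl, $proxy);
    if (!is_file($path)) {
        return 0;
    }
    $until = (int) file_get_contents($path);
    if ($until <= $now) {
        @unlink($path);   // expired marker: clean up
        return 0;
    }
    return $until - $now;
}

// Constructed scenario: a 429 with "Retry-After: 120" received through one proxy.
$now = 1_700_000_000;
$cache = sys_get_temp_dir();
$feed = 'https://Example.com/feed.xml';
markThrottled($cache, $feed, 'proxy.internal:3128', $now, retryAfterSeconds('120', $now));
printf("via that proxy: wait %d s\n", throttledFor($cache, $feed, 'proxy.internal:3128', $now));
printf("direct fetch:   wait %d s\n", throttledFor($cache, $feed, null, $now));   // unaffected by the proxy's header

// Hostile or malformed values are neutralised rather than trusted.
printf("huge value, clamped to the cap: %d s\n", retryAfterSeconds('999999999', $now));
printf("HTTP-date in the past:          %d s\n", retryAfterSeconds('Wed, 21 Oct 2015 07:28:00 GMT', $now));
printf("garbage, falls back to default: %d s\n", retryAfterSeconds('garbage', $now));
```

The marker file stores an absolute expiry timestamp rather than the raw header value, so the clamp is applied once, at write time, and a later reader cannot be tricked by a value that was never sanitized.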
2025-07-17  Call DOMNode::insertBefore() on the parent of its $child (#7741)  Sam Edwards
Follow-up to https://github.com/FreshRSS/FreshRSS/pull/7654#discussion_r2208901108
Changes proposed in this pull request:
- `DOMNode::insertBefore()` needs to be called on an element that is the parent of the `$child` param being passed
- Update code to call this on `$doc->documentElement` instead of directly on the `$doc` (`DOMDocument`)
How to test the feature manually:
1. Set up an HTML + XPath feed for a URL that contains partial HTML content (eg. https://victoria.citified.ca/modules/blog/news.php?n=7&c=8)
2. Observe that the feed is processed successfully without error, and that the `<base>` is still inserted
2025-06-30  Fix multiple auth headers bug (#7703)  Inverle
Fix https://github.com/FreshRSS/FreshRSS/issues/7699
2025-06-22  Handle redirects when scraping feed from HTML (#7654)  Inverle
* Handle redirects when scraping feed from HTML
* pass codesniffer
* pass PHPStan
* Optimize
* Another approach relying on HTML base
Standard way to save an HTML document with relative references
* Fix case of existing HTML base which should not be overridden
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
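The two commits above (#7654 and its follow-up #7741) are about one small routine: inserting a `<base href>` into scraped HTML so that relative references resolve against the URL the page was finally fetched from after redirects, without overriding a `<base>` the page already declares, and calling `DOMNode::insertBefore()` on the parent of the reference node. The following is an added example for this page and not FreshRSS's own implementation; the function name, the creation of a missing `<head>` and the sample fragment are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Make sure scraped HTML carries a <base href> pointing at the URL it was
 * finally fetched from, so relative links survive a redirect. An existing
 * <base> is kept as-is. DOMNode::insertBefore() must be called on the parent
 * of the reference node, hence the calls on $root and $head below rather than
 * on the DOMDocument itself.
 */
function ensureHtmlBase(string $html, string $finalUrl): string
{
    if (trim($html) === '') {
        return $html;   // DOMDocument::loadHTML() refuses an empty string
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // fragments and HTML5 tags produce warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $root = $doc->documentElement;
    if (!$root instanceof DOMElement) {
        return $html;
    }
    if ((new DOMXPath($doc))->query('//head/base[@href]')->length > 0) {
        return $doc->saveHTML();   // the page declares its own base: do not override it
    }

    $head = $doc->getElementsByTagName('head')->item(0);
    if ($head === null) {
        // A fragment is parsed as <html><body>...</body></html> with no <head>: create one
        // before <body>. $root is the parent of $root->firstChild, as insertBefore() requires.
        $head = $doc->createElement('head');
        $root->insertBefore($head, $root->firstChild);
    }
    $base = $doc->createElement('base');
    $base->setAttribute('href', $finalUrl);
    $head->insertBefore($base, $head->firstChild);   // a null reference node appends; <base> goes first
    return $doc->saveHTML();
}

// Constructed fragment with relative references, as scraped after a redirect to $finalUrl.
$fragment = '<p>See <a href="news.php?n=8">next</a> and <img src="/img/a.png" alt=""></p>';
echo ensureHtmlBase($fragment, 'https://example.com/modules/blog/'), PHP_EOL;

// A document that already declares a <base> keeps it.
$withBase = '<html><head><base href="https://other.example/"></head><body><a href="x">x</a></body></html>';
echo ensureHtmlBase($withBase, 'https://example.com/'), PHP_EOL;
```

Putting `<base>` first in `<head>` matters: per HTML, only the first `<base>` with an `href` is honoured, and any `<link>` or `<script>` that precedes it resolves its URL without it.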
2025-06-18  frame-ancestors CSP (#7677)  Inverle
2025-06-03  Include remaining tags/attributes for lazy loading (#7636)  Inverle
* Include remaining tags/attributes for lazy loading
* Suggested change
2025-05-23  Strip more styles attributes (#7606)  Alexandre Alapetite
Strip `bgcolor`, `text`, `background`, `link`, `alink`, `vlink`
fix https://github.com/FreshRSS/FreshRSS/issues/7604
2025-05-10  Fix newest articles not shown (#7577)  Alexandre Alapetite
* Fix newest articles not shown
Case when processing was faster than 1 second.
fix https://github.com/FreshRSS/FreshRSS/issues/7412
Regression from https://github.com/FreshRSS/FreshRSS/pull/7149
* Simplify uTimeString()
PHPStan has become a bit smarter
2025-05-07  Move PHP minimum version check (#7560)  Alexandre Alapetite
It is too late to check for the minimum version in `lib_rss.php` because that file already contains some relatively new PHP language constructs, which will lead to a syntax error - when running with an old PHP version - instead of the expected error message.
Moved to `constants.php` for now.
Example of syntax error with PHP 7.4:
```
PHP Parse error: syntax error, unexpected '|', expecting '{' in /var/www/FreshRSS/lib/lib_rss.php on line 166
```
Should help users like in:
* https://github.com/FreshRSS/FreshRSS/discussions/7539
* https://github.com/FreshRSS/FreshRSS/issues/7557
2025-05-02  Fix file serving for symlinked extensions (#7545)  Inverle
* Fix file serving for symlinked extensions from ext.php
* Don't resolve symlink when deleting extension
* Minor syntax
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-04-28  HTTP Auth disallow multiple headers (#7528)  Alexandre Alapetite
When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.
2025-04-13  SimplePie forbid formaction attribute (#7506)  Alexandre Alapetite
Sanitize buttons with a form or formaction attribute.
2025-04-07  Web scraping forbid security headers in cURL (#7496)  Alexandre Alapetite
Prevent using `Remote-User`, `X-WebAuth-User` during Web scraping.
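Four commits on this page share one concern: #7528 and #7703 require the identity header set by a reverse proxy (`Remote-User`, `X-WebAuth-User`) to arrive exactly once on the way in; #7496 forbids those same headers on outgoing scraping requests; #7979 and #8009 reduce the cURL options a user may set to an explicit allowlist, with `CURLOPT_COOKIEFILE` accepted only as an empty string during import. The following is an added example written for this page, not the project's code; the header list, the option allowlist and the function names are assumptions, and the reading of the `CURLOPT_COOKIEFILE` rule (empty string only, and only while importing) is this example's interpretation of the commit text.

```php
<?php
declare(strict_types=1);

/** Headers a trusted reverse proxy uses to assert the logged-in user (constructed list). */
const AUTH_HEADER_NAMES = ['Remote-User', 'X-WebAuth-User'];

/** cURL options a feed or scraping configuration may set (constructed allowlist). */
const ALLOWED_CURL_OPTIONS = [
    CURLOPT_USERAGENT, CURLOPT_HTTPHEADER, CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT,
    CURLOPT_PROXY, CURLOPT_PROXYTYPE, CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST,
    CURLOPT_COOKIEFILE,
];

/**
 * Inbound: the identity header must be present exactly once. None means "not
 * authenticated"; two or more means something between the client and this code
 * injected a duplicate, and guessing which copy is genuine would let the
 * attacker pick the winner. Names compare case-insensitively, values are trimmed.
 */
function singleAuthHeader(array $headerLines, string $name): ?string
{
    $values = [];
    foreach ($headerLines as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && strcasecmp(trim($parts[0]), $name) === 0) {
            $values[] = trim($parts[1]);
        }
    }
    return count($values) === 1 ? $values[0] : null;
}

/**
 * Outbound: headers a user may attach to a scraping request, minus the identity
 * headers. Without this, a "feed" pointed at the instance itself (or at any other
 * application behind the same proxy) could log in as an arbitrary user.
 */
function stripAuthHeaders(array $headers): array
{
    return array_values(array_filter($headers, static function ($header): bool {
        if (!is_string($header)) {
            return false;
        }
        $name = trim(explode(':', $header, 2)[0]);
        foreach (AUTH_HEADER_NAMES as $forbidden) {
            if (strcasecmp($name, $forbidden) === 0) {
                return false;
            }
        }
        return true;
    }));
}

/**
 * Keep only allowlisted cURL options (matched by integer constant, so unknown
 * keys are dropped rather than passed through). CURLOPT_COOKIEFILE is accepted
 * only as the empty string, which merely enables libcurl's in-memory cookie
 * engine and reads no file, and only during an import.
 */
function restrictCurlOptions(array $options, bool $importing = false): array
{
    $safe = [];
    foreach ($options as $option => $value) {
        if (!is_int($option) || !in_array($option, ALLOWED_CURL_OPTIONS, true)) {
            continue;
        }
        if ($option === CURLOPT_COOKIEFILE && (!$importing || $value !== '')) {
            continue;
        }
        if ($option === CURLOPT_HTTPHEADER) {
            if (!is_array($value)) {
                continue;
            }
            $value = stripAuthHeaders($value);
        }
        $safe[$option] = $value;
    }
    return $safe;
}

// Constructed inbound request: a second Remote-User (different case) is rejected outright.
$inbound = ['Host: rss.example', 'Remote-User: alice', 'remote-user: admin'];
var_dump(singleAuthHeader($inbound, 'Remote-User'));
var_dump(singleAuthHeader(['Host: rss.example', 'Remote-User: alice'], 'Remote-User'));

// Constructed scraping configuration as a user might import it.
$userOptions = [
    CURLOPT_USERAGENT => 'FreshRSS-example/1.0',
    CURLOPT_HTTPHEADER => ['Accept: text/html', 'X-WebAuth-User: admin'],   // identity header is stripped
    CURLOPT_COOKIEFILE => '/etc/passwd',                                   // a path, not '': dropped
    CURLOPT_FILE => '/tmp/out',                                            // not allowlisted: dropped
];
var_dump(restrictCurlOptions($userOptions, true));
```

Matching on the integer `CURLOPT_*` value rather than on a string name means a configuration cannot smuggle an option in under an alias, and the allowlist fails closed whenever libcurl gains a new option.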
2025-04-06  Disallow iframe srcdoc for now (#7494)  Alexandre Alapetite
We do not sanitize this attribute well enough, so stripped for now. It is rarely used: I have not seen any use of it in any of my many test feeds. Can be added back when we can handle its inherent security issues better.
2025-04-01  Referrer-Policy: same-origin (#6303)  maTh
* Referrer-Policy: same-origin
* same-origin for our own images
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-01-26  Doc force-https (#7259)  Alexandre Alapetite
* Doc force-https
https://github.com/FreshRSS/FreshRSS/discussions/7252#discussioncomment-11951183
* Forgotten ^
* More proper support for comments
2025-01-25  Improve cURL proxy options (#7231)  Alexandre Alapetite
3 is now used for CURLPROXY_HTTPS2
https://github.com/curl/curl/blob/f07612cd9ae1ec50b9bedd749171ad75203c9e7e/include/curl/curl.h#L789
Related to https://github.com/FreshRSS/FreshRSS/issues/7209
2025-01-08  Add some missing PHP native types (#7191)  Alexandre Alapetite
* Add some missing PHP native types
Replaces https://github.com/FreshRSS/FreshRSS/pull/7184
* Clean some types
2024-12-27  PHPStan 2.0 (#7131)  Alexandre Alapetite
* PHPStan 2.0
fix https://github.com/FreshRSS/FreshRSS/issues/6989
https://github.com/phpstan/phpstan/releases/tag/2.0.0
https://github.com/phpstan/phpstan/blob/2.0.x/UPGRADING.md
* More
* More
* Done
* fix i18n CLI
* Restore a PHPStan Next test
For work towards PHPStan Level 10
* 4 more on Level 10
* fix getTagsForEntry
* API at Level 10
* More Level 10
* Finish Minz at Level 10
* Finish CLI at Level 10
* Finish Controllers at Level 10
* More Level 10
* More
* Pass bleedingEdge
* Clean PHPStan options and add TODOs
* Level 10 for main config
* More
* Consistency array vs. list
* Sanitize themes get_infos
* Simplify TagDAO->getTagsForEntries()
* Finish reportAnyTypeWideningInVarTag
* Prepare checkBenevolentUnionTypes and checkImplicitMixed
* Fixes
* Refix
* Another fix
* Casing of __METHOD__ constant
2024-11-28  Upgrade code to php 8.1 (#6748)  Luc SANCHEZ
* revert
Fix code indentation
Fix code
Upgrade code to php 8.1
* fix remarks
* code review
* code review
* code review
* Apply suggestions from code review
* code review
* Fixes
* Many remaining updates of array syntax
* Lost case 'reading-list'
* Unneeded PHPDoc
---------
Co-authored-by: Luc Sanchez <l.sanchez-prestataire@alptis.fr>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2024-09-20  SimplePie support for HTTP cache policies (#6812)  Alexandre Alapetite
* SimplePie support for HTTP cache policies
Discussion in https://github.com/FreshRSS/simplepie/pull/26
* Bump SimplePie commit
* Typos
* Typos
* Simpler logic
* Explicitly disable cache for non-GET flows
* Bump SimplePie commit
* Bump SimplePie commit
* Bump SimplePie commit
* Bump SimplePie commit
2024-09-14  Allow SimplePie updates with composer (#4374)  Artur Weigandt
* rename lib/SimplePie to lib/CustomSimplePie
* add test for autoloading SimplePie with PSR-0
* install SimplePie 1.6.0
* Add SimplePie CHANGELOG.md, ignore irrelevant files
* remove unmodified custom classes
* rename all customized SimplePie classes
* Add autoloading for SimplePie PSR-0 and CustomSimplePie classes
* let CustomSimplePie extends SimplePie, remove unchanged code
* let CustomSimplePieMisc extends SimplePie\Misc, remove unchanged code
* Add tests for autoloading
* let CustomSimplePieContentTypeSniffer extends Sniffer, remove unchanged code
* remove unchanged CustomSimplePieEnclosure class
The fixed typos are committed to SimplePie
See https://github.com/simplepie/simplepie/pull/722/commits/133eac158cddaf5d2ddf9d9e5f42d92f944f885d
* let CustomSimplePieFile extends SimplePie\File, remove unchanged code
* let CustomSimplePieParser extends SimplePie\Parser, remove unchanged code
* let CustomSimplePieSanitize extends SimplePie\Sanitize, remove unchanged code
* let CustomSimplePieHttpParser extends SimplePie\HTTP\Parser, remove unchanged code
* Remove CustomSimplePie
* Switch SimplePie repo to https://github.com/FreshRSS/simplepie.git
* move to latest branch, update all SimplePie source files
* Use namespaced SimplePie classes, remove SimplePie library folder
* Update to latest SimplePie version with FreshRSS modifications
* Bump SimplePie
Tests expected to fail due to missing a backport of functionalities
* Add fork-specific readme
* Re-implement initial syslog SimplePie GET
https://github.com/FreshRSS/FreshRSS/pull/815
Lacks https://github.com/FreshRSS/FreshRSS/pull/6061
* Closer backport of syslog SimplePie GET
https://github.com/FreshRSS/FreshRSS/pull/6061
But the requests logs will be in the wrong order in case of redirections
* Fixes
* lib update
* SimplePie include a few more files
* Try with cache-hash branch
* Point to newer commit
* Point to newer commit
* Finalise logs
* Finalise
* Bump SimplePie commit
* Bump SimplePie commit
* Readme SimplePie fork
* Bump SimplePie commit
* Better logging
* Bump SimplePie commit
* Reworked approach to work with SimplePie cache
Simpler FreshRSS patches
* Bump SimplePie commit
https://github.com/FreshRSS/simplepie/pull/22
* Simplepie846
https://github.com/FreshRSS/simplepie/pull/23
And additional fixes
* Remove log
* Cherry pick relevant unmerged SimplePie PRs
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2024-09-11  PHPStan booleansInConditions (#6793)  Alexandre Alapetite
* PHPStan booleansInConditions
* Uniformisation
2024-09-06  Upgrade to PHP 8.1 (#6711)  Alexandre Alapetite
* Upgrade to PHP 8.1
As discussed in https://github.com/FreshRSS/FreshRSS/discussions/5474
https://www.php.net/releases/8.0/en.php
https://www.php.net/releases/8.1/en.php
Upgrade to available native type declarations https://php.net/language.types.declarations
Upgrade to https://phpunit.de/announcements/phpunit-10.html which requires PHP 8.1+ (good timing, as version 9 was not maintained anymore)
Upgrade `:oldest` Docker dev image to oldest Alpine version supporting PHP 8.1: Alpine 3.16, which includes PHP 8.1.22.
* Include 6736
https://github.com/FreshRSS/FreshRSS/pull/6736
2024-08-16  Fix HTTP cache of user queries (#6718)  Alexandre Alapetite
fix https://github.com/FreshRSS/FreshRSS/issues/6717
2024-08-01  Minor update whitespace PHPCS rules (#6666)  Alexandre Alapetite
* Minor update whitespace PHPCS rules
To simplify our configuration, apply more rules, and be clearer about what is added or removed compared with PSR12. Does not change our current conventions, but just a bit more consistent.
* Forgotten *.phtml
* Sort exclusion patterns + add a few for Extensions repo
* Relaxed some rules
2024-06-09  Pass PHPStan level 9 (#6544)  Alexandre Alapetite
* More PHPStan
* More, passing
* 4 more files
* Update to PHPStan 1.11.4
Needed for fixed bug: Consider numeric-string types after string concat https://github.com/phpstan/phpstan/releases/tag/1.11.4
* Pass PHPStan level 9
Start tracking booleansInConditions
* Fix mark as read
* Fix doctype
* ctype_digit
2024-05-25  Fix HTTP GET curl options (#6492)  Alexandre Alapetite
fix https://github.com/FreshRSS/FreshRSS/issues/6491
Regression from https://github.com/FreshRSS/FreshRSS/pull/6177
2024-05-15  PHPStan 1.11 + minor update dev dependencies (#6459)  Alexandre Alapetite
* PHPStan 1.11 + minor update dev dependencies
https://github.com/phpstan/phpstan/releases/tag/1.11.0
* Comment style
2024-04-11  SimplePie replace iframe allow attribute (#6274)  Alexandre Alapetite
* SimplePie strip iframe allow attribute
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow
Besides security, the `allow autoplay` attribute is especially problematic on mobile (Firefox on Android) as it asks to open the YouTube app as soon as the article is opened.
Example of code before:
```html
<iframe data-original="https://www.youtube.com/embed/??????feature=oembed" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" sandbox="allow-scripts allow-same-origin"></iframe>
```
* Replace allow attribute
* Allow more
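The sanitizer commits on this page (#7924 whitelist, #7770 `referrerpolicy`, #7606 colour attributes, #7506 `formaction`, #7494 `srcdoc`, and #6274 just above for `allow`) converge on one design: keep an allowlist of tags and attributes and drop everything else, instead of chasing each newly discovered dangerous attribute. The following is an added DOM-based example of that design written for this page, not the SimplePie fork's sanitizer; the allowlists are deliberately small and constructed for the example, as is the sample feed HTML, and the decision to refuse `data:` URLs is this example's choice.

```php
<?php
declare(strict_types=1);

// Constructed allowlists for this example; the real sets live in the project's SimplePie fork.
const ALLOWED_TAGS = ['a', 'b', 'blockquote', 'br', 'code', 'em', 'i', 'iframe', 'img', 'li',
    'noscript', 'ol', 'p', 'pre', 'strong', 'table', 'td', 'th', 'tr', 'track', 'ul', 'video'];
const ALLOWED_ATTRIBUTES = ['alt', 'controls', 'height', 'href', 'kind', 'label', 'loading',
    'src', 'srclang', 'title', 'width'];
const DROPPED_WITH_CONTENT = ['script', 'style', 'template', 'title'];
// Everything not allowlisted is removed: allow, referrerpolicy, formaction, srcdoc, sandbox, style,
// bgcolor/text/background/link/alink/vlink and every on* handler fall out without being named.

function sanitizeHtml(string $html): string
{
    if (trim($html) === '') {
        return '';
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // feed HTML is rarely well-formed
    // The XML prologue forces UTF-8; the <div> keeps fragments serialisable without <html>/<body>.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $container = (new DOMXPath($doc))->query('//body/div')->item(0);
    if (!$container instanceof DOMElement) {
        return '';
    }
    sanitizeChildren($container);

    $out = '';
    foreach ($container->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $parent): void
{
    $children = iterator_to_array($parent->childNodes);   // copy: the tree is mutated while walking
    foreach ($children as $node) {
        if (!$node instanceof DOMElement) {
            if ($node->nodeType !== XML_TEXT_NODE) {
                $parent->removeChild($node);   // comments, CDATA, processing instructions
            }
            continue;
        }
        $tag = strtolower($node->tagName);
        if (in_array($tag, DROPPED_WITH_CONTENT, true)) {
            $parent->removeChild($node);
            continue;
        }
        sanitizeChildren($node);   // children first, so unwrapped ones are already clean
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown element (e.g. <button>): keep its sanitised children, drop the element itself.
            while ($node->firstChild !== null) {
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
            continue;
        }
        sanitizeAttributes($node);
    }
}

function sanitizeAttributes(DOMElement $element): void
{
    $names = [];
    foreach ($element->attributes as $attribute) {   // collect first: removing while iterating is unsafe
        $names[] = $attribute->name;
    }
    foreach ($names as $name) {
        $lower = strtolower($name);
        $drop = !in_array($lower, ALLOWED_ATTRIBUTES, true);
        if (!$drop && ($lower === 'href' || $lower === 'src')) {
            // Browsers strip tab/newline inside a URL and leading controls, so "java\tscript:" still
            // runs; stripping every control character and space here errs towards rejection.
            $scheme = preg_replace('/[\x00-\x20]+/', '', $element->getAttribute($name)) ?? '';
            $drop = preg_match('/^(javascript|vbscript|data):/i', $scheme) === 1;
        }
        if ($drop) {
            $element->removeAttribute($name);
        }
    }
}

// Constructed feed content exercising each of the commits' cases.
$feedHtml = '<p style="color:red" onclick="steal()">Hi <a href="java' . "\t" . 'script:alert(1)" referrerpolicy="no-referrer">link</a></p>'
    . '<iframe src="https://www.youtube.com/embed/abc" allow="autoplay" srcdoc="<p>x</p>" sandbox="allow-scripts"></iframe>'
    . '<button formaction="https://evil.example/">go</button>'
    . '<table bgcolor="#000"><tr><td>cell</td></tr></table>'
    . '<script>steal()</script><noscript><img src="/a.png" alt="a"></noscript>';
echo sanitizeHtml($feedHtml), PHP_EOL;
```

Sanitising children before deciding the fate of their parent is what makes the unwrap step safe: the nodes hoisted out of a rejected `<button>` have already been through the same attribute filter as everything else, so no element reaches the output unexamined.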