| Age | Commit message (Collapse) | Author |
|---|
|
Rework #7979
Forgot to change `httpGet()`, which is used in multiple places
|
|
Follow-up of #7636
I found it's the only missing element that needs to be lazy loaded by putting HTML of https://github.com/cure53/HTTPLeaks/blob/main/leak.html into a feed
|
|
A couple of places, which have been forgotten when we moved to using `str_starts_with()` instead of `strpos()`.
|
|
* Add option for CSP frame-ancestors
https://github.com/FreshRSS/FreshRSS/discussions/7856
* Revert contentSelectorPreviewAction
* Same for f.php and api
* Fix double init in f.php
* No sandbox for API page
|
|
Discussion: https://github.com/FreshRSS/FreshRSS/discussions/7973
Changes proposed in this pull request:
- Add new extension hook "entry_before_add"
- Add new extension hook "entry_before_update"
How to test the feature manually:
1. Create extension that uses the hooks and confirm they are invoked correctly.
Extension to use for testing
https://github.com/rnkln/freshrss-xExtension-Discord/pull/2
|
|
For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
|
|
* https://github.com/simplepie/simplepie/pull/936 (Normalize encoding uppercase)
|
|
Main change is https://github.com/simplepie/simplepie/pull/937 (PHP 8.5: Conditionally call deprecated functions)
P.S. a sync with SimplePie upstream was already done recently, hence the limited changes:
* https://github.com/FreshRSS/FreshRSS/pull/7775
|
|
This replace the use of `en` through out the code.
|
|
1. `include`, `include_once`, `require` and `require_once` are expressions not functions, parentheses are not necessary.
2. to move up the directory tree, it's better to use the `dirname` function instead of relying on `/..`.
|
|
* Fix log CRLF injection
* empty -> space
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Follow-up to #7762
* Regenerate session ID on login
* Send only one cookie
* Improvements
* Delete old session file
* Simplify
* Make function consistent with others
|
|
The set language is used inside paths and can lead to issues by including PHP files from other locations
|
|
* Fix curl response parsing
* Specify redirect count with `\SimplePie\HTTP\Parser::prepareHeaders()` instead
Simply notify SimplePie of the redirect count before parsing
* Better error check
* Simplify
|
|
Otherwise, it is only called when calling `httpGet()` which can be rare for users not using Web Scraping.
https://github.com/FreshRSS/FreshRSS/discussions/7784#discussioncomment-14109207
|
|
https://github.com/php/php-src/blob/php-8.5.0beta1/NEWS
https://php.net/function.curl-close
> This function has no effect. Prior to PHP 8.0.0, this function was used to close the resource.
|
|
Fix regression (bad merge) from https://github.com/FreshRSS/FreshRSS/pull/7775
* https://github.com/FreshRSS/simplepie/pull/50
|
|
https://github.com/FreshRSS/simplepie/pull/48
and merge upstream https://github.com/FreshRSS/simplepie/pull/49
fix https://github.com/FreshRSS/FreshRSS/issues/7807
We had a risk of hitting `Backtrack limit was exhausted` in case of open XML comment `<!--` not closed and followed by a very long document.
Fixed by:
* Limiting the max length of the comment
* Stopping at an apparent end of CDATA section `]]>` as it is likely an error
It does not matter much if there are rare cases when the regex does not work perfectly, as it is only used for a cache hint.
|
|
* Show warning when unsafe CSP policy is in use
* Fix bare markdown URL
* i18n: fr
* Minor i18n: fr
* Add target="_blank" to i18n strings
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Instead of a repeating pattern like: `<input type="text" value="something" data-leave-validation="something">`, you can now put a `data-auto-leave-validation="1"` attribute on a `<form>` for example, and it will automatically set the `data-leave-validation` attributes inside the form elements.
`data_auto_leave_validation(parent)` from `extra.js` is called on slider open and page load.
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: Frans de Jonge <fransdejonge@gmail.com>
|
|
As well as reportPossiblyNonexistentConstantArrayOffset.
And disable PHPStan-next from GitHub Action, since the work is completed for now.
|
|
* Bump SimplePie with PHPStan Level 8
* https://github.com/FreshRSS/simplepie/pull/45
SimplePie increased to PHPStan Level 8:
* https://github.com/simplepie/simplepie/pull/857
* Merge upstream
Including my two PRs:
* https://github.com/simplepie/simplepie/pull/932
* https://github.com/simplepie/simplepie/pull/933
* Resolve upstream sync of Expose HTTP status
* https://github.com/FreshRSS/simplepie/pull/47
Finalise merge, following:
* https://github.com/simplepie/simplepie/pull/905#issuecomment-3007605779
* https://github.com/simplepie/simplepie/pull/909
* https://github.com/FreshRSS/FreshRSS/issues/7038
|
|
Replacing failing Dependabot PRs:
* https://github.com/FreshRSS/FreshRSS/pull/7779
* https://github.com/FreshRSS/FreshRSS/pull/7780
* https://github.com/FreshRSS/FreshRSS/pull/7778
|
|
* Use main function `httpGet()` instead of local one;
* Use HTTP cache, also between users;
* Do not default to feed URL when there is no website URL
TODO for later: consider supporting Atom's `<icon>` and RSS 2.0's `<image>` https://github.com/FreshRSS/FreshRSS/issues/7774
|
|
|
|
* Implement sudo mode / reauthentication
* i18n: fr
* generate flags
* Improvements
* Remove HMAC check
* Don't require reauth to access logs when signed in as admin
* Notify user of bad login via notification instead
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/7761
Partially avoid calls to deprecated functions.
Avoid warnings:
```
[warning] --- old_entries does not exist in configuration
[warning] --- keep_history_default does not exist in configuration
```
|
|
* Implement support for HTTP 429 Too Many Requests
Will obey the corresponding HTTP `Retry-After` header at domain level.
* Implement 503 Service Unavailable
* Sanitize Retry-After
* Reduce default value when Retry-After is absent
And make configuration parameter
* Retry-After also for favicons
|
|
* `before_login_btn` hook + system conf attributes
* phpstan fix
* Refactoring
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Follow-up to https://github.com/FreshRSS/FreshRSS/pull/7654#discussion_r2208901108
Changes proposed in this pull request:
- `DOMNode::insertBefore()` needs to be called on an element that is the parent of the `$child` param being passed
- Update code to call this on `$doc->documentElement` instead of directly on the `$doc` (`DOMDocument`)
How to test the feature manually:
1. Set up an HTML + XPath feed for a URL that contains partial HTML content (eg. https://victoria.citified.ca/modules/blog/news.php?n=7&c=8)
1. Observe that the feed is processed successfully without error, and that the `<base>` is still inserted
|
|
https://github.com/FreshRSS/simplepie/pull/43
|
|
Closes #3789, #6503
Icon setting when no custom icon is set yet:
- `Change...` button opens a file dialog, and after selecting a file shows the chosen icon in the preview on the left. `Submit` must be clicked after selecting the icon.
- `Reset to default` changes the preview icon to the default one, and also requires `Submit` to be clicked to apply the changes.
Full list of changes:
- CSP now includes `blob:` in `img-src` for
- `indexAction()` and `feedAction()` in `subscriptionController.php`
- all of the view actions in `indexController.php`
- Introduce new attribute `customFavicon (boolean)` for feeds that indicates if the feed has a custom favicon
- `hashFavicon()` in `Feed.php` is dependent on this attribute
- `hashFavicon()` has a new parameter called `skipCache (boolean)` that allows the reset of the favicon hash for the Feed object
- `resetFaviconHash()` just calls `hashFavicon(skipCache: true)`
- `f.php` URLs now have the format of `/f.php?h=XXXXX&t=cachebuster`, where the `t` parameter is only used for serving custom favicons
- if `t` parameter is set, `f.php` returns a `Cache-Control: immutable` header
- `stripos` and `strpos` were changed to `str_contains` in various places (refactor)
- JS for handling the custom favicon configuration logic is in `extra.js` inside `init_update_feed()` which is called when feed configuration is opened from the aside or when the subscription management page with the feed is loaded
- Server-side code for uploading the icon in `subscriptionController.php` under `feedAction()`
- Errors that may occur during the setting of a custom favicon:
- Unsupported image file type (handled only server-side with `isImgMime()`)
- When the file is bigger than 1 MiB (default), handled both client-side and server-side
- Standard feed error when `updateFeed()` fails
- JS vars `javascript_vars.phtml` are no longer escaped with `htmlspecialchars()`, instead with json encoding,
- CSS for disabled buttons was added
- Max favicon file size is configurable with the `max_favicon_upload_size` option in `config.php` (not exposed via UI)
- Custom favicons are currently deleted only when they are either reset to the default icon, or the feed gets deleted. They do not get deleted when the user deletes their account without removing their feeds first.
- ` faviconPrepare()` and `faviconRebuild()` are not allowed to be called when the `customFavicon` attribute is `true`
- New i18n strings:
- `'sub.feed.icon' => 'Icon'`
- `'sub.feed.change_favicon' => 'Changeā¦'`
- `'sub.feed.reset_favicon' => 'Reset to default'`
- `'sub.feed.favicon_changed_by_ext' => 'The icon has been set by the <b>%s</b> extension.'`
- `'feedback.sub.feed.favicon.too_large' => 'Uploaded icon is too large. The maximum file size is <em>%s</em>.'`
- `'feedback.sub.feed.favicon.unsupported_format' => 'Unsupported image file format!'`
- Extension hook `custom_favicon_hash`
- `setCustomFavicon()` method
- `resetCustomFavicon()` method
- `customFaviconExt` and `customFaviconDisallowDel` attributes
- example of usage: https://github.com/FreshRSS/Extensions/pull/337
- Extension hook `custom_favicon_btn_url`
- Allows extensions to implement a button for setting a custom favicon for individual feeds by providing an URL. The URL will be sent a POST request with the `extAction` field set to either `query_icon_info` or `update_icon`, along with an `id` field which describes the feed's ID.
|
|
Fix https://github.com/FreshRSS/FreshRSS/issues/7699
|
|
* Fix feeds encoded in UTF-16LE
Fix https://github.com/FreshRSS/FreshRSS/issues/7690
https://github.com/FreshRSS/simplepie/pull/40
The final character `>` of a feed is encoded as `3E00` in UTF-16LE, so calling `trim()` was removing the `\x00`, breaking the multibyte encoding and making the feed invalid.
Upstream PR https://github.com/simplepie/simplepie/pull/916
* Trim body for all paths
https://github.com/FreshRSS/simplepie/pull/42
https://github.com/simplepie/simplepie/pull/917
Slight refactor of https://github.com/simplepie/simplepie/pull/916 (https://github.com/FreshRSS/simplepie/pull/40) to cover all paths.
Missing paths included the fsock method without gzip (e.g. deflate or plain).
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/7687
https://github.com/FreshRSS/simplepie/pull/37
Upstream: https://github.com/simplepie/simplepie/pull/915
Partial revert of https://github.com/FreshRSS/FreshRSS/pull/7515
HTML entities are normally only allowed in XML when there is a DTD declaring them. SimplePie is even allowing Atom documents with undeclared HTML entities - which I am not sure is on purpose.
|
|
* + Exposed the reading modes for extensions through Minz. Now extensions can add a custom view mode. Graceful fallback to normal view in case the extension was disabled without resetting the view_mode through the uninstall method. In that case the user will be informed via Minz_Request::setBadNotification that the view has been reset to normal.
+ Added translation strings for de, en and en-us for the notification
* + Added missing, generated translations
* Simplify indexAction, performance
* Minor settings htmlspecialchars
* i18n: fr
* Minor wording
* Doc
* Fix i18n
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Handle redirects when scraping feed from HTML
* pass codesniffer
* pass PHPStan
* Optimize
* Another approach relying on HTML base
Standard way to save an HTML document with relative references
* Fix case of existing HTML base
which should not be overriden
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
|
|
* SimplePie: Fix propagation of HTTP error codes
fix https://github.com/FreshRSS/FreshRSS/issues/7038
https://github.com/FreshRSS/simplepie/pull/36
upstream https://github.com/simplepie/simplepie/pull/905
Co-authored-by: Edgar Alvarado <15692727+pe1uca@users.noreply.github.com>
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/7647
|
|
* Add API endpoint for extensions
Useful for https://github.com/FreshRSS/FreshRSS/issues/7572
* Support PATH_INFO
Now also support being invoked like `/api/misc.php/Extension%20Name/`
* More documentation
|
|
* Include remaining tags/attributes for lazy loading
* Suggested change
|
|
Strip `bgcolor`, `text`, `background`, `link`, `alink`, `vlink`
fix https://github.com/FreshRSS/FreshRSS/issues/7604
|
|
* Fix newest articles not shown
Case when processing was faster than 1 second.
fix https://github.com/FreshRSS/FreshRSS/issues/7412
Regression from https://github.com/FreshRSS/FreshRSS/pull/7149
* Simplify uTimeString()
PHPStan has become a bit smarter
|
|
It is too late to check for minimum version check in `lib_rss.php` because that file already contains some relatively new PHP language constructs, which will lead to a syntax error - when running with an old PHP version - instead of the expected error message.
Moved to `constants.php` for now.
Example of syntax error with PHP 7.4:
```
PHP Parse error: syntax error, unexpected '|', expecting '{' in /var/www/FreshRSS/lib/lib_rss.php on line 166
```
Should help users like in:
* https://github.com/FreshRSS/FreshRSS/discussions/7539
* https://github.com/FreshRSS/FreshRSS/issues/7557
|
|
Supplement to https://github.com/FreshRSS/FreshRSS/pull/7541
|
|
* Fix file serving for symlinked extensions from ext.php
* Don't resolve symlink when deleting extension
* Minor syntax
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Updates the requirements on [phpmailer/phpmailer](https://github.com/PHPMailer/PHPMailer) to permit the latest version.
- [Release notes](https://github.com/PHPMailer/PHPMailer/releases)
- [Changelog](https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md)
- [Commits](https://github.com/PHPMailer/PHPMailer/compare/v6.9.3...v6.10.0)
---
updated-dependencies:
- dependency-name: phpmailer/phpmailer
dependency-version: 6.10.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
* Bump phpstan/phpstan from 2.1.11 to 2.1.13
Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 2.1.11 to 2.1.13.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Changelog](https://github.com/phpstan/phpstan/blob/2.1.x/CHANGELOG.md)
- [Commits](https://github.com/phpstan/phpstan/compare/2.1.11...2.1.13)
---
updated-dependencies:
- dependency-name: phpstan/phpstan
dependency-version: 2.1.13
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Bump phpstan/phpstan from 2.1.11 to 2.1.13
Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 2.1.11 to 2.1.13.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Changelog](https://github.com/phpstan/phpstan/blob/2.1.x/CHANGELOG.md)
- [Commits](https://github.com/phpstan/phpstan/compare/2.1.11...2.1.13)
---
updated-dependencies:
- dependency-name: phpstan/phpstan
dependency-version: 2.1.13
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fix PHPStan
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.
|
Inverle
Alexandre Alapetite
KleinMann
Alexis Degrugillier
Sam Edwards
Stefan
dependabot[bot]
