Age | Commit message | Author | |
---|---|---|---|
2020-09-16 | cached_url: block SVG images because of potential javascript inside | Andrew Dolgov | |
2020-09-16 | pass CSRF token to opml import and feed icon replace dialogs | Andrew Dolgov | |
2020-09-16 | fix default password nag dialog, load via xhr | Andrew Dolgov | |
2020-09-15 | editFeed: only try to reload feed tree in preferences if it's actually there | Andrew Dolgov | |
2020-09-15 | comments link: load in new tab | Andrew Dolgov | |
2020-09-15 | editarticletags: load dialog via XHR | Andrew Dolgov | |
2020-09-15 | handler: default base csrf_ignore() to false | Andrew Dolgov | |
2020-09-15 | backend handler: require CSRF, remove obsolete code | Andrew Dolgov | |
2020-09-15 | public/logout: require valid CSRF token | Andrew Dolgov | |
2020-09-15 | Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection | Andrew Dolgov | |
2020-09-15 | - backend: require CSRF token to be passed via POST | Andrew Dolgov | |
- do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST | |||
2020-09-15 | don't pass csrf token as a GET parameter to Article | Andrew Dolgov | |
2020-09-15 | require CSRF token for Article/redirect | Andrew Dolgov | |
2020-09-15 | - enable CSRF support earlier | Andrew Dolgov | |
- remove rpc/sanityCheck from CSRF-excluded calls | |||
2020-09-15 | af_proxy_http: require separate token to access imgproxy | Andrew Dolgov | |
2020-09-15 | rewrite_relative_url: validate resulting absolutized URLs | Andrew Dolgov | |
2020-09-15 | validate_url: only allow safe ports (80, 443), disallow access to loopback | Andrew Dolgov | |
2020-09-15 | validate_url: add clean() | Andrew Dolgov | |
2020-09-15 | rename base64_img() to image_to_base64() | Andrew Dolgov | |
2020-09-15 | af_proxy_http: never print received data directly, always redirect to cached_url | Andrew Dolgov | |
cache/getUrl: basename() passed filename just in case | |||
2020-09-15 | cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks | Andrew Dolgov | |
2020-09-15 | af_redditimgur: don't add embedded blank gif image for rewritten videos | Andrew Dolgov | |
2020-09-14 | user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) | Andrew Dolgov | |
2020-09-14 | public/subscribe: require valid CSRF token when validating the form | Andrew Dolgov | |
2020-09-14 | remove csrf token from rpc method sanityCheck | Andrew Dolgov | |
2020-09-14 | - fix multiple vulnerabilities in af_proxy_http | Andrew Dolgov | |
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions | |||
2020-09-11 | Merge branch 'weblate-integration' | Andrew Dolgov | |
2020-09-11 | order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting | Andrew Dolgov | |
2020-08-29 | properly return counters for labels with zero assigned articles | Andrew Dolgov | |
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766 | |||
2020-08-14 | Merge branch 'master' of rodneys_mission/tt-rss into master | fox | |
2020-08-14 | Silence php 7.2 error message generated in `session_set_cookie_params`. | Rodney Stromlund | |
2020-08-13 | pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc | Andrew Dolgov | |
2020-08-13 | move order_by to SQL override logic into a separate function | Andrew Dolgov | |
2020-08-11 | instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp | Andrew Dolgov | |
2020-08-10 | OPML: export/import per-feed purge interval | Andrew Dolgov | |
2020-08-01 | Merge branch 'master' of e1e0/tt-rss into master | fox | |
2020-08-01 | more int/string type mismatches on getCategories | Paco Esteban | |
2020-08-01 | Merge branch 'master' of e1e0/tt-rss into master | fox | |
2020-07-31 | Translated using Weblate (Czech) | Marek Pavelka | |
Currently translated at 100.0% (727 of 727 strings) Translation: Tiny Tiny RSS/messages Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/ | |||
2020-07-31 | make sure all ints are casted (to int) on getCategories | Paco Esteban | |
2020-07-19 | Translated using Weblate (Norwegian Bokmål) | Jan Espen Pedersen | |
Currently translated at 44.7% (325 of 727 strings) Translation: Tiny Tiny RSS/messages Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/ | |||
2020-07-13 | Merge branch 'master' of rodneys_mission/tt-rss-fix-sanity-urls into master | fox | |
2020-07-13 | Update wiki and forums links in error message. | Rodney Stromlund | |
2020-07-09 | Merge branch 'feed-tree-localstorage' of nanaya/tt-rss into master | fox | |
2020-07-09 | Store FeedTree data in localStorage | nanaya | |
Patching internal functions of dijit.Tree as they don't provide an option for where to store the data. It stores to cookies by default, but the data can get quite big for hundreds of feeds and exceed the cookie size limit. Not to mention it'll cause the cookie to be sent during any request with nothing handling it server side and just wasting bandwidth. This patch will also migrate current data in the cookie to local storage accordingly. | |||
2020-07-03 | Translated using Weblate (Norwegian Bokmål) | Jan Espen Pedersen | |
Currently translated at 44.7% (325 of 727 strings) Translation: Tiny Tiny RSS/messages Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/ | |||
2020-07-03 | Translated using Weblate (Norwegian Bokmål) | Anonymous | |
Currently translated at 44.7% (325 of 727 strings) Translation: Tiny Tiny RSS/messages Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/ | |||
2020-07-02 | Translated using Weblate (Norwegian Bokmål) | Jan Espen Pedersen | |
Currently translated at 44.4% (323 of 727 strings) Translation: Tiny Tiny RSS/messages Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/ | |||
2020-07-01 | Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master | fox | |
2020-07-01 | when exporting OPML via web UI, add user login to the filename | Andrew Dolgov | |