Age | Commit message | Author |
|
private)
|
classes instead
|
parameter
use type-strict comparison when validating CSRF token on the backend
|
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
|
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
|
first sorting work consistently with newest first - i.e. rely on feed-provided timestamp
|
CSS file
|
a slightly less ridiculous way
|
update and shorten some other message templates
|
(similar to android app)
* pass article image to API clients in headlines row object
|
static
|
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
|
move several related helper functions to Feeds class
|
preamble utf8 hack (on loadhtml where it makes sense)
af_readability: better (?) charset hack for non-unicode pages
|
more sense
|
cleanup some minor stuff in pref-users
|