Age | Commit message | Author | |
---|---|---|---|
2020-09-17 | fix OTP QR code not displayed because of CSRF token passed as a query parameter; use type-strict comparison when validating CSRF token on the backend | Andrew Dolgov | |
2020-09-16 | subscribe: allow pre-filling feed URL if passed via query string | Andrew Dolgov | |
2020-09-16 | pass CSRF token to opml import and feed icon replace dialogs | Andrew Dolgov | |
2020-09-15 | editarticletags: load dialog via XHR | Andrew Dolgov | |
2020-09-15 | handler: default base csrf_ignore() to false | Andrew Dolgov | |
2020-09-15 | backend handler: require CSRF, remove obsolete code | Andrew Dolgov | |
2020-09-15 | public/logout: require valid CSRF token | Andrew Dolgov | |
2020-09-15 | Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection | Andrew Dolgov | |
2020-09-15 | - backend: require CSRF token to be passed via POST - do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST | Andrew Dolgov | |
2020-09-15 | require CSRF token for Article/redirect | Andrew Dolgov | |
2020-09-15 | - enable CSRF support earlier - remove rpc/sanityCheck from CSRF-excluded calls | Andrew Dolgov | |
2020-09-15 | af_proxy_http: never print received data directly, always redirect to cached_url; cache/getUrl: basename() passed filename just in case | Andrew Dolgov | |
2020-09-14 | user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) | Andrew Dolgov | |
2020-09-14 | public/subscribe: require valid CSRF token when validating the form | Andrew Dolgov | |
2020-09-14 | - fix multiple vulnerabilities in af_proxy_http - fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions | Andrew Dolgov | |
2020-09-11 | order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting | Andrew Dolgov | |
2020-08-29 | properly return counters for labels with zero assigned articles; refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766 | Andrew Dolgov | |
2020-08-14 | Silence php 7.2 error message generated in `session_set_cookie_params`. | Rodney Stromlund | |
2020-08-13 | pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc | Andrew Dolgov | |
2020-08-13 | move order_by to SQL override logic into a separate function | Andrew Dolgov | |
2020-08-11 | instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp | Andrew Dolgov | |
2020-08-10 | OPML: export/import per-feed purge interval | Andrew Dolgov | |
2020-08-01 | more int/string type mismatches on getCategories | Paco Esteban | |
2020-07-31 | make sure all ints are casted (to int) on getCategories | Paco Esteban | |
2020-07-01 | Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master | fox | |
2020-07-01 | when exporting OPML via web UI, add user login to the filename | Andrew Dolgov | |
2020-07-01 | prefs: show disabled filters properly on mysql | Andrew Dolgov | |
2020-07-01 | prefs: show root of filter tree as enabled so it's not grayed out | Andrew Dolgov | |
2020-06-27 | Properly check if OPML file was loaded during import. | wn_ | |
2020-06-24 | core: pass found enclosures to HOOK_ARTICLE_FILTER; af_redditimgur: remove enclosures if we found something to embed because it's going to be a low-res thumbnail | Andrew Dolgov | |
2020-06-15 | better support for image srcset attributes as discussed in https://community.tt-rss.org/t/problem-with-img-srcset/3519 | Andrew Dolgov | |
2020-06-05 | eslint-related fixes; move a few things from global context to App | Andrew Dolgov | |
2020-05-22 | when removing favicon, reset its auto-refresh timer | Andrew Dolgov | |
2020-05-17 | calculate_article_hash: don't die() on previous, woops | Andrew Dolgov | |
2020-05-17 | calculate_article_hash: ignore some useless or read-only fields (i.e. GUID) when calculating hash | Andrew Dolgov | |
2020-05-17 | * store UID in article hashed GUID separately so it could be migrated cleanly to a different instance * store resulting GUID as a JSON object so it could be extended easier if needed | Andrew Dolgov | |
2020-05-13 | add --opml-export to update.php | Andrew Dolgov | |
2020-05-12 | DiskCache: append fake file extension when sending cached files based on mime type to make saving files easier | Andrew Dolgov | |
2020-04-29 | DiskCache: properly deal with srcset attributes | Andrew Dolgov | |
2020-04-29 | remove unneeded var_dump() | Andrew Dolgov | |
2020-04-29 | * add HOOK_ENCLOSURE_IMPORTED * pass feed id to HOOK_FEED_PARSED | Andrew Dolgov | |
2020-04-04 | search: add support for label:XXX search keyword; Labels: enforce case-insensitive lookups when creating/looking for labels | Andrew Dolgov | |
2020-03-13 | allow overriding built-in templates via templates.local | Andrew Dolgov | |
2020-03-12 | add support for video[@src] in media cache; it's a valid alternative to a source[@src] child element: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/video | lllusion3418 | |
2020-03-12 | actually download <video> posters to media cache; video[@poster] is already supported in the rewriting logic but never actually downloaded | lllusion3418 | |
2020-03-12 | fix url rewriting for videos with poster and src; if a poster attribute was present only that would have been rewritten and the (arguably more important) src attribute would be left as-is | lllusion3418 | |
2020-03-10 | PluginHost/save_data: use separate PDO connection to prevent issues with nested transactions | Andrew Dolgov | |
2020-02-28 | batchSubscribe: use validationtextarea | Andrew Dolgov | |
2020-02-28 | add validationtextarea control, use it for filter match editor | Andrew Dolgov | |
2020-02-28 | filter test dialog: pass contents via xhr POST | Andrew Dolgov | |