Age | Commit message | Author |
2020-09-17 | validate_url: relax requirements for URLs, limit additional port/loopback fil... | Andrew Dolgov |
2020-09-17 | replace FALSE with false so that static analyzer shuts up about it | Andrew Dolgov |
2020-09-17 | rename gettext.inc to gettext.inc.php (cosmetic) | Andrew Dolgov |
2020-09-17 | fetch_file_contents: validate effective URL (after redirects) without CURL | Andrew Dolgov |
2020-09-17 | fetch_file_contents: validate effective URL (after redirects) if using CURL | Andrew Dolgov |
2020-09-17 | don't try to call hash_equals() on unset user token | Andrew Dolgov |
2020-09-17 | use hash_equals() correctly | Andrew Dolgov |
2020-09-17 | fix several cases of Db class being invoked as wrong name (as DB) | Andrew Dolgov |
2020-09-17 | replace some plain http links with https | Andrew Dolgov |
2020-09-17 | * use get_random_bytes() for CSRF token | Andrew Dolgov |
2020-09-17 | fix OTP QR code not displayed because of CSRF token passed as a query | Andrew Dolgov |
2020-09-17 | amend previous to 127/8 subnet | Andrew Dolgov |
2020-09-17 | fetch_file_contents: resolve requested hosts and check for possible | Andrew Dolgov |
2020-09-16 | build_url: also put query parameters and fragment in resulting URL | Andrew Dolgov |
2020-09-16 | cached_url: block SVG images because of potential javascript inside | Andrew Dolgov |
2020-09-15 | don't pass csrf token as a GET parameter to Article | Andrew Dolgov |
2020-09-15 | rewrite_relative_url: validate resulting absolutized URLs | Andrew Dolgov |
2020-09-15 | validate_url: only allow safe ports (80, 443), disallow access to loopback | Andrew Dolgov |
2020-09-15 | validate_url: add clean() | Andrew Dolgov |
2020-09-15 | rename base64_img() to image_to_base64() | Andrew Dolgov |
2020-09-15 | cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE ... | Andrew Dolgov |
2020-09-14 | remove csrf token from rpc method sanityCheck | Andrew Dolgov |
2020-09-14 | - fix multiple vulnerabilities in af_proxy_http | Andrew Dolgov |
2020-06-15 | better support for image srcset attributes as discussed in https://community.... | Andrew Dolgov |
2020-05-23 | only bind up/down in 3 panel mode | Andrew Dolgov |
2020-05-23 | Revert "unbind up/down by default (use native scrolling for consistency with ... | Andrew Dolgov |
2020-05-23 | unbind up/down by default (use native scrolling for consistency with pgup/pgdn) | Andrew Dolgov |
2020-05-17 | implement keyboard-related changes discussed in https://community.tt-rss.org/... | Andrew Dolgov |
2020-05-15 | Make iframes size responsively. | JustAMacUser |
2020-05-09 | sanitize: forbid "allow" attribute | Andrew Dolgov |
2020-05-09 | add hotkey "\" to cancel current search | Andrew Dolgov |
2020-04-29 | sanitize: simplify initial attribute processing | Andrew Dolgov |
2020-04-29 | sanitize: remove srcset plain-http hack, globally disallow width and height a... | Andrew Dolgov |
2020-04-29 | sanitize: handle picture[@srcset] elements properly, i.e. rewrite relative URLs | Andrew Dolgov |
2020-03-25 | Fix documentation for _noexpand commands | Martin Stone |
2020-03-02 | In get_version() disable DIRECTORY_SEPARATOR check, permit using git on Windo... | Toby Simmons |
2020-02-28 | af_readability: allow get full text button to work as a toggle; in cdm, scrol... | Andrew Dolgov |
2020-02-27 | update toggle_embed_original hotkey to invoke readability embed instead of re... | Andrew Dolgov |
2020-02-22 | don't generate default.css, replace with themes/light.css as a default root C... | Andrew Dolgov |
2020-02-13 | add support for image loading=lazy attribute | Andrew Dolgov |
2020-01-24 | scrap counter cache system; rework counters to sum() booleans instead | Andrew Dolgov |
2020-01-17 | disable MAX_FETCH_REQUESTS_PER_HOST warnings for the time being | Andrew Dolgov |
2020-01-14 | get_version: don't rely on exec() exit code to determine whether output is valid | Andrew Dolgov |
2019-12-20 | get_version: fix commit/timestamp lost on subsequent invocations because of m... | Andrew Dolgov |
2019-12-19 | force-disable php display_errors/display_startup_errors on startup | Andrew Dolgov |
2019-12-19 | get_version: filter out Darwin | Andrew Dolgov |
2019-12-18 | get_version: always return unsupported on windows | Andrew Dolgov |
2019-12-18 | SELF_USER_AGENT: switch to get_version() | Andrew Dolgov |
2019-12-18 | get_version: don't pass useless root dir to git, instead log it in case of fa... | Andrew Dolgov |
2019-12-18 | remove version.php and VERSION global constant, do version-related things in ... | Andrew Dolgov |