Commit Graph

1591 Commits

Author SHA1 Message Date
Andrew Dolgov cbcb10a272 Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection 2020-09-15 16:28:09 +03:00
Andrew Dolgov 8080c525fd - backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov e670ac2ee5 require CSRF token for Article/redirect 2020-09-15 15:35:50 +03:00
Andrew Dolgov 7e50c6c4b5 - enable CSRF support earlier
- remove rpc/sanityCheck from CSRF-excluded calls
2020-09-15 15:32:17 +03:00
Andrew Dolgov 79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
2020-09-15 08:02:28 +03:00
Andrew Dolgov 4a074111b5 user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) 2020-09-14 20:53:00 +03:00
Andrew Dolgov da98ba662e public/subscribe: require valid CSRF token when validating the form 2020-09-14 20:21:22 +03:00
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Andrew Dolgov a922b3cc6d order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting 2020-09-11 07:48:22 +03:00
Andrew Dolgov 67f02e2aa7 properly return counters for labels with zero assigned articles
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
2020-08-29 08:41:52 +03:00
Rodney Stromlund 88ced02622 Silence php 7.2 error message generated in `session_set_cookie_params`. 2020-08-14 10:47:46 -05:00
Andrew Dolgov ddf9227dc4 pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc 2020-08-13 12:23:27 +03:00
Andrew Dolgov dfa65e9374 move order_by to SQL override logic into a separate function 2020-08-13 11:52:32 +03:00
Andrew Dolgov 48be005774 instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp 2020-08-11 13:29:09 +03:00
Andrew Dolgov 05a47e5cf4 OPML: export/import per-feed purge interval 2020-08-10 11:57:39 +03:00
Paco Esteban c4ee0e25a1 more int/string type mismatches on getCategories 2020-08-01 16:30:10 +02:00
Paco Esteban 3da618e0ea make sure all ints are casted (to int) on getCategories 2020-07-31 16:15:16 +02:00
fox 68b78ecd3d Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master 2020-07-01 14:48:02 +00:00
Andrew Dolgov b6372a846d when exporting OPML via web UI, add user login to the filename 2020-07-01 10:02:24 +03:00
Andrew Dolgov fa653f5a43 prefs: show disabled filters properly on mysql 2020-07-01 09:49:53 +03:00
Andrew Dolgov 2996a3942f prefs: show root of filter tree as enabled so it's not grayed out 2020-07-01 09:48:27 +03:00
wn_ 614d3ac1bf Properly check if OPML file was loaded during import. 2020-06-27 15:06:08 -05:00
Andrew Dolgov c352e872e9 core: pass found enclosures to HOOK_ARTICLE_FILTER
af_redditimgur: remove enclosures if we found something to embed because it's going to be a low-res thumbnail
2020-06-24 22:54:14 +03:00
Andrew Dolgov 6eb94f1e13 better support for image srcset attributes as discussed in https://community.tt-rss.org/t/problem-with-img-srcset/3519 2020-06-15 11:58:59 +03:00
Andrew Dolgov d01ad09800 eslint-related fixes; move a few things from global context to App 2020-06-05 07:44:57 +03:00
Andrew Dolgov c8cc845d5b when removing favicon, reset its auto-refresh timer 2020-05-22 15:06:52 +03:00
Andrew Dolgov 06d2c65193 calculate_article_hash: don't die() on previous, woops 2020-05-17 17:44:32 +03:00
Andrew Dolgov 3a142cbf58 calculate_article_hash: ignore some useless or read-only fields (i.e. GUID) when calculating hash 2020-05-17 17:42:37 +03:00
Andrew Dolgov cd1f3cb8cc * store UID in article hashed GUID separately so it could be migrated cleanly to a different instance
* store resulting GUID as a JSON object so it could be extended easier if needed
2020-05-17 14:01:16 +03:00
Andrew Dolgov 7a2e9bef77 add --opml-export to update.php 2020-05-13 12:07:31 +03:00
Andrew Dolgov c275a0cd33 DiskCache: append fake file extension when sending cached files based on mime type to make saving files easier 2020-05-12 13:28:54 +03:00
Andrew Dolgov 3a4b9249a9 DiskCache: properly deal with srcset attributes 2020-04-29 19:29:36 +03:00
Andrew Dolgov 4a00f96733 remove unneeded var_dump() 2020-04-29 11:35:02 +03:00
Andrew Dolgov 6573541873 * add HOOK_ENCLOSURE_IMPORTED
* pass feed id to HOOK_FEED_PARSED
2020-04-29 11:33:39 +03:00
Andrew Dolgov 44b1f0fcc0 search: add support for label:XXX search keyword
Labels: enforce case-insensitive lookups when creating/looking for labels
2020-04-04 14:34:08 +03:00
Andrew Dolgov 1f2a721905 allow overriding built-in templates via templates.local 2020-03-13 14:40:35 +03:00
lllusion3418 ec1b0befc7 add support for video[@src] in media cache
it's a valid alternative to a source[@src] child element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/video
2020-03-12 11:08:39 +01:00
lllusion3418 cdde23b4dc actually download <video> posters to media cache
video[@poster] is already supported in the rewriting logic but never
actually downloaded
2020-03-12 11:08:33 +01:00
lllusion3418 b4287a2e98 fix url rewriting for videos with poster and src
if a poster attribute was present only that would have been rewritten
and the (arguably more important) src attribute would be left as-is
2020-03-12 11:08:24 +01:00
Andrew Dolgov 208e02c47d PluginHost/save_data: use separate PDO connection to prevent issues with nested transactions 2020-03-10 08:14:00 +03:00
Andrew Dolgov bcbc5ccc78 batchSubscribe: use validationtextarea 2020-02-28 14:03:29 +03:00
Andrew Dolgov f24ece85a6 add validationtextarea control, use it for filter match editor 2020-02-28 13:53:45 +03:00
Andrew Dolgov 8645f36c5b filter test dialog: pass contents via xhr POST 2020-02-28 12:16:54 +03:00
Andrew Dolgov bdb1e475e7 external subscribe dialog: support dark theme 2020-02-27 13:40:32 +03:00
Andrew Dolgov b2876f6c72 share anything dialog: support dark theme 2020-02-27 13:38:24 +03:00
Andrew Dolgov 4ab3854aed don't generate default.css, replace with themes/light.css as a default root CSS file 2020-02-22 16:22:44 +03:00
Andrew Dolgov 5f30061c92 properly calculate marked counters for feeds in nested categories 2020-02-20 15:54:40 +03:00
Andrew Dolgov 60288f02e8 1. feedtree: show counters for marked articles if view-mode == marked
2. hide/show relevant counter nodes using css
3. cleanup some counter-related code
4. compile default css into light theme to prevent cache-related issues
2020-02-20 14:14:45 +03:00
Andrew Dolgov 5b6d9cee29 prefs layout fixes:
1. prevent layout breakage when using an authenticator which doesn't allow changing passwords
2. show explanatory messages when OTP or password changing is not available
3. allow app (API) passwords when using any auth module
2020-02-18 11:51:04 +03:00
Andrew Dolgov 47135160d1 getCategoryCounters: properly handle categories which don't have any stored feeds/articles 2020-01-27 15:45:04 +03:00