da98ba662e
public/subscribe: require valid CSRF token when validating the form
2020-09-14 20:21:22 +03:00
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
...
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
88ced02622
Silence php 7.2 error message generated in `session_set_cookie_params`.
2020-08-14 10:47:46 -05:00
dfa65e9374
move order_by to SQL override logic into a separate function
2020-08-13 11:52:32 +03:00
48be005774
instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp
2020-08-11 13:29:09 +03:00
1f2a721905
allow overriding built-in templates via templates.local
2020-03-13 14:40:35 +03:00
bdb1e475e7
external subscribe dialog: support dark theme
2020-02-27 13:40:32 +03:00
b2876f6c72
share anything dialog: support dark theme
2020-02-27 13:38:24 +03:00
4ab3854aed
don't generate default.css, replace with themes/light.css as a default root CSS file
2020-02-22 16:22:44 +03:00
aa56bcaf44
support night mode when using share by URL
2020-01-19 10:51:08 +03:00
f47998f569
generate_syndicated_feed: use local media in generated feeds if it is available
2020-01-13 17:02:14 +03:00
72d0fac80c
remove version.php and VERSION global constant, do version-related things in a slightly less ridiculous way
2019-12-18 14:27:40 +03:00
ef514bc4bd
add notifications for mail and password changes
...
update and shorten some other message templates
2019-10-09 09:04:51 +03:00
958c4dc124
Removed extra php end tag that was showing in the page title
2019-09-17 09:11:30 -05:00
3e4701116d
af_readability: add missing file
2019-08-16 15:29:24 +03:00
0e3b71c535
public/pluginhandler: log invalid requests
2019-08-15 17:17:25 +03:00
d4df57e1a4
Article::get_article_image() - also return stream URI if possible
2019-08-14 17:04:14 +03:00
68e2b05f65
* move get_article_image to Article; implement better og:image detection (similar to android app)
...
* pass article image to API clients in headlines row object
2019-08-14 16:55:38 +03:00
39f459eb04
public/cached_url: forbid sending files with extensions
2019-08-14 10:45:46 +03:00
3c075bfd21
DiskCache: more strict checking for input filenames, getUrl() is no longer static
2019-08-14 09:49:18 +03:00
fdb6066bf6
* HOOK_ENCLOSURE_ENTRY: pass article_id to handler
...
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
2019-08-13 16:40:21 +03:00
133c2b482b
move rewrite_cached_urls to DiskCache::rewriteUrls()
2019-08-13 12:46:57 +03:00
b1dd38f880
add DiskCache.getUrl() and use it in a bunch of places
2019-08-13 12:39:21 +03:00
ea30061cce
public: fix share() returning random unshared articles if uuid is not given
2019-07-05 16:02:51 +03:00
4fa9aee4e7
move several more global functions to more appropriate classes
2019-06-20 08:14:06 +03:00
6d746453c7
get_feeds_from_html: remove XML preamble hack
...
move several related helper functions to Feeds class
2019-06-20 07:51:48 +03:00
671f4cee65
domdocument: remove old meta charset unicode hacks, replace with shorter xml preamble utf8 hack (on loadhtml where it makes sense)
...
af_readability: better (?) charset hack for non-unicode pages
2019-03-21 21:08:02 +03:00
6ae0a3dd3e
share: further improve og:description excerpt logic, minor layout stuff
2019-03-19 20:41:38 +03:00
74e8661351
share: decode entities in metadata fields so that length limits would make more sense
2019-03-19 15:53:32 +03:00
19f162dbe3
css: insensitive -> text-muted
2019-03-08 10:11:57 +03:00
44858ca2dd
Merge branch 'master' of git.fakecake.org:tt-rss
2019-03-07 06:45:04 +03:00
e91223ec7d
update CLI schema updater with newer warnings
2019-03-07 06:44:59 +03:00
609662d48c
oops, fix typo
2019-03-06 22:48:10 +03:00
91cfd9c391
dbupdater: add mysql transaction warning
2019-03-06 22:46:31 +03:00
0881d0a00d
some dbupdater improvements; fix schema 136 syntax for mysql
2019-03-06 19:42:27 +03:00
38e01270d8
archived feeds: expire old entries (schema bump)
2019-03-06 19:06:05 +03:00
ef6d2b8a4e
update notifications to make them more visible
...
cleanup some minor stuff in pref-users
2019-03-05 20:09:06 +03:00
5b3a73e574
login: switch to absolute redirect urls
2019-03-04 20:38:39 +03:00
925065b1fe
Revert "login: only allow relative URLs in return="
...
This reverts commit c68ac04020
2019-03-04 07:02:58 +03:00
c68ac04020
login: only allow relative URLs in return=
2019-03-03 07:53:42 +03:00
cc57ed3775
public/subscribe: add basic dialog to enter feed urls
2019-03-03 06:18:19 +03:00
54c1b5c611
fill in some missing doctypes; use short doctype where it wasn't
2019-02-23 13:49:40 +03:00
d60038d48b
simplify some public.php prompts; prevent from submitting forgotpass form repeatedly if check succeeds
2019-02-21 12:50:15 +03:00
6701497879
public.php: markup cleanup
2019-02-20 13:12:55 +03:00
be322d6fc8
cleanup sharepopup dialog
2019-02-20 13:05:12 +03:00
d9e20f8b16
update external subscribe dialog
2019-02-20 12:32:52 +03:00
5ce55faa3b
installer: reduce margins; misc fixes
2019-02-19 21:23:03 +03:00
420e71280a
dbupdater: dojoify, add some missing translations
2019-02-19 20:55:02 +03:00
f7a4a45bde
pwd reset: use dijit controls
2019-02-19 20:43:45 +03:00
59df261fb8
forgotpass: slightly better anti-bot protection
2019-02-19 20:25:48 +03:00
8cd7f31bde
utility css updates
2019-02-19 19:46:09 +03:00
c11f32ac38
center and rework some utility screens
2019-02-19 14:59:29 +03:00
b1f9ebe46e
get_article_image: ignore data: schema images, other minor fixes
2019-01-10 08:42:31 +03:00
e70d42237a
edit options after subscribe: use correct method name
2018-12-25 16:22:12 +03:00
d0d05e4079
zoom mode: hide .attachments
2018-12-10 07:20:13 +03:00
6a6af964df
feed template, ARTICLE_OG_IMAGE: set as optional
2018-12-09 17:18:29 +03:00
851f62dc4a
syndicated feeds:
...
1. properly reset enclosure template variables if there's no enclosures
2. add ARTICLE_OG_IMAGE which sets flavor image for article using common code with article render etc
2018-12-09 17:07:17 +03:00
b2c079893b
move Article::format_article() to Handler_Public
2018-12-09 11:13:02 +03:00
966fe6d612
#sharepopup: update css
2018-12-09 10:56:39 +03:00
19e24b4fe2
force cast profile id to integer when assigning to session variable
2018-12-06 07:08:54 +03:00
29c890b495
login form: use dojo, remove profile hacks
2018-12-04 23:17:35 +03:00
79c5035920
reset password: use updated mailer parameters properly
2018-11-26 12:44:36 +03:00
57932e1837
remove PHPMailer and related directives from config.php-dist; add pluggable Mailer class
2018-11-22 14:45:14 +03:00
253dbd4856
generate_syndicated_feed: add support for virtual feeds provided by plugins
2018-11-07 14:21:39 +03:00
5f66f872b6
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks
2018-10-16 14:07:42 +03:00
f8fc1ac543
login: check for stale session in login handler, instead of authenticate_user()
2018-10-16 11:39:12 +03:00
f730d7bb0a
another attempt to enforce session ID regeneration on login
2018-10-16 09:11:32 +03:00
65e98f4086
force regenerate session id on successful login, remove previous blank SID check
2018-10-15 15:47:50 +03:00
88adf3da1b
send_local_file: add application/octet-stream hack
...
cached_url: return original requested filename to save as
2018-08-16 12:16:51 +03:00
e6532439d6
force strip_tags() on all user input unless explicitly allowed
2017-12-03 23:35:38 +03:00
df5d2a0665
pluginhost: do not connect via legacy DB api until requested
...
log all initiated legacy database connections
2017-12-03 14:49:18 +03:00
b51d44a5e6
further stylesheet simplification related fixes (2)
2017-12-03 13:26:26 +03:00
09bc54c690
further stylesheet simplification related fixes
2017-12-03 13:25:34 +03:00
5e68e24679
css/less updates
2017-12-03 12:50:07 +03:00
187abfe732
main classes: remove sql_bool_to_bool() kludge
2017-12-03 09:35:59 +03:00
1d92297a96
dbupdater: use PDO
2017-12-02 01:28:30 +03:00
cb13089af1
public: use PDO headlines result (2)
2017-12-01 20:57:55 +03:00
dc393a580b
public: use PDO headlines result
2017-12-01 20:57:05 +03:00
1271407eea
public: partial conversion to PDO, misc fixes
2017-12-01 18:57:34 +03:00
9dd336a2c3
generate base css files using lessc
2017-11-29 18:55:12 +03:00
2352c320c2
fix possible sql injection in public/forgotpass
2017-11-20 08:48:18 +03:00
81d96c0dee
makes 'order by title' to sort by title and by ascending date
...
* this allows to chronologically browse all articles with the
same title.
2017-10-09 22:50:03 +02:00
8b73bd28d8
remove apache-specific x-sendfile stuff
...
implement a hook (HOOK_SEND_LOCAL_FILE) which plugins may use to send files
via httpd-specific implementation to increase performance typically on larger files
2017-10-08 17:14:56 +03:00
b2d42e960b
replace some usages of SELF_URL_PATH with get_self_url_prefix()
2017-07-06 23:01:44 +03:00
5b6ea1ef91
remove pubsubhubbub: dead
2017-05-16 10:41:20 +03:00
2ed0d6c433
move counter cache to a separate class
...
fix references to get_article_tags
2017-05-04 15:22:57 +03:00
aeb1abedb2
move a bunch of functions into Feeds/Article namespaces
...
+ static function catchupArticlesById($ids, $cmode, $owner_uid = false) {
+ static function getLastArticleId() {
+ static function queryFeedHeadlines($params) {
+ static function getParentCategories($cat, $owner_uid) {
+ static function getChildCategories($cat, $owner_uid) {
move the rest of functions2.php back to functions.php as it is of more manageable size, remove the former
2017-05-04 15:13:02 +03:00
a230bf88a9
move to Article:
...
+ static function purge_orphans($do_output = false) {
move to Feeds
+ static function getGlobalUnread($user_id = false) {
+ static function getCategoryTitle($cat_id) {
+ static function getLabelUnread($label_id, $owner_uid = false) {
2017-05-04 15:00:21 +03:00
86a8351ca2
move the following to Feeds:
...
+ static function catchup_feed($feed, $cat_view, $owner_uid = false, $mode = 'all', $search = false) {
+ static function getFeedArticles($feed, $is_cat = false, $unread_only = false,
+ static function subscribe_to_feed($url, $cat_id = 0,
+ static function getFeedIcon($id) {
+ static function getFeedTitle($id, $cat = false) {
+ static function getCategoryUnread($cat, $owner_uid = false) {
+ static function getCategoryChildrenUnread($cat, $owner_uid = false) {
2017-05-04 14:50:56 +03:00
7e5f8d9fb3
move the following to Article:
...
+ static function format_article_enclosures($id, $always_display_enclosures,
+ static function format_article($id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+ static function get_article_tags($id, $owner_uid = 0, $tag_cache = false) {
+ static function format_tags_string($tags) {
+ static function format_article_labels($labels) {
+ static function format_article_note($id, $note, $allow_edit = true) {
+ static function get_article_enclosures($id) {
2017-05-04 14:38:45 +03:00
41bead9baa
remove local file extensions and generalize some method names for cached media
...
file extensions may still be present in urls, but are ignored by the backend
MIGRATION (if you have any cached data worth keeping, not required):
in cache/images run "rename 's/\..*$//' *" i.e. strip file extensions
2017-03-23 14:55:40 +03:00
4daaf23491
allow user plugins to expose public methods out in a limited fashion
2017-02-10 16:04:28 +03:00
38b3998bbc
af_zz_imgproxy: use inline disposition, misc updates
2017-02-10 12:37:21 +03:00
9c7ebaa08c
cached_image: remove unnecessary basename()
2017-02-04 12:02:17 +03:00
0442cbb6c1
image cache: send files as content-disposition: attachment; add .png suffix to image urls
2017-02-04 11:32:24 +03:00
2f1a29d9c8
generate_syndicated_feed: sanitize content excerpt
2016-04-29 22:00:02 +03:00
977cea1438
actually check for failures properly in the dbupdater
2016-04-26 20:04:24 +03:00
9232283815
pass feed information to hook_article_export_feed
2016-03-01 14:42:15 +03:00
399678a14e
add PluginHost.HOOK_ARTICLE_EXPORT_FEED
2016-03-01 14:39:36 +03:00
3261dbfa21
generate_syndicated_feed: pass article id to sanitize()
2016-02-11 20:12:01 +03:00
Andrew Dolgov