nodiscc
eaefcba724
Merge remote-tracking branch 'ArthurHoaro/input-escape' into next
Conflicts:
index.php
2015-06-24 00:51:38 +02:00
VirtualTam
9f15ca9ee7
LinkDB: add 'hidePublicLinks' parameter to the constructor
Fixes #236
Relates to #237
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2015-06-24 00:26:59 +02:00
ArthurHoaro
c68da3ffbf
Page title if there is a single link
Fixes #232
2015-06-23 20:22:02 +02:00
ArthurHoaro
5f85fcd863
Working on shaarli/Shaarli#224
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from the datastore and before sending them to templates.
  It means no escaping function in Twig templates.
  2 reasons:
  * it reduces the risk of security issues for future user-made templates
  * more readable templates
* sanitize user configuration fields after loading them.
2015-06-23 16:35:36 +02:00
nodiscc
4a5827ff5a
Merge remote-tracking branch 'ArthurHoaro/daily-date' into next
2015-06-23 15:07:03 +02:00
nodiscc
38a0c256d2
Merge remote-tracking branch 'virtualtam/test/link-db' into next
Conflicts:
index.php
2015-06-23 14:38:43 +02:00
nodiscc
0fe36414c8
Merge remote-tracking branch 'ArthurHoaro/search-tag-awesomplete' into next
2015-06-23 14:18:31 +02:00
ArthurHoaro
4de71445d3
Daily page: date format in template
It only concerns the date of the day in the main title.
Fixes #182
Note that the daily RSS feed is not generated through templates. Dates are still hard-formatted in that case.
2015-06-19 20:23:58 +02:00
VirtualTam
ca74886f30
LinkDB: move to a proper file, add test coverage
Relates to #71
LinkDB
- move to application/LinkDB.php
- code cleanup
- indentation
- whitespaces
- formatting
- comment cleanup
- add missing documentation
- unify formatting
Test coverage for LinkDB
- constructor
- public / private access
- link-related methods
Shaarli utilities (LinkDB dependencies)
- move startsWith() and endsWith() functions to application/Utils.php
- add test coverage
Dev utilities
- Composer: add PHPUnit to dev dependencies
- Makefile:
- update lint targets
- add test targets
- generate coverage reports
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2015-06-11 00:45:45 +02:00
ArthurHoaro
a037ac6963
Do not load links if they're hidden (also fixes shaarli/Shaarli#202)
2015-06-09 14:58:54 +02:00
ArthurHoaro
65d6251744
Add awesomplete to tag search shaarli/Shaarli#49
2015-06-09 14:23:28 +02:00
nodiscc
cbecab7735
split annoyingpatterns list on multiple lines, add new patterns for removal:
* utm_content=
* fb=
* xtor=
closes https://github.com/shaarli/Shaarli/issues/136
2015-06-03 15:58:58 +02:00
nodiscc
f95d0428f6
Merge branch 'really-hide' of https://github.com/pikzen/Shaarli into next
2015-05-22 21:07:00 +02:00
nodiscc
8b3c67fccb
Merge remote-tracking branch 'Marsup/firefox-social' into next
2015-05-22 21:04:36 +02:00
Marsup
d33c5d4c3b
Add Firefox Social API to the tools. Fixes #101 .
2015-05-15 16:18:54 +00:00
feula
59c90f5808
Properly hide all links
>searchtags
2015-05-11 20:08:38 +02:00
Jonathan Druart
f5b059254f
Display date as today if no articles published
On "The Daily Shaarli" page (index.php?do=daily), the date is "Tuesday
30, November 1999" if no articles have been published/shared.
This patch checks the parameter ($linkdate) before the mktime call to
prevent generating the "day 0" string.
mktime(0,0,0,0,0,0) returns 943916400 (hum?)
2015-05-11 11:16:19 +01:00
nodiscc
caee7ff9cc
change wording and variable names for "Hide public links" feature
2015-04-10 20:52:12 +02:00
nodiscc
0c45b01cc2
Merge remote-tracking branch 'pikzen/disable-public' into next
2015-04-10 20:30:33 +02:00
nodiscc
507849290c
Merge remote-tracking branch 'ArthurHoaro/localecharset' into next
2015-04-10 20:30:15 +02:00
nodiscc
1caf200551
Merge commit '326ae54' into next
2015-04-10 20:28:24 +02:00
feula
8fa1ebd605
Allow disabling all public links, fixes #188
2015-04-09 18:13:11 +02:00
ArthurHoaro
da49603b86
#193 add UTF8 by default to autoLocale
2015-04-08 06:53:34 +02:00
ArthurHoaro
8438a2e5d0
Fixes autoLocale function by trying several ways to find a correct one.
Fix https://github.com/shaarli/Shaarli/issues/184
2015-04-05 22:01:43 +02:00
dimtion
326ae54d08
Fix missing permalink title when logged in
2015-04-05 18:18:15 +02:00
Florian Eula
b47f515ad3
Display notes as absolute URLs
2015-04-01 11:47:04 +02:00
ArthurHoaro
a5752e776c
Fix bad merge commit
Define date format in templates instead of index.php.
Conflicts:
index.php
tpl/dailyrss.html
2015-04-01 00:32:47 +02:00
pikzen
d3b2b456e1
Display notes as absolute urls
Fixes https://github.com/shaarli/Shaarli/issues/177
Merge commit '3ea318dad05954e2043d5bb2f8572b103d7c3930' into notes-absolute-url
Conflicts:
index.php
2015-03-31 20:16:06 +02:00
ArthurHoaro
880cbf92ca
Fixes autoLocale function by trying several ways to find a correct one.
2015-03-31 13:22:20 +02:00
ArthurHoaro
bec1870180
Define date format in templates instead of index.php.
2015-03-31 13:19:07 +02:00
feula
3ea318dad0
Display notes as absolute urls.
The deletion is related to Windows not handling quotes in filenames, see
#179. It shouldn't delete the real file. Probably. Check it out.
2015-03-29 17:31:38 +02:00
nodiscc
129ff3c2e5
bump version to 0.0.45beta
2015-03-16 16:17:31 +01:00
nodiscc
b4b7d3343a
Merge branch 'picwall-direct-link' into next
2015-03-15 14:24:51 +01:00
nodiscc
aa22244027
bump version to 0.0.44beta
2015-03-15 14:23:55 +01:00
nodiscc
9a631bab7f
Merge remote-tracking branch 'ArthurHoaro/autocomplete' into next
2015-03-15 14:21:59 +01:00
ArthurHoaro
bdd1715b24
Use awesomplete as autocomplete lib and remove jQuery - shaarli/Shaarli#148
* Add awesomplete dependency (source + min + CSS)
* Remove jQuery and jQuery-UI dependencies
* Few CSS adjustments
* Use tags complete list as RainTPL var (and display it as HTML)
* Remove "disable jQuery" feature
* Remove tag list web service
2015-03-12 20:27:16 +01:00
nodiscc
4a1a1190a6
picwall: link directly to the target URL (not the permalink)
2015-03-11 19:19:18 +01:00
nodiscc
3ef1da28e8
Merge pull request #119 from ArthurHoaro/js-link
allow 'javascript:' links sharing (bookmarklets)
2015-03-11 19:17:13 +01:00
nodiscc
35c2c4db5b
Redirect to homepage after adding a link via "Add Link" dialog
* Fixes https://github.com/shaarli/Shaarli/issues/115
2015-03-05 13:43:53 +01:00
nodiscc
01b8f52718
Merge pull request #141 from nodiscc/cleanurl-filters
Add URL cleaning filters + refactoring
2015-03-05 13:42:38 +01:00
nodiscc
baf5cbf27d
Improve URL cleaning:
* also remove action_type_map, action_ref_map and action_object maps params used by facebook
2015-03-05 13:40:43 +01:00
nodiscc
403a199409
Improve annoying URL parameters cleaning:
* Use regular expressions to avoid duplicating params depending on their position in the URL (&param=, ?param=)
* Only remove the relevant URL pattern and don't remove following params, fixes https://github.com/shaarli/Shaarli/issues/136
* Credits to Marcus Rohrmoser (https://github.com/mro )
2015-03-05 13:33:30 +01:00
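The position-independent parameter stripping this commit describes, as an added example that is not Shaarli's own code: `cleanUrl()` and the pattern list are assumptions made for the illustration, and the URLs at the bottom are constructed test cases.

```php
<?php
// Added example (not Shaarli's own code): strip tracking parameters from a
// URL wherever they sit ("?param=" or "&param="), leaving the parameters that
// follow them intact. The pattern list is illustrative; the project keeps its
// own list.

/**
 * Remove every query parameter whose name matches one of $patterns.
 * Each pattern is the parameter name followed by "=", as in the commit above.
 */
function cleanUrl(string $url, array $patterns): string
{
    foreach ($patterns as $pattern) {
        // Anchor on the separator so "xutm_source=" is not touched, stop the
        // value at the next "&" or "#", and capture a following "&" if any.
        $regex = '/([?&])' . preg_quote($pattern, '/') . '[^&#]*(&?)/';
        $url = preg_replace_callback($regex, function (array $m): string {
            // Another parameter follows: keep the original separator so the
            // next parameter inherits "?" or "&". Otherwise drop everything.
            return $m[2] === '&' ? $m[1] : '';
        }, $url);
    }
    return $url;
}

// Constructed cases: first, middle and last position, a fragment, and a
// parameter name that merely starts with a pattern.
$patterns = ['utm_source=', 'utm_medium=', 'utm_content=', 'fb=', 'xtor='];
$cases = [
    'http://example.com/a?utm_source=x'                   => 'http://example.com/a',
    'http://example.com/a?utm_source=x&id=1'              => 'http://example.com/a?id=1',
    'http://example.com/a?id=1&utm_source=x'              => 'http://example.com/a?id=1',
    'http://example.com/a?id=1&xtor=EPR-1&p=2'            => 'http://example.com/a?id=1&p=2',
    'http://example.com/a?utm_source=x&utm_medium=y&id=1' => 'http://example.com/a?id=1',
    'http://example.com/a?fb=1#section'                   => 'http://example.com/a#section',
    'http://example.com/a?fbclid=1'                       => 'http://example.com/a?fbclid=1',
];
foreach ($cases as $input => $expected) {
    $got = cleanUrl($input, $patterns);
    printf("%s %s -> %s\n", $got === $expected ? 'ok  ' : 'FAIL', $input, $got);
}
```

Because the match is anchored on the separator and the value stops at `&` or `#`, a tracking parameter is removed wherever it appears while the parameters after it keep a valid separator, and a name that only begins with a pattern (`fbclid` for `fb=`) is left alone.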
nodiscc
ad2a397c66
cleanup: refactor annoying URL patterns in a single loop
* fixes https://github.com/shaarli/Shaarli/issues/133
2015-03-04 20:11:39 +01:00
Alexis J
bc1ef5b94a
Add some filters to clean URLs
2015-03-04 20:02:04 +01:00
ArthurHoaro
34047d23fb
Lazy load images with the light lib bLazy.js instead of jQuery:
* Remove jquery.lazyload lib
* Add blazy lib
* Add a bit of CSS animation
* Delete unused picwall2 template
2015-03-01 11:23:03 +01:00
nodiscc
dbcad7406e
Prevent visitors from reading shaarli version
* fixes https://github.com/shaarli/Shaarli/issues/122
* the shaarli version is now in a php comment block, which prevents
visitors from reading it when it is placed on a PHP-enabled server, but
still allows the update mechanism to read it from the source on github.
2015-02-25 13:25:45 +01:00
ArthurHoaro
329e076879
shaarli/Shaarli#34 : Make update check optional
* Add a check box at installation (checked by default)
* Add a check box in configuration page
2015-02-20 22:49:41 +01:00
ArthurHoaro
f81139c9b2
Fixes shaarli/Shaarli#46 : allow 'javascript:' links sharing
2015-02-20 21:46:21 +01:00
nodiscc
be3f0b4ec3
bump version to 0.0.43beta
2015-02-20 19:41:53 +01:00
Florian Eula
ff69d87ed9
Only verify login state at the beginning of the request.
Moved login check into a function
2015-02-18 21:51:32 +01:00
feula
d528433d73
redirect to previous search (if any) when deleting a link
* Fixes https://github.com/shaarli/Shaarli/issues/110
2015-02-17 21:03:22 +01:00
Florian Eula
ed5b38ddd2
Feature: enable/disable permalinks for RSS
The option to see the shortlinks or permalinks has been added to the configuration panel. It is a simple checkbox
This option is disabled by default (meaning that shortlinks are the default)
Updated writeConfig() to save this option
Also fixed a slight typo in config.html.
Removed useless CSS & fixed a comment
Enabled permalinks for the ATOM feed and fixed the isPermaLink attribute for the <guid> tag
Reverted to default behavior and clarified its meaning
EnableRssPermalinks is an oddly behaving option: when enabled, it shows a
permalink in the description and a full link in the element title, and
swaps it around when disabled. This clarifies the option for end-users
Also, moved enable_rss_permalinks to $GLOBALS['config'] because it is a
config option.
fix indent
2015-02-07 03:21:30 +01:00
nodiscc
09850e6a20
Merge pull request #98 from ArthurHoaro/port
Fix port/server config problems by using php SERVER_NAME instead of HTTP_HOST
2015-01-26 14:49:56 +01:00
nodiscc
852613dece
Merge pull request #100 from virtualtam/daily-timestamp
daily: display link timestamps
2015-01-26 13:40:37 +01:00
VirtualTam
04751e0441
w3c: fix HTML syntax errors
Fixes #64
All pages:
- add `urlencode` when passing the version to a custom stylesheet;
- set meaningful values of `alt` and `title` for QR-Code images.
Install page:
- the form's `action` attribute must be non-empty;
- the `valign` attribute is deprecated.
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
2015-01-20 02:53:53 +01:00
VirtualTam
38a2d03e34
daily: display link timestamps
Fixes #26
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
2015-01-15 00:05:26 +01:00
ArthurHoaro
2f32d0746b
Fixes Port/server config problems - see: https://github.com/shaarli/Shaarli/issues/17
* Use SERVER_NAME instead of HTTP_HOST to define current URL (in serverUrl())
* Use SERVER_NAME instead of HTTP_HOST while setting up cookies
2015-01-09 11:46:25 +01:00
ArthurHoaro
fe16b01edb
* removed the language attribute on the script element since it is obsolete and we can safely omit it.
* make QRCode JS work with IE:
  * behave as a normal link if canvas isn't supported (<=IE8)
  * default parameter values in JS aren't widely supported (see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Default_parameters ), use this method instead: http://stackoverflow.com/a/148918/1484919
  * dataset isn't supported in IE9; use getAttribute instead
  * addEventListener works with IE9+ and other browsers
2015-01-09 09:47:48 +01:00
Emilien Klein
657837af11
Redirect to home page after deleting a link
Fixes issue 87
2015-01-04 15:19:14 -05:00
nodiscc
f8d83b35b6
Merge pull request #85 from nodiscc/tagcloud-scaling
improve tag cloud font size scaling
2014-12-29 03:00:25 +01:00
nodiscc
1e3b2740e5
improve tag cloud font size scaling
* use logarithmic scales
* remove bold style
2014-12-29 02:59:35 +01:00
nodiscc
3259f1a814
Merge pull request #82 from pikzen/fix-search
Made tag/title search unicode aware, fixes #75
2014-12-25 01:21:39 +01:00
Florian Eula
cae64e52e4
Refactored the daily column generation (only one loop)
2014-12-25 01:10:58 +01:00
Florian Eula
2e45fdd8ff
Made tag/title search unicode aware, fixes #75
2014-12-22 16:43:37 +01:00
nodiscc
60b83e7cf7
fix quoting error introduced in 712501812b
2014-12-16 19:52:06 +01:00
nodiscc
509762236b
prevent disclosing PHP version on PHP version check error
* fixes https://github.com/shaarli/Shaarli/issues/78
* fixes https://github.com/sebsauvage/Shaarli/issues/214
2014-12-16 19:24:37 +01:00
nodiscc
569be2e8d5
prevent disclosing full path when raising "Shaarli directory not writeable" error
* work on https://github.com/shaarli/Shaarli/issues/78
2014-12-16 19:23:36 +01:00
Emilien Klein
e5aab50ac4
Fix issue #66 by adding space before "selected"
2014-12-02 23:42:23 +01:00
Florian Eula
aedc912d36
Prevents ?do=addlink from generating a 404 if the user is not logged in
Fixes https://github.com/shaarli/Shaarli/issue/47
2014-11-21 18:31:49 +01:00
Florian Eula
732e683bda
Do not add a tag to the search if it's already being searched for
2014-11-21 18:19:37 +01:00
nodiscc
d2f517638c
make archive.org integration optional (ARCHIVE_ORG option, defaults to false)
2014-11-08 18:21:19 +01:00
nodiscc
01ec179148
index.html: add warning message about hostname/cookie storage problems
* Fixes https://github.com/sebsauvage/Shaarli/issues/196
* Fixes https://github.com/sebsauvage/Shaarli/issues/97
2014-11-03 13:21:14 +01:00
Emilien Klein
39e41053ad
Merge pull request #36 from nodiscc/https-thumbnails
thumbnails: force HTTPS for youtube, imgur, vimeo
2014-10-23 20:06:29 +02:00
nodiscc
1a663a0f2c
thumbnails: force HTTPS for youtube, imgur, vimeo
* other services also provide thumbs over HTTPS, but the rewrite expression is more complex, so left out for now
2014-10-23 18:00:21 +02:00
nodiscc
1099d8fcad
Make ATOM toolbar button optional
* ATOM button display is now configurable using the SHOW_ATOM variable in index.php or data/options.php (defaults to false)
* Fixes https://github.com/shaarli/Shaarli/issues/24
2014-10-23 17:47:30 +02:00
nodiscc
b11bc5b6f9
update check: check against last version available on github.com/shaarli/Shaarli
* fixes https://github.com/shaarli/Shaarli/issues/5
2014-10-21 18:11:16 +02:00
nodiscc
27646ca5b4
add link: in case of empty URL (self-post), prepend "Note: " to the title
* Thanks to qwertygc (https://github.com/shaarli/Shaarli/pull/23 )
* Fix small typo
2014-10-21 16:18:25 +02:00
VirtualTam
2f2aa06b95
fix: add missing slash when defining RainTPL's temp dir
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
2014-10-19 00:57:41 +02:00
nodiscc
e0cbb07872
Merge pull request #19 from nodiscc/master
bookmarklet: use selected text as description when adding a new link
2014-08-19 21:52:36 +02:00
Sbgodin
abc98ab39d
Merge pull request #20 from nodiscc/fix-typos
Fix grammar, punctuation, spelling, trailing whitespaces and newlines; Fix typo in css
2014-08-19 21:33:53 +02:00
nodiscc
ad6c27b7b8
Fix grammar, punctuation, spelling, trailing whitespaces and newlines; Fix typo in css
Based on respencer's work at https://github.com/respencer/Shaarli/
Closes https://github.com/sebsauvage/Shaarli/pull/103
2014-08-19 18:01:15 +02:00
nodiscc
a1795ddcf3
bookmarklet: use selected text as description when adding a new link
* Based on romnGit's work at https://github.com/sebsauvage/Shaarli/pull/104
* Fixes https://github.com/shaarli/Shaarli/issues/18
* Closes https://github.com/sebsauvage/Shaarli/pull/104
* Fixes https://github.com/sebsauvage/Shaarli/issues/53
* Fixes https://github.com/sebsauvage/Shaarli/issues/129
* Fixes https://github.com/sebsauvage/Shaarli/issues/33
2014-08-11 00:13:29 +02:00
Christophe HENRY
3bb684f59f
Removes htaccess file creation and adds them in the repository
I also removed the previously created placeholders, which, after all, have no more utility.
2014-08-04 00:42:49 +02:00
Christophe HENRY
e7416aba2c
Adds empty directories: cache, data, pagecache and tmp. Removes mkdirs.
They are still in .gitignore because their future content will still be ignored.
2014-08-04 00:41:55 +02:00
Christophe HENRY
c614a35db8
Removed redundant check on RAINTPL_TMP directory
The same test is already on line 93
2014-07-31 23:31:58 +02:00
Christophe HENRY
25f5c59db6
Adds configuration variables, TPL and TMP, for RainTPL
The paths for templates and temporary files are now part of the configuration.
For a custom install, it's possible to put these writable directories elsewhere than in the read-only source code.
2014-07-31 23:31:58 +02:00
Christophe HENRY
ebb2880dfc
Adds a configuration variable "titleLink" which allows customizing the link on the title.
2014-07-27 23:32:41 +02:00
Emilien Klein
4ade7393a3
Release version 0.0.42 beta
2014-07-27 22:57:30 +02:00
Christophe HENRY
ae00595b1c
A real "Stay signed in": keep the connection
Instead of trusting the php session, it uses a cookie. The php session
sooner or later is destroyed if not used. It depends upon the server
settings. Using a cookie ensures that one really stays signed in.
Dev notes: I wanted to avoid merge conflicts, stay with the main
developer's standards and keep the "index.php" in one file. That's why
the code may not be that nice. My own dev level may also explain.
2013-12-05 22:26:04 +01:00
Sébastien SAUVAGE
ab0638edb0
Merge pull request #145 from Alkarex/patch-1
smallHash: simplified and improved performance
2013-11-29 13:01:08 -08:00
Sebastien SAUVAGE
53da201749
XSS flaw correction
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
2013-11-29 21:53:20 +01:00
Alexandre Alapetite
c002ca9c6b
smallHash: simplified and improved performance
Unchanged behaviour
2013-11-10 22:50:34 +01:00
Sebastien SAUVAGE
7b2186a63e
Corrected field focus in bookmarklet
Focus was not properly given to description field when it's empty.
2013-09-27 17:08:31 +02:00
Sébastien SAUVAGE
58a8f4cab4
Default example private link changed
Default example private link changed from pastebin to ZeroBin.
2013-09-25 10:41:31 +02:00
Sebastien SAUVAGE
c677013b93
Added nb=all to get all links in RSS/ATOM feed.
2013-09-24 22:39:40 +02:00
Sébastien SAUVAGE
eea58b3d5a
Merge pull request #87 from LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368
Added a json_encode implementation for PHP < 5.2 (free.fr)
2013-09-24 02:20:06 -07:00
Sébastien SAUVAGE
3fac0a5257
Added tags+private in shaarli URL
Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
2013-09-24 11:17:22 +02:00
Sébastien SAUVAGE
85c0205876
Merge pull request #112 from BoboTiG/master
RSS/Atom: add a parameter to print only the N last links
2013-09-24 02:10:18 -07:00
Sébastien SAUVAGE
0b88c6022d
Merge pull request #118 from Alkarex/patch-1
Corrected error message for lack of write access in ./data
2013-09-24 02:07:21 -07:00
Sébastien SAUVAGE
c4bbb01064
Merge pull request #125 from broncowdd/master
Added the possibility to put a description in the bookmarklet's URL
2013-09-24 02:03:26 -07:00
Sébastien SAUVAGE
fdc3c114d1
Merge pull request #126 from Alkarex/Milliseconds
Import: add compatibility for milliseconds in NETSCAPE-Bookmark
2013-09-24 02:02:33 -07:00
Alexandre Alapetite
fc93ae1d1a
Import NETSCAPE-Bookmark compatible milliseconds
NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of
seconds.
For instance, this is the case of the files generated for Google +1s by
Google Takeout.
This patch makes these files compatible.
2013-09-21 18:15:41 +02:00
Bronco
3057373a25
Added the possibility to put a description in the bookmarklet's URL
2013-09-16 10:32:02 +02:00
lehollandaisvolant
03545ef691
Add a UA when fetching an external page (some sites want a UA)
2013-09-03 15:55:13 +02:00
Alexandre Alapetite
ff63b7d111
Corrected error message for lack of write access in ./data
2013-08-23 17:02:15 +02:00
Sebastien SAUVAGE
002ef0e5c8
Better encoding handling in title parsing
Thanks to a patch from Le Hollandais Volant.
2013-08-03 22:10:04 +02:00
Sebastien SAUVAGE
f6a6ca0aec
SERVER_NAME changed to HTTP_HOST
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name ).
This should cause fewer problems on most hosts.
2013-08-03 22:00:09 +02:00
BoboTiG
fbd9e52716
RSS/Atom: add a parameter to print only the N last links
2013-07-26 08:57:19 +02:00
Lionel Martin
3385af123f
Added json_encode implementation for php<5.2
2013-05-20 19:00:28 +02:00
Sébastien SAUVAGE
87e3d65023
Merge pull request #42 from matchab/master
Default timezone
2013-03-11 01:59:48 -07:00
David Sferruzza
a908244cc4
Fix bug producing invalid HTML
2013-03-10 19:03:34 +01:00
Mathieu Chabanon
cb49ab945f
Avoid a strict standards error when php.ini does not define the default timezone.
2013-03-10 14:06:12 +01:00
Sébastien SAUVAGE
310f3ca007
Version 0.0.41 beta
2013-03-08 10:14:31 +01:00
Sebastien SAUVAGE
75e199d606
Correction for login problem with webkit browsers on sub-domain hosted Shaarli.
2013-03-06 23:31:18 +01:00
Sebastien SAUVAGE
979d6334e7
Added second check to write rights.
(Because on some hosts is_writable() is not reliable.)
2013-03-04 21:26:06 +01:00
Sebastien SAUVAGE
f2cb5f95a9
Check that Shaarli has the right to write in its own directory.
Because some users forget to check this at installation.
2013-03-04 21:14:07 +01:00
Sebastien SAUVAGE
8a80e4fe07
Got rid of small display bugs before installation.
2013-03-04 21:02:24 +01:00
bb8f712db6
[add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default.
2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE
dd064cc315
Added https to list of authorized protocols.
2013-03-03 22:49:10 +01:00
Sebastien SAUVAGE
feebc6d466
Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_
Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)
Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards
Persistent XSS :
- During the installation or configuration modification, the title field
is vulnerable. e.g. <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works
- The url field of a link is vulnerable :
When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link
Or with a classic XSS : "><script>alert(1)</script>
Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer
e.g.
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com
History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00
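The checks that close the three findings in this report, as an added example that is not Shaarli's own code. It also follows the "escape once in index.php, before the template" approach of the 2015 "Working on shaarli/Shaarli#224" commit near the top of this log, so one block serves both. `escape()`, `hasAllowedScheme()`, `safeRedirectTarget()`, the scheme allow-list and the replayed payloads are assumptions and constructed input, not the project's code.

```php
<?php
// Added example, not Shaarli's own code. It implements the three checks the
// report above calls for, following the "escape once, before the template"
// approach of the 2015 escaping commit near the top of this log. Function
// names and the scheme allow-list are assumptions made for this example.

/** Escape user data once, right before it reaches a template. */
function escape(string $s): string
{
    // ENT_QUOTES also converts single quotes, so the value is inert inside
    // an attribute delimited by either quote character.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Allow-list of schemes for shared links; javascript: is deliberately absent. */
function hasAllowedScheme(string $url): bool
{
    $allowed = ['http', 'https', 'ftp', 'magnet'];
    // The scheme must start at the first byte, so leading whitespace or
    // control characters (which browsers tolerate) make the check fail.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

/**
 * Choose where to send the user after an action: the Referer if it is on our
 * own host, otherwise $fallback. $ownHost is the hostname the application
 * trusts; it must not be taken from the client-supplied Host header.
 */
function safeRedirectTarget(?string $referer, string $ownHost, string $fallback = '?'): string
{
    if ($referer === null || $referer === '' || preg_match('/[\x00-\x1f\x7f]/', $referer)) {
        return $fallback; // absent, or carrying header-injection characters
    }
    $p = parse_url($referer);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return $fallback; // relative, protocol-relative ("//evil") or unparsable
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (strtolower($p['host']) !== strtolower($ownHost)) {
        return $fallback; // the report's "Referer: https://duckduckgo.com" lands here
    }
    return $referer;
}

// The report's payloads replayed against the checks (constructed input).
$checks = [
    ['title escaped',       escape('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;'],
    ['javascript: refused', hasAllowedScheme('javascript:alert(1)') === false],
    ['broken-out refused',  hasAllowedScheme('"><script>alert(1)</script>') === false],
    ['https accepted',      hasAllowedScheme('https://example.com/') === true],
    ['foreign Referer',     safeRedirectTarget('https://duckduckgo.com', '127.0.0.1') === '?'],
    ['own-host Referer',    safeRedirectTarget('http://127.0.0.1/?searchtags=x', '127.0.0.1') === 'http://127.0.0.1/?searchtags=x'],
];
foreach ($checks as [$name, $ok]) {
    printf("%s %s\n", $ok ? 'ok  ' : 'FAIL', $name);
}
```

`$ownHost` should come from configuration, or from `SERVER_NAME` on a server with a canonical name configured; `HTTP_HOST` is copied from the client's Host header, which is why the commits in this log that switch between the two matter for this check. Once the target is chosen, send it with `header('Location: ' . $target)` and exit. Escaping at output also neutralises the `var_export()`-written title from the report, whatever quoting trick was used to get it into the config file.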
Sebastien SAUVAGE
705f8355a9
Proper redirect in popup when login fails.
This corrects issue https://github.com/sebsauvage/Shaarli/issues/10
2013-03-02 14:07:00 +01:00
Sebastien SAUVAGE
858c5c2b43
Added option to disable jQuery and heavy javascript
Shaarli uses light Javascript in its normal operation, and some jQuery
for some features (autocomplete in tags, QR-Code popup...).
jQuery can be slow on small computers. An option has been added in the
configuration screen to disable javascript features which are hard on
the CPU.
(Note that the Picture Wall is awfully heavy *without* jQuery.)
(Side note: A *LOT* of users want Shaarli to work without javascript at
all, if possible. That's why I try to use as little javascript as possible:
It keeps Shaarli pages fast.)
2013-03-01 22:21:10 +01:00
Sebastien SAUVAGE
58046a19ae
URL source in cached RSS feeds.
2013-03-01 17:43:20 +01:00
Sebastien SAUVAGE
dd62b9ba2a
Sort tags
2013-03-01 17:09:52 +01:00
Sebastien SAUVAGE
925f6108ba
Corrected: "Nothing found" when logging out when only private links were displayed.
This closes the issues https://github.com/sebsauvage/Shaarli/issues/25
2013-03-01 16:57:34 +01:00
Sébastien SAUVAGE
3e0ef647a3
RSS patch for Thunderbird (and some RSS clients).
In the RSS specifications, the "link" tag contains the URL to follow,
and the "guid" contains a unique identifier (which may or may not be a
URL).
RSS clients should always use "link" to follow the link (and most do),
but Thunderbird uses the "guid" if it finds a valid URL inside (and only
falls back to "link" if "guid" is not a URL).
I have patched the RSS feed so that Thunderbird ignores the URL in guid.
2013-02-28 14:48:11 +01:00
Sébastien SAUVAGE
f37664a2b8
Check that sessions work before installation.
This is necessary because some hosts do not have a properly set
session.save_path parameter in php config, or do not have write access
to the directory.
2013-02-28 10:37:43 +01:00
Sébastien SAUVAGE
a1f5a6ec17
Improved token security
...by adding salt. These tokens are used in forms which act on data to
prevent CSRF attacks.
This closes issue https://github.com/sebsauvage/Shaarli/issues/24
2013-02-28 09:19:00 +01:00
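A salted, one-time CSRF token scheme of the kind this commit describes, as an added example that is not Shaarli's own code; `getToken()`, `tokenOk()`, the HMAC construction and the stand-in session array are assumptions made for the illustration.

```php
<?php
// Added example, not Shaarli's own code: salted, one-time CSRF tokens. The
// salt is assumed to be a random secret created at install time and kept in
// the server-side configuration; mixing it into every token means a weak RNG
// alone cannot yield a guessable value, and tokens stay bound to the session
// that issued them. Function names are assumptions made for this example.

/** Issue a fresh token for one form and remember it in the session. */
function getToken(string $salt): string
{
    $nonce = bin2hex(random_bytes(16));           // 128 bits from the CSPRNG (PHP 7+)
    $token = hash_hmac('sha256', $nonce, $salt);  // bind the nonce to the secret salt
    $_SESSION['tokens'][$token] = 1;
    return $token;
}

/** Accept a submitted token once, then forget it, so a captured token cannot be replayed. */
function tokenOk(?string $token): bool
{
    if ($token === null || empty($_SESSION['tokens'])) {
        return false;
    }
    foreach (array_keys($_SESSION['tokens']) as $issued) {
        $issued = (string) $issued;
        if (hash_equals($issued, $token)) {       // constant-time comparison
            unset($_SESSION['tokens'][$issued]);
            return true;
        }
    }
    return false;
}

// Demonstration. A real page calls session_start() before any output; here a
// plain array stands in for the session so the script runs from the CLI, and
// a random value stands in for the configured salt.
$_SESSION = [];
$salt = bin2hex(random_bytes(16));

$t = getToken($salt);
// Form side:    echo '<input type="hidden" name="token" value="' . htmlspecialchars($t, ENT_QUOTES, 'UTF-8') . '">';
// Handler side: if (!tokenOk($_POST['token'] ?? null)) { http_response_code(403); die('Wrong token.'); }

$checks = [
    ['genuine token accepted once',      tokenOk($t) === true],
    ['replay of the same token refused', tokenOk($t) === false],
    ['forged token refused',             tokenOk(str_repeat('0', 64)) === false],
];
foreach ($checks as [$name, $ok]) {
    printf("%s %s\n", $ok ? 'ok  ' : 'FAIL', $name);
}
```

Every state-changing form embeds a token and every handler checks it before acting. The salt must never be written anywhere a client can read it, and because issued tokens live in the session, a token captured from one user's page is useless in another session.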
Sebastien SAUVAGE
9e8209064d
Corrected thumbnail creation.
Because some systems do not allow file overwriting when doing a
rename().
2013-02-27 21:24:41 +01:00
Sébastien SAUVAGE
b342b2a4c7
After clicking save/cancel on a link, scroll to the link itself.
2013-02-27 18:24:07 +01:00
Sébastien SAUVAGE
9e975d86e4
Remove script name from URL if it's index.php
(for better looking URLs, eg. http://mysite.com/shaarli/?abcde instead
of http://mysite.com/shaarli/index.php?abcde )
2013-02-27 16:52:32 +01:00
Sébastien SAUVAGE
2abd39052d
Link in description & option to invert link/permalink.
Patch for issue https://github.com/sebsauvage/Shaarli/issues/19
Now:
* The (perma)link is added at the bottom of description.
* If "permalinks" is added in URL parameters, link/permalinks will be
swapped.
eg.
* Normal link in title + permalink in description:
http://mysite.com/shaarli/?do=rss
* Permalink in title + normal link in description :
http://mysite.com/shaarli/?do=rss&permalinks
It works for the ATOM feed too.
(Happy ? :-D )
2013-02-27 16:39:16 +01:00
Sébastien SAUVAGE
30b0672d04
Support for magnet links in description.
2013-02-27 15:49:32 +01:00
Sébastien SAUVAGE
64bf914aea
Corrected bug in cache purge.
2013-02-26 16:03:47 +01:00
Sébastien SAUVAGE
543e0c7b56
Typo correction.
2013-02-26 15:01:15 +01:00
Sébastien SAUVAGE
2d9fab88be
Login problem correction
This corrects the session problem with some browsers when Shaarli is
hosted on a sub-domain. Please tell me if this corrects login problems
if you had one.
2013-02-26 14:47:47 +01:00
Sébastien SAUVAGE
450342737c
Initial commit (version 0.0.40 beta)
2013-02-26 10:09:41 +01:00