Commit graph

62 commits

Author SHA1 Message Date
Sebastien SAUVAGE
246e9b4e37 Removed jQuery from almost all pages
jQuery has been removed from all pages, except those who really require
it (like autocomplete in link edition).
Immediate gain: All pages weight 286 kb LESS !   \o/
Highlighting in search results has also been temporarly removed (and
will be re-implemented).
2013-09-25 21:27:50 +02:00
Sébastien SAUVAGE
af77b2fd9a New QR-Code generation code
* QR-Code generation now uses a client-side javascript library instead of an external service. This is better for user privacy.
* Library used is http://neocotic.com/qr.js/ (11 kb).
* jQuery is no longer used to display QR-Code (this is a first step in removing jQuery entirely).
* This library is loaded *only* if the QR-Code icon is clicked.
* If javascript is disabled, it will fallback to the external service.
* External service was changed from "invx.com" to "qrfree.kaywa.com" because invx has become bloated.

By loading the javascript library *only* if the icon is clicked, it will prevent the 11 kb lib to be loaded in every page.
2013-09-25 15:17:09 +02:00
Sébastien SAUVAGE
99954e1290 Merge pull request #43 from dsferruzza/highlight-search-results
Highlight search results
2013-03-11 02:11:47 -07:00
David Sferruzza
f2acdfd14e Move lazyload init inside the body tag 2013-03-10 19:04:48 +01:00
David Sferruzza
9da4953190 Avoid highlighting paging stuff 2013-03-10 18:26:16 +01:00
David Sferruzza
1b647ff409 Highlight search results (issue #4)
Uses http://bartaz.github.com/sandbox.js/jquery.highlight.html
2013-03-10 18:24:05 +01:00
bb8f712db6 [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. 2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE
feebc6d466 Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00
Sebastien SAUVAGE
858c5c2b43 Added option to disable jQuery and heavy javascript
Shaarli uses light Javascript in its normal operation, and some jQuery
for some features (autocomplete in tags, QR-Code popup...).
jQuery can be slow on small computers. An option has been added in
configuration screen to disable javascript features which are hard on
CPU.
(Note that the Picture Wall is awfully heavy *without* jQuery.)

(Side note: A *LOT* of users want Shaarli to work without javasript at
all, if possible. That's why I try to use as few javascript as possible:
It keeps Shaarli pages fast.)
2013-03-01 22:21:10 +01:00
Sébastien SAUVAGE
b342b2a4c7 After clicking save/cancel on a link, scroll to the link itself. 2013-02-27 18:24:07 +01:00
Sébastien SAUVAGE
b2877611c3 Edit/delete button on the left-side of links.
https://github.com/sebsauvage/Shaarli/issues/5
2013-02-27 17:46:45 +01:00
Sébastien SAUVAGE
450342737c Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00