* REST API routes are handle by Slim.
* Every API controller go through ApiMiddleware which handles security.
* First service implemented `/info`, for tests purpose.
- buttons_toolbar: now expect links represented by an array instead of HTML content
- fields_toolbar: now expect a form represented by an array instead of HTML content
- action_plugin: now expect links represented by an array instead of HTML content
Default templates updated accordingly
mprove theme dependent plugin placeholders:
Relates to #607
Relates to #608
Relates to #493 (abandoned)
Additions:
- use Composer's autoload to load 3rd-party dependencies under vendor/
Modifications:
- [import] replace the current parser with a generic, stable parser
- move code to application/NetscapeBookmarkUtils
- improve status report after parsing
- [router] use the same endpoint for both bookmark upload and import dialog
- [template] update bookmark import options
- allow adding tags to all imported links
- allow selecting the visibility (privacy) of imported links
- [tests] ensure bookmarks are properly parsed and imported in the LinkDB
- reuse reference input from the parser's test data
See:
- https://github.com/shaarli/netscape-bookmark-parser
- https://getcomposer.org/doc/01-basic-usage.md#autoloading
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Relates to #102
Additions:
- application:
- export: allow prepending note permalinks with the instance's URL
- test coverage
Modifications:
- export template: switch to an HTML form
- link selection (all/private/public)
- prepend note permalinks with the instance's URL
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Improvements:
* Add searchtags in categories domain URL.
* Language is now based on the locale.
* Add a generator tag.
* self link is always displayed.
Additions:
- [makefile] check versioned files are not executable
- [travis] call the new make target
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
* introduce class LinkFilter to handle link filter operation (and lighten LinkDB).
* handle 'private only' in filtering.
* update template to prefill search fields with current search terms.
* coding style.
* unit test (mostly move from LinkDB to LinkFilter).
PS: preparation for #358#315 and 'AND' search.
Fixes#328 - URL encode links when a redirector is set
* WARNING - template edit - new variable available : "real_url"
Contains the final real url (redirected or any other change on original URL)
* Don't redirect shaares link in RSS/Atom.
* Affects links shaared in description.
* Move text2clickable and keepMultipleSpaces to Utils.php + unit test
UPDATE:
* keepMultipleSpaces renamed to space2nbsp
* space2nbsp improved to handle single space at line beginning
* links in text description aren't 'nofollow' anymore
I reviewed character escaping everywhere with the following ideas:
* use a single common function to escape user data: `escape` using `htmlspecialchars`.
* sanitize fields in `index.php` after reading them from datastore and before sending them to templates.
It means no escaping function in Twig templates.
2 reasons:
* it reduces risks of security issue for future user made templates
* more readable templates
* sanitize user configuration fields after loading them.
It only concerns the date of the day in the main title.
Fixes#182
Note that daily RSS feed is not generated through templates. Date are still hard formatted in that case.
* sync current wiki (https://github.com/shaarli/Shaarli/wiki) to the doc/ directory
* fix missing logo in README
* add link to local documentation in the page footer
* add Makefile targets for doc generation by @virtualtam
* Add awesomplete dependancy (source + min + CSS)
* Remove jQuery and jQuery-UI dependancy
* Few CSS ajustements
* Use tags complete list as RainTPL var (and display it as HTML)
* Remove "disable jQuery" feature
* Remove tag list web service
* add idleman for original CSS
* add yahoo inc. for CSS reset
* split the main css code and the yahoo reset CSS in 2 files
* add copyright information for RainTPL, add LGPL license
The option to see the shortlinks or permalinks has been added to the configuration panel. It is a simple checkbox
This option is disabled by default (meaning that shortlinks are the default)
Updated writeConfig() to save this option
Also fixed a slight typo in config.html.
Removed useless CSS & fixed a comment
Enabled permalinks for the ATOM feed and fixed the isPermaLink attribute for the <guid> tag
Reverted to default behavior and clarified its meaning
EnableRssPermalinks is an oddly behaving option: when enabled, it shows a
permalink in the description and a full link in the element title, and
swaps it around when disabled. This clarifies the option for end-users
Also, moved enable_rss_permalinks to $GLOBALS['config'] because it is a
config option.
fix indent
Fixes#64
All pages:
- add `urlencode` when passing the version to a custom stylesheet;
- set meaningful values of `alt` and `title` for QR-Code images.
Install page:
- the form's `action` attribute must be non-empty;
- the `valign` attribute is deprecated.
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
* fix duplicate IDs - #paging_older, #paging_newer become classes as the paging is displayed twice (top, bottom) in the linklist
* fix duplicate IDs - #paging_privatelinks and #paging_linksperpage become classes
* daily links are now valid (use &)
* name attribute is not used anymore on a tag in link list
* center tag is replaced by CSS in picwall and tag cloud
* action in form tag can't be empty, use # instead
* fixed configure table with CSS instead of cellpadding, border, and valign
* export links are now valid
* remove "size" in input tag
* Fix missing alt attributes for img elements
* tpl/daily: Use HTML entities instead of char escape codes
* tpl/export: fix missing </span> closing tag
* Remove obsolete language attribute on <script> elements
Fixesshaarli/Shaarli#29
Style elements refactored as follows:
- use existing ids and classes if possible,
- else, define new ones and stick with the existing naming convention,
- remove hardcoded style attributes from RainTPL templates.
Exception:
In tpl/tagcloud.html, the display size of each tag is computed at page
generation.
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
* ATOM button display is now configurable using the SHOW_ATOM variable in index.php or data/options.php (defaults to false)
* Fixes https://github.com/shaarli/Shaarli/issues/24
jQuery has been removed from all pages, except those who really require
it (like autocomplete in link edition).
Immediate gain: All pages weight 286 kb LESS ! \o/
Highlighting in search results has also been temporarly removed (and
will be re-implemented).
* QR-Code generation now uses a client-side javascript library instead of an external service. This is better for user privacy.
* Library used is http://neocotic.com/qr.js/ (11 kb).
* jQuery is no longer used to display QR-Code (this is a first step in removing jQuery entirely).
* This library is loaded *only* if the QR-Code icon is clicked.
* If javascript is disabled, it will fallback to the external service.
* External service was changed from "invx.com" to "qrfree.kaywa.com" because invx has become bloated.
By loading the javascript library *only* if the icon is clicked, it will prevent the 11 kb lib to be loaded in every page.
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_
Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)
Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards
Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works
- The url field of a link is vulnerable :
When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link
Or with a classic XSS : "><script>alert(1)</script>
Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer
e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com
History :
March 2, 2013
- Vendor contacted
Shaarli uses light Javascript in its normal operation, and some jQuery
for some features (autocomplete in tags, QR-Code popup...).
jQuery can be slow on small computers. An option has been added in
configuration screen to disable javascript features which are hard on
CPU.
(Note that the Picture Wall is awfully heavy *without* jQuery.)
(Side note: A *LOT* of users want Shaarli to work without javasript at
all, if possible. That's why I try to use as few javascript as possible:
It keeps Shaarli pages fast.)