Commit graph

120 commits

Author SHA1 Message Date
Sébastien SAUVAGE
067e66acfe Corrected overlapping tags 2013-12-04 13:55:42 +01:00
Sébastien SAUVAGE
ab0638edb0 Merge pull request #145 from Alkarex/patch-1
smallHash: simplified and improved performance
2013-11-29 13:01:08 -08:00
Sebastien SAUVAGE
53da201749 XSS flaw correction
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
2013-11-29 21:53:20 +01:00
Alexandre Alapetite
c002ca9c6b smallHash: simplified and improved performance
Unchanged behaviour
2013-11-10 22:50:34 +01:00
TsT
ae22a12b8a uniform if syntax 2013-10-23 23:21:36 +02:00
Sebastien SAUVAGE
7b2186a63e Corrected field focus in bookmarklet
Focus was not properly given to description field when it's empty.
2013-09-27 17:08:31 +02:00
Sébastien SAUVAGE
2d20481e45 Update README.md 2013-09-26 15:17:43 +02:00
Sebastien SAUVAGE
246e9b4e37 Removed jQuery from almost all pages
jQuery has been removed from all pages, except those who really require
it (like autocomplete in link edition).
Immediate gain: All pages weight 286 kb LESS !   \o/
Highlighting in search results has also been temporarly removed (and
will be re-implemented).
2013-09-25 21:27:50 +02:00
Sébastien SAUVAGE
af77b2fd9a New QR-Code generation code
* QR-Code generation now uses a client-side javascript library instead of an external service. This is better for user privacy.
* Library used is http://neocotic.com/qr.js/ (11 kb).
* jQuery is no longer used to display QR-Code (this is a first step in removing jQuery entirely).
* This library is loaded *only* if the QR-Code icon is clicked.
* If javascript is disabled, it will fallback to the external service.
* External service was changed from "invx.com" to "qrfree.kaywa.com" because invx has become bloated.

By loading the javascript library *only* if the icon is clicked, it will prevent the 11 kb lib to be loaded in every page.
2013-09-25 15:17:09 +02:00
Sébastien SAUVAGE
26c9556894 Changed QR-Code CSS (selector and attributes) 2013-09-25 14:58:47 +02:00
Sébastien SAUVAGE
83cff11de5 Added javascript QR-Code library 2013-09-25 14:57:27 +02:00
Sébastien SAUVAGE
58a8f4cab4 Default example private link changed
Default example private link changed from pastebin to ZeroBin.
2013-09-25 10:41:31 +02:00
Sebastien SAUVAGE
c677013b93 Added nb=all to get all links in RSS/ATOM feed. 2013-09-24 22:39:40 +02:00
Sébastien SAUVAGE
eea58b3d5a Merge pull request #87 from LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368
Added a json_encode implementation for PHP < 5.2 (free.fr)
2013-09-24 02:20:06 -07:00
Sébastien SAUVAGE
3fac0a5257 Added tags+private in shaarli URL
Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
2013-09-24 11:17:22 +02:00
Sébastien SAUVAGE
85c0205876 Merge pull request #112 from BoboTiG/master
RSS/Atom: add a parameter to print only the N last links
2013-09-24 02:10:18 -07:00
Sébastien SAUVAGE
0b88c6022d Merge pull request #118 from Alkarex/patch-1
Corrected error message for lack of write access in ./data
2013-09-24 02:07:21 -07:00
Sébastien SAUVAGE
371a6fc2d2 Merge pull request #119 from Alkarex/master
Smaller logo file
2013-09-24 02:06:41 -07:00
Sébastien SAUVAGE
c4bbb01064 Merge pull request #125 from broncowdd/master
Added the possibility to put a description in the bookmarklet's URL
2013-09-24 02:03:26 -07:00
Sébastien SAUVAGE
fdc3c114d1 Merge pull request #126 from Alkarex/Milliseconds
Import: add compatibility for milliseconds in NETSCAPE-Bookmark
2013-09-24 02:02:33 -07:00
Sébastien SAUVAGE
5d48d5d06e Merge pull request #122 from lehollandaisvolant/master
Ajout d’un UA lors de la récupération d’une page externe
2013-09-24 02:01:13 -07:00
Alexandre Alapetite
fc93ae1d1a Import NETSCAPE-Bookmark compatible milliseconds
NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of
seconds.
For instance, this is the case of the files gererated for Google +1s by
Google Takeout.
This patch make these files compatible.
2013-09-21 18:15:41 +02:00
Bronco
3057373a25 Added the possibility to put a description in the bookmarklet's URL 2013-09-16 10:32:02 +02:00
lehollandaisvolant
03545ef691 Ajout d’un UA lors de la récupération d’une page externe (certains site veulent un UA) 2013-09-03 15:55:13 +02:00
Alexandre Alapetite
f0075b1743 Smaller logo file
Better PNG compression of logo file, as produced by Page Speed.
2013-08-23 17:37:59 +02:00
Alexandre Alapetite
ff63b7d111 Corrected error message for lack of write access in ./data 2013-08-23 17:02:15 +02:00
Sebastien SAUVAGE
002ef0e5c8 Better encoding handling in title parsing
Thanks to a patch from Le Hollandais Volant.
2013-08-03 22:10:04 +02:00
Sebastien SAUVAGE
f6a6ca0aec SERVER_NAME changed to HTTP_HOST
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name).
This should cause less problem on most hosts.
2013-08-03 22:00:09 +02:00
BoboTiG
fbd9e52716 RSS/Atom: add a parameter to print only the N last links 2013-07-26 08:57:19 +02:00
Lionel Martin
3385af123f Added json_encode implementation for php<5.2 2013-05-20 19:00:28 +02:00
Sébastien SAUVAGE
99954e1290 Merge pull request #43 from dsferruzza/highlight-search-results
Highlight search results
2013-03-11 02:11:47 -07:00
Sébastien SAUVAGE
87e3d65023 Merge pull request #42 from matchab/master
Timezone par défaut
2013-03-11 01:59:48 -07:00
Sébastien SAUVAGE
2d21a179b0 Merge pull request #45 from dsferruzza/fix-picwall-bug
Fix picwall bugs
2013-03-11 01:49:50 -07:00
David Sferruzza
f2acdfd14e Move lazyload init inside the body tag 2013-03-10 19:04:48 +01:00
David Sferruzza
a908244cc4 Fix bug producing invalid HTML 2013-03-10 19:03:34 +01:00
David Sferruzza
9da4953190 Avoid highlighting paging stuff 2013-03-10 18:26:16 +01:00
David Sferruzza
1b647ff409 Highlight search results (issue #4)
Uses http://bartaz.github.com/sandbox.js/jquery.highlight.html
2013-03-10 18:24:05 +01:00
Mathieu Chabanon
6e330f2225 Ingore Eclipse project files 2013-03-10 14:16:29 +01:00
Mathieu Chabanon
cb49ab945f Avoid a strict standard error when php.ini do not define the default
timezone.
2013-03-10 14:06:12 +01:00
Sébastien SAUVAGE
310f3ca007 Version 0.0.41 beta 2013-03-08 10:14:31 +01:00
Sébastien SAUVAGE
41a30d9b2d Merge pull request #37 from sebsauvage/CookieDomain
Correction for login problem with webkit browsers on sub-domain hosted Shaarli.
2013-03-08 01:01:40 -08:00
Sebastien SAUVAGE
75e199d606 Correction for login problem with webkit browsers on sub-domain hosted Shaarli. 2013-03-06 23:31:18 +01:00
Sebastien SAUVAGE
979d6334e7 Added second check to write rights.
(Because on some hosts is_writable() is not reliable.)
2013-03-04 21:26:06 +01:00
Sebastien SAUVAGE
f2cb5f95a9 Check that Shaarli has the right to write in its own directory.
Because some user forget to check this at installation.
2013-03-04 21:14:07 +01:00
Sebastien SAUVAGE
8a80e4fe07 Got rid of small display bugs before installation. 2013-03-04 21:02:24 +01:00
Sébastien SAUVAGE
22701e2d0b Merge pull request #30 from Knah-Tsaeb/master
Merged "Private by default" feature (when creating a new link).
2013-03-04 11:49:33 -08:00
bb8f712db6 [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. 2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE
dd064cc315 Added https to list of authorized protocols. 2013-03-03 22:49:10 +01:00
Sebastien SAUVAGE
feebc6d466 Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00
Sebastien SAUVAGE
705f8355a9 Proper redirect in popup when login fails.
This corrects issue https://github.com/sebsauvage/Shaarli/issues/10
2013-03-02 14:07:00 +01:00