* SimplePie strip iframe allow attribute
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow
Besides security, the `allow autoplay` atttribute is especially problematic on mobile (Firefox on Android) as it asks to open the YouTube app as soon as the article is opened.
Example of code before:
```html
<iframe data-original="https://www.youtube.com/embed/??????feature=oembed" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" sandbox="allow-scripts allow-same-origin"></iframe>
```
* Replace allow attribute
* Allow more
* HTTP Get allow UTF-8 even when charset is far from top
fix https://github.com/FreshRSS/FreshRSS/issues/5586
The case was an HTML document with 15k whitespace then 1.2k of scripts before the `<meta charset="utf-8">` (far from the 1024 bytes suggested by the spec..., and too far for DOMDocument)
* Rewording
* Trim also vertical tab + comment
* allow POST requests for feeds
* added json dotpath and jsonfeed subscriptions. No translation strings yet
* debug and fix jsonfeed parser
* bugfix params saved when editing feed
* added translations for JSON features
* Update docs for web scraping
* make fix-all
and revert unrelated changes, plus a few manual fixes, but there are still several type errors
* Fix some i18n
* refactor json parsing for both feed types
* cleanup unnecessary comment
* refactored generation of SimplePie for XPath and JSON feeds
* Fix merge error
* Update to newer FreshRSS code
* A bit of refactoring
* doc, whitespace
* JSON Feed is in two words
* Add support for array syntax
* Whitespace
* Add OPML export/import
* Work on i18n
* Accept application/feed+json
* Rework POST
* Fix update
* OPML for cURL options
* Fix types
* Fix Typos
---------
Co-authored-by: Erion Elmasllari <elmasllari@factorsixty.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Pass PHPStan level 8
And prepare for PHPStan level 9 https://phpstan.org/user-guide/rule-levels
* Revert wrong replace in comment
* Fix PHPStan level 8
* Update PHPStan and other dev dependencies
* Remove obsolete comment
* noVariableVariables and towards bleedingEdge
https://github.com/phpstan/phpstan-strict-ruleshttps://phpstan.org/blog/what-is-bleeding-edge
* More bleedingEdge
* A bit more PHPStan level 9
* More PHPStan level 9
* Prepare for booleansInConditions
Ignore int and null
* Revert wrong line
* More fixes
* Fix keep_max_n_unread
* Stricter attribute functions
* Stricter callHooks and more PHPStan level 9
* More typing
* A tiny more
* Little's optimisations and booleans in conditions
* Apply strict type
* Apply strict type
* Apply strict type
* Fix multiple bugs with PHP 8.2 and 8.3
* Many declares missing, more errors fixed
* Apply strict type
* Another approach
* Stronger typing for Minz_Session
* Fix case of SQLite
---------
Co-authored-by: Luc <sanchezluc+freshrss@gmail.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Fix ignored TRUSTED_PROXY issue
* Add a sub-section to the docs no property mappings for Authentik
* Typo
* Fix typing
* A few changes to the doc
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* fix many "Only booleans are allowed in an if condition"
* Update cli/create-user.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Update cli/i18n/I18nUsageValidator.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Fix several regressions and other minor things
* Fix another regression
* Update lib/http-conditional.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
---------
Co-authored-by: Luc <sanchezluc+freshrss@gmail.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* docs: language table added
* Update 05_Configuration.md
* Update 05_Configuration.md
* french docs
* Unicode quote and a few fixes
(Same search&replace aslo applied to a few other files)
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Complete PHPStan Level 6
Fix https://github.com/FreshRSS/FreshRSS/issues/4112
And initiate PHPStan Level 7
* PHPStan Level 6 for tests
* Use phpstan/phpstan-phpunit
* Update to PHPStan version 1.10
* Fix mixed bug
* Fix mixed return bug
* Fix paginator bug
* Fix FreshRSS_UserConfiguration
* A couple more Minz_Configuration bug fixes
* A few trivial PHPStan Level 7 fixes
* A few more simple PHPStan Level 7
* More files passing PHPStan Level 7
Add interface to replace removed class from https://github.com/FreshRSS/FreshRSS/pull/5251
* A few more PHPStan Level 7 preparations
* A few last details
* Modernize Constants and use new constant 'currentUser'
* Add FreshRSS_Context::currentUser() function and use
* Add FreshRSS_Context::currentUser() function and use
* Add FreshRSS_Context::currentUser() function and use
* Add FreshRSS_Context::currentUser() function and use
* Add FreshRSS_Context::currentUser() function and use
* Update app/Controllers/userController.php
* Update app/Controllers/userController.php
* Update app/Controllers/userController.php
* Update app/Models/Auth.php
* Update p/api/greader.php
* Update p/api/greader.php
* Update p/api/greader.php
* Update app/Models/Context.php
* Update app/Models/LogDAO.php
* Update lib/Minz/Log.php
* Update p/api/greader.php
* Update app/layout/header.phtml
* Update app/views/helpers/export/articles.phtml
* Update cli/do-install.php
* Remarque's from Alkarex
* Remarque's from Alkarex
* Refactor using new Minz_User class
* Consistent naming of public constants
---------
Co-authored-by: Luc <sanchezluc+freshrss@gmail.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* XML+XPath
#fix https://github.com/FreshRSS/FreshRSS/issues/5075
Implementation allowing to take an XML document as input using an XML parser (instead of an HTML parser for HTML+XPath)
* Remove noise from another PR
* Better MIME for XML
* And add glob *.xml for cache cleaning
* Minor syntax
* Add glob json for clean cache
* fix: Fix undefined GLOB_BRACE on Alpine
The manual states that:
> Note: The GLOB_BRACE flag is not available on some non GNU systems,
> like Solaris or Alpine Linux.
This generated an error on Alpine.
Reference: https://www.php.net/manual/function.glob.php
* fix: List details of feeds for OPML exportation
The details are necessary to export the XPath information, the CSS full
content path and read actions filters.
* Update LibOpml to 0.4.0
* Refactor OPML importation to be more robust
First, it fixes two regressions introduced by the update of lib_opml:
- title attribute is used when text attribute is missing;
- the OPML category attribute is used as a fallback for feeds categories.
In a related way, if also fixes a problem when a feed had both a parent
category outline and a category attribute. Before, it only considered the
attribute as its category, but now it considers the parent outline.
Then, it counts category limit correctly by not increasing
`$nb_categories` if the category already exists.
* Exclude lib_opml from the CodeSniffer
* Fix variable names when logging some errors
* Fix catch of LibOpml Exception
* Make sure to declare the category
* Exclude lib_opml from PHPStan analyze
* Disable markdownlint for lib_opml
* Fix typos
* Use auto-loading and allow updates via Composer
* Fix broken links to lib_opml
* Bring back the ability to import the OPML frss:opmlUrl attribute
* Refactor the logs of OPML errors
* Update lib_opml to the version 0.5.0
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* API avoid logging passwords
* Strip passwords and tokens from API logs
* Only log failed requests information when in debug mode
* Remove debug SHA
* Clean also Apache logs
* Better comments
* Redact also token parameters
* shfmt
* Simplify whitespace
* redacted
`preg_match` can return `1`, `0` or `false`. In this last case,
`enforceHttpEncoding` was trying to access `$matches[1]`, even if the regex wasn't matching.
Having this header leads to errors from sites such as LinkedIn. The usage of this header is also decreasing. Finaly, we were not sending the actual Referer but just the same URL as the one being fetched.
I suggest to remove for now, and see whether anyone needs it, in which case an option would be possible.
* Install CssXPath with composer
* Fix code style in tests
* fix pathnames for tests and linting
* add irrelevant files to .gitignore
* Alphabetic order
* let composer sort the packages alphabetically
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Install PHPMailer 6.5.1 with composer
* Fix folder name for phpmailer
* Update PHPMailer to v6.6.0, add LICENSE and README.md
* remove composer and autoload.php after install/update
* Fix path to PHPMailer for PHPStan
* Remove lib/composer.lock, lock PHPMailer at version 6.6.0
* Improve PSR-4 autoloading for PHPMailer
* Markdownlint ignore
* Delete some obvious comments
* ignores
* Support composer update --no-autoloader
* Automatic cleaning
With rules based on https://github.com/PHPMailer/PHPMailer/blob/master/README.md#minimal-installation
* Readme gitignore hint
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Little bug for cases with single quote in URL such as
```html
<img src="123?format='jpg'" />
```
Could probably be replaced by `loading="lazy"` in the future, and with a better DOM-aware method, for instance during SimplePie `add_attributes()`
* add HTTP_REMOTE_USER header for auth
* add ip whitelist for HTTP_REMOTE_USER header
* add IPv6 support for header auth
* fix formatting
* A few fixes
* Add some default trusted sources
* Fix IPv6 doc
* More standard header names
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* More PHP type hints for Fever
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/4201
Related to https://github.com/FreshRSS/FreshRSS/issues/4200
* Detail
* Draft
* Progress
* More draft
* Fix thumbnail PHP type hint
https://github.com/FreshRSS/FreshRSS/issues/4215
* More types
* A bit more
* Refactor FreshRSS_Entry::fromArray
* Progress
* Starts to work
* Categories
* Fonctional
* Layout update
* Fix relative URLs
* Cache system
* Forgotten files
* Remove a debug line
* Automatic form validation of XPath expressions
* data-leave-validation
* Fix reload action
* Simpler examples
* Fix column type for PostgreSQL
* Enforce HTTP encoding
* Readme
* Fix get full content
* target="_blank"
* gitignore
* htmlspecialchars_utf8
* Implement HTML <base>
And fix/revert `xml:base` support in SimplePie e49c578817
* SimplePie upstream PR merged
https://github.com/simplepie/simplepie/pull/723
