We were not vulnerable to it, but here is an additional layer of security against search ingestions, in particular in public user queries, where someone could try to ingest a search like `) OR (interesting`
Closes FreshRSS/FreshRSS#6522.
Refresh of FreshRSS/FreshRSS#6590 by @sgzmd, which has been stalled with merge
conflicts since 2024. All original commits are preserved as-is in the history
(authorship intact); this PR adds a merge with current `edge` plus minor fixes.
## Summary
Adds a user setting `show_title_unread` (default `true`, so existing behavior
is preserved) that hides the unread article counter from both the tab title
and the favicon overlay. A single toggle controls both, matching the request
in #6522.
## Screenshots
Toggle in display settings:
<img width="320" height="127" alt="Display settings with new toggle" src="https://github.com/user-attachments/assets/fc78f825-161d-4b47-9b85-08e39554a4b1" />
Tab title and favicon when **enabled** (current behavior):
<img width="253" height="42" alt="Tab title and favicon with unread counter" src="https://github.com/user-attachments/assets/57387600-72e0-4b22-b059-04b5bfea673a" />
Tab title and favicon when **disabled** (new behavior):
<img width="254" height="40" alt="Tab title and favicon without unread counter" src="https://github.com/user-attachments/assets/93ac7997-dd4e-49bc-ab4a-74e4f0d2db1b" />
## Changes on top of #6590
- Resolved merge conflicts with current `edge` (controllers, model, view,
`config.default.php`, ~25 i18n files, plus the `zh-tw` -> `zh-TW` rename).
- Replaced Czech text mistakenly placed in `de/conf.php` with an English
`// TODO` marker so a German speaker can translate later.
- Renamed JS context key `show_unread_favicon` -> `show_title_unread` to
match the backend property and avoid a confusing dual-name for one setting.
- Removed an unused duplicate of `show_title_unread` from `config.default.php`
(the setting is read via `userConf()`, never `systemConf()`).
- Gated the dynamic title rewrite in `incUnreadsFeed` (`p/scripts/main.js`)
on the setting. Without this, marking an article read while the setting
was off would re-add the `(N)` prefix to the tab title.
- Escaped a stray apostrophe in the Occitan translation that broke parsing.
- `make fix-all` re-sorted i18n keys and added `// TODO` placeholders for
`fi`, `pt-PT`, `uk` (untranslated by the original PR).
## Test plan
- [x] `make test-all` passes (620/620 PHPUnit, phpstan, phpcs, eslint,
stylelint, markdownlint clean; `bin/typos` failed locally with a binary
arch mismatch on macOS arm64 - unrelated to this change).
- [x] Manually tested on a real instance: default behavior unchanged;
toggling the setting hides both the tab title `(N) ` prefix and the
favicon overlay; toggling back restores both; marking articles read
while the setting is off does not bring the counter back; opening and
closing an article preserves the user's choice.
* Make showing the number of unread items in the title configurable.
* Proposed approach to passing show_unread_favicon setting down to client-side code
* Fixes and refactoring
* Updating default config for the user.
When user's config wasn't initialised we are copying it from `config-user.default.php` - if `show_title_unread` is not there, it is assumed to be false, whereas in `config.default.php` it's true by default. This results in inconsistency until user changes the field for the first time in Config->Display.
* Adding translations.
* fix: gate JS title rewrite + drop dead system config entry
The original PR added show_title_unread to both config-user.default.php
(read by userConf, the right place) and config.default.php (read by
systemConf, never used here). Drop the system-level entry.
Also: incUnreadsFeed dynamically rewrites document.title when articles
are marked read/unread. That code path was not gated by the setting, so
toggling the setting off and then marking an article read would re-add
the (N) prefix to the tab title. Skip the document.title / prevTitle
write when context.show_title_unread is false.
* fix: drop README pollution from local make fix-all
`make fix-all` regenerated the README translation tables on macOS, where the
case-insensitive filesystem and an untracked local `app/i18n/nb/` directory
caused the generator to emit `zh-tw` (lowercase) and an `nb` entry. Reset
both README files to upstream/edge so CI can regenerate them cleanly.
* fix: restore zh-TW/conf.php from edge (case-insensitive FS damage)
The macOS case-insensitive filesystem caused the merge to overwrite
upstream/edge's properly-translated zh-TW/conf.php with the older
zh-tw/conf.php content from the PR side, regressing translation
coverage from 94% to 71%. Reset the file to edge's content and re-add
the show_title_unread Traditional Chinese translation.
---------
Co-authored-by: sgzmd <sigizmund@gmail.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: Bjørn A. Andersen <polybjorn@users.noreply.github.com>
Closes https://github.com/FreshRSS/FreshRSS/issues/8508
Changes proposed in this pull request:
- Use an integer for `Feed::error` everywhere (follow up to #8646)
- Extract `Entry::machineReadableDate()` into function for use in HTML templates
- Add `timeago()` function that converts a unix timestamp into a "4 weeks ago" string
- Show the last successful feed update, and the last erroneous update
How to test the feature manually:
1. Update a feed
2. Modify the feed URL in the database and set it to a non-existing URL
3. Update the feed again
4. Open the "Manage feed" and see the expanded error message:
> Blast! This feed has encountered a problem. If this situation persists, please verify that it is still reachable.
> Last successful update 3 hours ago, last erroneous update 1 hour ago.
You can hover the relative dates to see the timestamp.
* Make Feed::error an int everywhere
Related: https://github.com/FreshRSS/FreshRSS/pull/8646
* Extract timestamptomachinedate()
.. for later usage in the feed error time display.
* Show time since when a feed has problems
We add our own "timeago" function that converts a unix timestamp
into a "4 weeks ago" string.
Resolves: https://github.com/FreshRSS/FreshRSS/issues/8508
* Add new translation keys
* i18n fr, en-US
* Minor XHTML preference
* Slightly shorter rewrite, also hopefully easier to read
* Rewrite to allow (simple) plural
I also moved some functions around for hopefully a more generic and better structure.
I made some changes for the sake of speed (e.g. second-based logic instead of datetime intervals).
Note: I used automatic translation as I was worried it would be too complicated to explain to translators... I proofread the few languages I have some familiarity with.
* Add reference to CLDR
* Slightly more compact syntax
* Always show last update, fix case of unknown error date
* Remove forgotten span
* No need for multi-lines anymore
* Fix error date thresshold
* plurals forms
* Extract gettext formula conversion script to cli
* Simplify a bit
* Escort excess parentheses to the door
* Simplify
* Avoid being too clever in localization
* Fix German
* Fix plural TODO parsing
* Ignore en-US translation
* make fix-all
* git update-index --chmod=+x cli/compile.plurals.php
* Heredoc indent PHP 7.3+
* compileAll: Continue on error
* PHP strict comparisons
* Light logical simplification
* Cache plural_message_families
* Avoid case of empty value
* A bit of documentation
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: Frans de Jonge <frans@clevercast.com>
Co-authored-by: Frans de Jonge <fransdejonge@gmail.com>
* Add configuration to mark same GUID as read in category.
Implement suggestion mentioned in #8641
Changes proposed in this pull request:
- Add a configuration to the categories to automatically mark entries as read if the same GUID is present in recent entries.
How to test the feature manually:
1. Create a category. Check the option "Mark an article as read… if an identical GUID already exists [...]"
2. Enable debug logs, or add an extension which registers to the hook `Minz_HookType::EntryAutoRead`.
3. Add feeds which might have the same GUID.
For example: https://www.reddit.com/r/technology/hot.rss, https://www.reddit.com/r/technology/rising.rss, https://www.reddit.com/r/technology/best.rss, and https://www.reddit.com/r/technology/new.rss
4. See the logs "Mark GUID as read[...]", or the effect of the extension.
* Implement behavior to mark same GUID as read in category.
* Update documentation
* Update i18n
* Fix PHP CS report
* Fix missing argument
* Fixes
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* prefer feed.icon
Closes#5518
Changes proposed in this pull request:
- When a feed provides an icon URL (<image><url> in RSS 2.0/1.0, <atom:icon>/<atom:logo> in Atom, icon/favicon fields in JSON Feed), that URL is stored as a feedIconUrl attribute on the feed and used as the primary source for favicon downloads, instead of scraping the feed's website for <link rel="icon"> tags.
- If the feed-provided icon URL fails to return a valid image, the existing fallback chain (website HTML favicon search → /favicon.ico) is preserved.
Custom favicons uploaded by users always take priority and are never overridden.
How to test the feature manually:
1. Add an RSS feed that includes a <image><url> element (e.g. an RSSHub feed: `https://rsshub.app/youtube/channel/UC2cRwTuSWxxEtrRnT4lrlQA`). After actualization, confirm the feed's favicon matches the avatar image from the feed, not the Bilibili site favicon.
2. Add an Atom feed containing <atom:icon> or <atom:logo> Confirm the feed icon is used.
3. Add a JSON Feed (spec: icon field). Confirm icon is preferred over favicon when both are present.
4. Temporarily point a feed's <image><url> to a broken URL. Confirm FreshRSS falls back to the website favicon silently.
5. Upload a custom favicon for a feed, then actualize it. Confirm the custom favicon is not replaced.
<img width="470" height="317" alt="image" src="https://github.com/user-attachments/assets/17445154-d94c-44d6-b7e7-019bf24c5767" />
* fix(favicon): use htmlspecialchars_decode for feed image URL
* Decode quotes as well
* New function in our SimplePie fork
https://github.com/FreshRSS/simplepie/pull/73
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
When the search query includes some feed IDs or category IDs, adjust feed visibility/priority filter to include at minimum feed or category visibility.
Fix: https://github.com/FreshRSS/FreshRSS/issues/8602
* New SQL wrapper function `fetchInt()`
* Favour use of `fetchAssoc()`, `fetchInt()`, `fetchColumn()`
* Favour Nowdoc / Heredoc syntax for SQL
* Update indenting to PHP 8.1+ convention
* Favour `bindValue()` instead of position `?` when possible
* Favour `bindValue()` over `bindParam()`
* More uniform and robust syntax when using `bindValue()`, checking return code
In the case of SQLite, there was a PDO type problem resulting in paging when sorting by article length to be buggy.
The problem was located in `LENGTH(e.content) < ?`
Change to explicit typed binding.
* Add option to hide sidebar by default (#8515)
Closes https://github.com/FreshRSS/FreshRSS/issues/8515
Changes proposed in this pull request:
- Add `sidebar_hidden_by_default` user preference (default: `false`)
- Add a checkbox in the Display settings page to toggle this preference
- Hide the sidebar on page load in `normal` and `reader` views when the preference is enabled and no session state exists
- Add English translation key; mark all other languages as `TODO` for translators
How to test the feature manually:
1. Go to Settings → Display, tick "Hide sidebar by default", save
2. Go back to the main view (normal or reader): the sidebar should be hidden on load
3. Toggle the sidebar manually — it should open/stay open for the rest of the session
4. Open a new tab: the sidebar should be hidden again
5. Go to Settings → Display, untick the option, save: the sidebar should now be visible on load as usual
6. Check that the sidebar is always visible on Settings pages regardless of the preference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: PR comment
* Update app/i18n/pl/conf.php
* i18n: fr
* make fix-all
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Inverle <inverle@proton.me>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Re-add database status in installation check
It got disabled in 2014 to get a beta out.
Time to re-enable it.
Tested on SQLite.
"checkTable" now only verifies that at least the expected columns
exist, but does not fail on additional columns provided by
e.g. extensions.
Related: https://github.com/FreshRSS/FreshRSS/issues/678
* make fix-all
* i18n
* Simpler and more correct content_bin
* Fix PostgreSQL
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Fix user query parsing
Fix https://github.com/FreshRSS/FreshRSS/issues/8531
We used to take some shortcuts in the code, but now that the logic has complexified, we need to parse those user queries more properly.
* More fixes
* Implement filter on last modified date by server
Especially relevant for API, to get the modified changes: the API will now return the articles that are new or which content has been modified since `ot`:
fix https://github.com/FreshRSS/FreshRSS/issues/7304
fix https://github.com/FreshRSS/FreshRSS/issues/2566https://github.com/jocmp/capyreader/discussions/533#discussioncomment-11341808
New corresponding search operator `mdate:` and new UI:
<img width="650" height="627" alt="image" src="https://github.com/user-attachments/assets/8ba02937-abc7-44bf-b718-cf269cc37caf" />
* Migration from existing id column
* Fix auto-update
* Index after update for performance
* Minor comment
* Minor whitespace
* Fix regex
* Minor .gitignore
* Changelog and warning
* Update app/i18n/pl/gen.php
Co-authored-by: Inverle <inverle@proton.me>
* make fix-all
* Optimise SQL auto-update
For speed and resilience
* Minor SQLite change of sequence
* Changelog
* Speed optimisation: No DEFAULT 0
* Better migration
* Revert small bug
* Prepare filtering on multiple dates for API
* make fix-all
* Update tests
* Remaining manual merge
* Update versions
* Remove warnings no longer relevant in changelog
* Implement in API, and COALESCE
* No lastModified when adding new article
* Rework logic
* Sort IS NOT NULL
* Remove forgotten lastModified
---------
Co-authored-by: Inverle <inverle@proton.me>
* Use Pdo\Mysql for PHP 8.5+ (and update PHPStan)
fix https://github.com/FreshRSS/FreshRSS/issues/8525
Update PHPStan at the same time due to the need to add new ignore rules.
* Update additional PDO examples
* added local feed sorting
Addresses https://github.com/FreshRSS/FreshRSS/issues/4761
- Added number of sorted feeds and associative array for feed sorting option in Context.
- Number of sorted feeds and local sorting option by its index saved into Minz Request Parameters.
- Number of sorted feeds and local sorting options deleted when choosing another Option Of Global Sorting.
- Added option of allowing sorting by feed in configuration.
- Added variable for allowing local sorting in userConf.
- Added function to get feeds by current get in context.
- Added menu button for all individual feed sorting.
- New database options for individual feed sorting in EntryDAO.
- Considered choosing new entries based on chosen load limit.
- Local sorting parameter saved into continuation value in Index Controller.
How to test the feature manually:
1. At the bottom of Reading Configuration menu turn on individual sorting option menu
2. Choose Sorting by feed option
3. Choose feed at next sorting menu and choose sorting option for that feed
* added feed sorting option
* added sort feeds display
* added template for sort feed name
* added title to feed sorting button
* added comments
* added local sorting option
* Added Docs
* css reset
* added getter and seter for local sort
* added getter and seter for local sort
* allowed sorting per feed
* allowed sorting per feed
* added sorting option for category
* deleted changes from NetryDAO
* add setting up sorting for category
* docs reset
* i18 reset
* updated i18 for category
* added i18 for categories
* added i18 for category
* added setting sorting for feeds and category
* removing userConf.allow-local-sort
* removing userConf.allow-local-sort
* removing white space
* added credits
* removed feeds_by_get
* removed whitespace
* changed escaping for values
* added escaping to user set values
* added in_array
* added secondary sort and order
* added secondary sort and order
* fixed readme
* removed whitespace change
* reseted i18n
* added translations
* added feed setting translations
* fixed i18n
* fixed i18n
* changes in sort order per feed
* changes in sort order per feed
* added secondary sort order
* primary sort
* changed to preferred sort order
* i18n
* Revert wrong whitespace changes
* Re-order new options
* added blank option
* fixed escaping
* fixed default sort in feed
* fixed default sort recovery
* siplyfied option
* added rand option
* Revert unrelated change
* Minor plaintext
* Whitespace and formatting fixes
* Avoid unneeded SQL requests and processing
* Improve syntax
* Improve logic
* Reuse existing translations as much as possible
* i18n
* Remove some options that make little sense
* Separators
* Fix old transation key
* Add help messages
* Progress on secondary sort
* raw name
* Pass parameters. Add TODO
* Progress
* Minor ordering
* Fix parenthesis
---------
Co-authored-by: root <root@LAPTOP-C8TCHHPN.localdomain>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Closes https://github.com/FreshRSS/FreshRSS/issues/7330
- Default behavior is same
- Added FreshRSS_Context::userConf()->html5_disable_notif so that, it determines weather user wants notification. (will not show any even it has permission) (i want default false so disable, so old configs get proper default values)
- Added button such that checking it makes it request permission too
<img width="707" height="119" alt="image" src="https://github.com/user-attachments/assets/a0fdbc4d-9f15-4644-8753-f0e6c979677f" />
- test notification actually happening (how can i trigger it, do i have to wait it), this code fixes permissions.
Compares host of hub and baseUrl, to detect they can connect each other ofr pubSubHub
Helps https://github.com/FreshRSS/FreshRSS/issues/8442
Changes proposed in this pull request:
- if host of hub and baseUrl are same then they hub can access freshrss even in localhost
How to test the feature manually:
- Create pubsub server on localhost and connect to RSS instance on localhost.
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Add closed msg field
i18n
fix
* Display based on registration type
* Save as FreshRSS_Context::systemConf()->closed_registration_message instead
* Improve messages
* Revert unrelated changes
* make fix-all
* Minor whitespace
* Simplify logic
* Fix invalid use of empty() and sympler syntax
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
The string syntax of `strtr()` cannot handle mutibytes characters, so need to be rewritten using an array map approach.
Extend the fallback replacements to include the Windows/ISO charsets of the latin languages for which we have a translation
Dates should not be expanded/resolved in string serialisations of search expressions, as it otherwise break relative user queries such as `P30D`.
Fix of https://github.com/FreshRSS/FreshRSS/pull/8293
* Allows easier modifications of the search expression.
* Add proper `__toString()` instead of just returning the raw input string. Allows in particular showing the result of the actual parsing of the raw input string in the UI.
Needed for https://github.com/FreshRSS/FreshRSS/pull/8294
