Commit Graph

1201 Commits

Author SHA1 Message Date
Frédéric Guillot 9ae6922bdc Fix null reference in toggle entry attachments shortcut
Fixes #1723
2023-03-13 20:20:35 -07:00
Frédéric Guillot ea8c3c801a Update Security policy 2023-03-13 19:56:47 -07:00
Frédéric Guillot eb9508502c Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler
By creating an RSS feed item with the inline description containing an `<img>` tag
with a `srcset` attribute pointing to an invalid URL like
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the
user is convinced to open the broken image.
2023-03-12 22:36:03 -07:00
Frédéric Guillot b46b5dfb2a Use r.RemoteAddr to check /metrics endpoint network access
HTTP headers like X-Forwarded-For or X-Real-Ip can be easily spoofed. As
such, they cannot be used to test if the client IP is allowed.

The recommendation is to use HTTP Basic authentication to protect the
metrics endpoint, or run Miniflux behind a trusted reverse-proxy.
2023-03-11 20:53:12 -08:00
Frédéric Guillot 877dbed5e8 Add HTTP Basic authentication for /metrics endpoint 2023-03-11 20:13:52 -08:00
fructurj 79ff381c4c Update es_ES.json 2023-03-11 17:38:07 -08:00
dependabot[bot] f6a672738a Bump golang.org/x/crypto from 0.6.0 to 0.7.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](https://github.com/golang/crypto/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 20:38:55 -08:00
dependabot[bot] e4964d6933 Bump golang.org/x/oauth2 from 0.5.0 to 0.6.0
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/golang/oauth2/releases)
- [Commits](https://github.com/golang/oauth2/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 20:27:58 -08:00
Davide Masserut 755c9af47d Update scraping rules for ilpost.it 2023-03-01 20:04:25 -08:00
Frédéric Guillot 02e4b8eadc Update GitHub Actions to use Go 1.20 2023-03-01 19:56:06 -08:00
Frédéric Guillot aaa1625724 Ignore empty link when discovering feeds 2023-02-26 17:19:26 -08:00
Frédéric Guillot bb5f3ec6a8 Disable CGO explicitly to make sure the binary is statically linked
Apparently this behavior has been changed in Go 1.20: https://tip.golang.org/doc/go1.20#cgo
2023-02-25 16:55:11 -08:00
Sigsign 8804eb9a78 Update Japanese translation 2023-02-25 15:58:39 -08:00
Romain de Laage 2c2700a31d Proxy support for several media types
closes #615
closes #635
2023-02-25 15:57:59 -08:00
privatmamtora 8f9ccc6540 Parse `<category>` from Feeds (RSS, Atom and JSON) 2023-02-24 20:52:45 -08:00
dependabot[bot] ff8d68c151 Bump github.com/PuerkitoBio/goquery from 1.8.0 to 1.8.1
Bumps [github.com/PuerkitoBio/goquery](https://github.com/PuerkitoBio/goquery) from 1.8.0 to 1.8.1.
- [Release notes](https://github.com/PuerkitoBio/goquery/releases)
- [Commits](https://github.com/PuerkitoBio/goquery/compare/v1.8.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/PuerkitoBio/goquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-20 19:24:57 -08:00
the7thNightmare 1fb0bc29db Update the plural for Indonesian
Copied from the zh_CN plural
2023-02-19 19:53:06 -08:00
Ananta Krsna dasa a1593b8942 Run the application in one command 2023-02-19 11:56:51 -08:00
Ananta Krsna dasa 20c4cb770e Bring back the health check condition to `depends_on` 2023-02-19 11:56:51 -08:00
Ananta Krsna dasa db7a4ae7e9 Remove deprecated `version` element 2023-02-19 11:56:51 -08:00
the7thNightmare aabb766fad Add Indonesian Language 2023-02-19 11:49:17 -08:00
the7thNightmare 8dce3099d9 Add Indonesian Language 2023-02-19 11:49:17 -08:00
dependabot[bot] fb2b43176f Bump golang.org/x/net from 0.6.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-14 19:06:58 -08:00
dependabot[bot] 2f6034c63c Bump golang.org/x/crypto from 0.5.0 to 0.6.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](https://github.com/golang/crypto/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 17:54:31 -08:00
dependabot[bot] 67190fc988 Bump golang.org/x/oauth2 from 0.4.0 to 0.5.0
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/oauth2/releases)
- [Commits](https://github.com/golang/oauth2/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 17:49:00 -08:00
dependabot[bot] e4c0495646 Bump golang.org/x/net from 0.5.0 to 0.6.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-08 20:15:36 -08:00
dependabot[bot] a7508b2746 Bump golang.org/x/term from 0.4.0 to 0.5.0
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/term/releases)
- [Commits](https://github.com/golang/term/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-07 20:16:21 -08:00
Wojtek 34408b50a7 Add CSS classes to differentiate between category/feed/entry view and icons 2023-02-06 20:46:42 -08:00
Marie Ramlow 48acd1feca Add rewrite and scraper rules for blog.cloudflare.com 2023-02-05 21:01:42 -08:00
Ryan Cao 8d51fd8ff5 fix: add `color-scheme` to themes 2023-02-05 20:58:23 -08:00
Martin Vietz a44ba4abcb Add toggle open/close entry attachments shortcut 2023-02-05 20:51:51 -08:00
dependabot[bot] b338c9b3c2 Bump github.com/yuin/goldmark from 1.5.3 to 1.5.4
Bumps [github.com/yuin/goldmark](https://github.com/yuin/goldmark) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/yuin/goldmark/releases)
- [Commits](https://github.com/yuin/goldmark/compare/v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/yuin/goldmark
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-02 20:07:07 -08:00
xdavidwu 08f7835f5d sanitizer: allow id in <sup>
One of the blogs I read uses an anchor on <sup> to link a footnote back to its
reference.
2023-01-31 17:53:45 -08:00
dependabot[bot] d38fc80bad Bump docker/build-push-action from 3 to 4
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3 to 4.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 17:04:35 -08:00
Frédéric Guillot b2fd84e0d3 Update ChangeLog 2023-01-29 17:01:14 -08:00
Sigsign e64f488654 Update Japanese translations 2023-01-28 17:58:56 -08:00
Sigsign 8017ed2cf6 Sort like en_US.json 2023-01-28 17:58:56 -08:00
Davide Masserut 65febebd40 Fix header items wrapping 2023-01-17 20:00:13 -08:00
Frédéric Guillot 2e047dff98 Add option to enable or disable double tap 2023-01-14 16:59:52 -08:00
Frédéric Guillot 6612e42668 Improve PWA display mode label in settings page 2023-01-14 15:39:09 -08:00
dependabot[bot] 2956bbad8d Bump golang.org/x/oauth2 from 0.3.0 to 0.4.0
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/golang/oauth2/releases)
- [Commits](https://github.com/golang/oauth2/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-05 07:23:59 -08:00
dependabot[bot] 3285a00ebc Bump golang.org/x/crypto from 0.4.0 to 0.5.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](https://github.com/golang/crypto/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-05 07:23:41 -08:00
dependabot[bot] c0c8e47344 Bump golang.org/x/net from 0.4.0 to 0.5.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-05 07:14:53 -08:00
dependabot[bot] 3fc02df70f Bump golang.org/x/term from 0.3.0 to 0.4.0
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/golang/term/releases)
- [Commits](https://github.com/golang/term/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-05 07:06:56 -08:00
Tadeusz Magura-Witkowski c071201e37 Update pl_PL.json
Fixed message for form.feed.label.disable (for some reason this was in Russian?).
2022-12-29 12:56:50 -08:00
Davide Masserut 690d66ce0b Update scraping rules for ilpost.it 2022-12-27 13:33:41 -08:00
Davide Masserut ef312ef770 Update scraping rule for ilpost.it 2022-12-16 15:07:10 -08:00
Davide Masserut c0bed53b42 Add scraping rule for ilpost.it 2022-12-15 19:53:12 -08:00
Davide Masserut c0ee3ed375 Update reading time HTML element after fetching the original web page 2022-12-14 19:53:04 -08:00
Davide Masserut ce35b46fee Add category feeds refresh 2022-12-12 19:41:30 -08:00