Commit message [Author, Age, Files, Lines]
* A real "Stay signed in": keep the connection [Christophe HENRY, 2013-12-05, 1, -5/+21]
| Instead of trusting the php session, it uses a cookie. The php session sooner or later is destroyed if not used. It depends upon the server settings. Using a cookie ensures that one really stays signed in.
|
| Dev notes: I wanted to avoid merge conflicts, stay with the main developer standards and keep the "index.php" in one file. That's why the code may not be that nice. My own dev level may also explain.
* Corrected overlapping tags [Sébastien SAUVAGE, 2013-12-04, 1, -1/+1]
|
* Merge pull request #145 from Alkarex/patch-1 [Sébastien SAUVAGE, 2013-11-29, 1, -5/+2]
|\
| | smallHash: simplified and improved performance
| * smallHash: simplified and improved performance [Alexandre Alapetite, 2013-11-10, 1, -5/+2]
| | Unchanged behaviour
* | XSS flaw correction [Sebastien SAUVAGE, 2013-11-29, 1, -5/+5]
|/
| Closes issue https://github.com/sebsauvage/Shaarli/issues/134
* Corrected field focus in bookmarklet [Sebastien SAUVAGE, 2013-09-27, 1, -1/+1]
| Focus was not properly given to description field when it's empty.
* Update README.md [Sébastien SAUVAGE, 2013-09-26, 1, -10/+10]
|
* Removed jQuery from almost all pages [Sebastien SAUVAGE, 2013-09-25, 7, -134/+25]
| jQuery has been removed from all pages, except those that really require it (like autocomplete in link edition). Immediate gain: All pages weigh 286 kb LESS ! \o/ Highlighting in search results has also been temporarily removed (and will be re-implemented).
* New QR-Code generation code [Sébastien SAUVAGE, 2013-09-25, 1, -20/+60]
|   * QR-Code generation now uses a client-side javascript library instead of an external service. This is better for user privacy.
|   * Library used is http://neocotic.com/qr.js/ (11 kb).
|   * jQuery is no longer used to display QR-Code (this is a first step in removing jQuery entirely).
|   * This library is loaded *only* if the QR-Code icon is clicked.
|   * If javascript is disabled, it will fall back to the external service.
|   * External service was changed from "invx.com" to "qrfree.kaywa.com" because invx has become bloated.
|
| By loading the javascript library *only* if the icon is clicked, it will prevent the 11 kb lib from being loaded in every page.
* Changed QR-Code CSS (selector and attributes) [Sébastien SAUVAGE, 2013-09-25, 1, -2/+3]
|
* Added javascript QR-Code library [Sébastien SAUVAGE, 2013-09-25, 1, -0/+9]
|
* Default example private link changed [Sébastien SAUVAGE, 2013-09-25, 1, -1/+1]
| Default example private link changed from pastebin to ZeroBin.
* Added nb=all to get all links in RSS/ATOM feed. [Sebastien SAUVAGE, 2013-09-24, 1, -2/+10]
|
* Merge pull request #87 from LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368 [Sébastien SAUVAGE, 2013-09-24, 1, -1/+36]
|\
| | Added a json_encode implementation for PHP < 5.2 (free.fr)
| * Added json_encode implementation for php<5.2 [Lionel Martin, 2013-05-20, 1, -2/+37]
| |
* | Added tags+private in shaarli URL [Sébastien SAUVAGE, 2013-09-24, 1, -2/+3]
| | Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
* | Merge pull request #112 from BoboTiG/master [Sébastien SAUVAGE, 2013-09-24, 1, -4/+6]
|\ \
| | | RSS/Atom: add a parameter to print only the N last links
| * | RSS/Atom: add a parameter to print only the N last links [BoboTiG, 2013-07-26, 1, -5/+7]
| |/
* | Merge pull request #118 from Alkarex/patch-1 [Sébastien SAUVAGE, 2013-09-24, 1, -1/+1]
|\ \
| | | Corrected error message for lack of write access in ./data
| * | Corrected error message for lack of write access in ./data [Alexandre Alapetite, 2013-08-23, 1, -2/+2]
| | |
* | | Merge pull request #119 from Alkarex/master [Sébastien SAUVAGE, 2013-09-24, 1, -0/+0]
|\ \ \
| | | | Smaller logo file
| * | | Smaller logo file [Alexandre Alapetite, 2013-08-23, 1, -0/+0]
| |/ /
| | | Better PNG compression of logo file, as produced by Page Speed.
* | | Merge pull request #125 from broncowdd/master [Sébastien SAUVAGE, 2013-09-24, 1, -1/+2]
|\ \ \
| | | | Added the possibility to put a description in the bookmarklet's URL
| * | | Added the possibility to put a description in the bookmarklet's URL [Bronco, 2013-09-16, 1, -2/+3]
| |/ /
* | | Merge pull request #126 from Alkarex/Milliseconds [Sébastien SAUVAGE, 2013-09-24, 1, -1/+5]
|\ \ \
| | | | Import: add compatibility for milliseconds in NETSCAPE-Bookmark
| * | | Import NETSCAPE-Bookmark compatible milliseconds [Alexandre Alapetite, 2013-09-21, 1, -1/+5]
| |/ /
| | | NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of seconds. For instance, this is the case of the files generated for Google +1s by Google Takeout. This patch makes these files compatible.
* | | Merge pull request #122 from lehollandaisvolant/master [Sébastien SAUVAGE, 2013-09-24, 1, -2/+2]
|\ \ \
| |/ /
|/| | Added a UA when fetching an external page
| * | Added a UA when fetching an external page (some sites want a UA) [lehollandaisvolant, 2013-09-03, 1, -2/+2]
|/ /
* | Better encoding handling in title parsing [Sebastien SAUVAGE, 2013-08-03, 1, -2/+23]
| | Thanks to a patch from Le Hollandais Volant.
* | SERVER_NAME changed to HTTP_HOST [Sebastien SAUVAGE, 2013-08-03, 1, -7/+7]
|/
| SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems on some misconfigured hosts. HTTP_HOST is usually more reliable with those servers. (cf. http://stackoverflow.com/questions/2297403/http-host-vs-server-name). This should cause fewer problems on most hosts.
* Merge pull request #43 from dsferruzza/highlight-search-results [Sébastien SAUVAGE, 2013-03-11, 3, -0/+120]
|\
| | Highlight search results
| * Avoid highlighting paging stuff [David Sferruzza, 2013-03-10, 1, -1/+1]
| |
| * Highlight search results (issue #4) [David Sferruzza, 2013-03-10, 3, -0/+120]
| | Uses http://bartaz.github.com/sandbox.js/jquery.highlight.html
* | Merge pull request #42 from matchab/master [Sébastien SAUVAGE, 2013-03-11, 2, -4/+15]
|\ \
| | | Default timezone
| * | Ignore Eclipse project files [Mathieu Chabanon, 2013-03-10, 1, -4/+9]
| | |
| * | Avoid a strict standard error when php.ini does not define the default [Mathieu Chabanon, 2013-03-10, 1, -0/+6]
| |/
| | timezone.
* | Merge pull request #45 from dsferruzza/fix-picwall-bug [Sébastien SAUVAGE, 2013-03-11, 2, -2/+2]
|\ \
| |/
|/| Fix picwall bugs
| * Move lazyload init inside the body tag [David Sferruzza, 2013-03-10, 1, -1/+2]
| |
| * Fix bug producing invalid HTML [David Sferruzza, 2013-03-10, 1, -1/+0]
|/
* Version 0.0.41 beta (tag: v0.0.41beta) [Sébastien SAUVAGE, 2013-03-08, 2, -3/+3]
|
* Merge pull request #37 from sebsauvage/CookieDomain [Sébastien SAUVAGE, 2013-03-08, 1, -3/+3]
|\
| | Correction for login problem with webkit browsers on sub-domain hosted Shaarli.
| * Correction for login problem with webkit browsers on sub-domain hosted Shaarli. [Sebastien SAUVAGE, 2013-03-06, 1, -3/+3]
|/
* Added second check to write rights. [Sebastien SAUVAGE, 2013-03-04, 1, -0/+2]
| (Because on some hosts is_writable() is not reliable.)
* Check that Shaarli has the right to write in its own directory. [Sebastien SAUVAGE, 2013-03-04, 1, -0/+1]
| Because some users forget to check this at installation.
* Got rid of small display bugs before installation. [Sebastien SAUVAGE, 2013-03-04, 1, -5/+7]
|
* Merge pull request #30 from Knah-Tsaeb/master [Sébastien SAUVAGE, 2013-03-04, 3, -60/+71]
|\
| | Merged "Private by default" feature (when creating a new link).
| * [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. [Knah Tsaeb, 2013-03-04, 3, -60/+71]
|/
* Added https to list of authorized protocols. [Sebastien SAUVAGE, 2013-03-03, 1, -1/+1]
|
* Corrected vulnerabilities (see report below) [Sebastien SAUVAGE, 2013-03-03, 3, -5/+16]
| Title : Shaarli Vulnerabilities
| Author : @erwan_lr | @_WPScan_
| Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
| Download : https://github.com/sebsauvage/Shaarli/archive/master.zip | http://sebsauvage.net/files/shaarli_0.0.40beta.zip
| Affected versions : master-705F835, 0.0.40-beta (versions below may also be vulnerable)
| Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards
|
| Persistent XSS :
|
| - During the installation or configuration modification, the title field is vulnerable. e.g <script>alert(1)</script>
|   Quotes can not be used because of var_export(), but String.fromCharCode works
|
| - The url field of a link is vulnerable :
|   When there is no redirector : javascript:alert(1)
|   Then, the code is triggered when a user clicks the url of a link
|
|   Or with a classic XSS : "><script>alert(1)</script>
|
| Unvalidated Redirects and Forwards :
|
| A request with the param linksperpage or privateonly can be used to redirect a user to an arbitrary referer
| e.g
| GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
| Host: 127.0.0.1
| Referer: https://duckduckgo.com
|
| History :
|
| March 2, 2013
| - Vendor contacted
* Proper redirect in popup when login fails. [Sebastien SAUVAGE, 2013-03-02, 1, -1/+3]
| This corrects issue https://github.com/sebsauvage/Shaarli/issues/10