path: root/tpl
Commit message | Author | Age | Files | Lines
* Move lazyload init inside the body tag | David Sferruzza | 2013-03-10 | 1 | -1/+2
* [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. | Knah Tsaeb | 2013-03-04 | 2 | -3/+11
* Corrected vulnerabilities (see report below) | Sebastien SAUVAGE | 2013-03-03 | 2 | -2/+2

    Title : Shaarli Vulnerabilities
    Author : @erwan_lr | @_WPScan_
    Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
    Download : https://github.com/sebsauvage/Shaarli/archive/master.zip | http://sebsauvage.net/files/shaarli_0.0.40beta.zip
    Affected versions : master-705F835, 0.0.40-beta (versions below may also be vulnerable)
    Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

    Persistent XSS :
    - During the installation or configuration modification, the title field is vulnerable.
      e.g. <script>alert(1)</script>
      Quotes cannot be used because of var_export(), but String.fromCharCode works
    - The url field of a link is vulnerable :
      When there is no redirector : javascript:alert(1)
      Then, the code is triggered when a user clicks the url of a link
      Or with a classic XSS : "><script>alert(1)</script>

    Unvalidated Redirects and Forwards :
    A request with the param linksperpage or privateonly can be used to redirect a user to an arbitrary referer
    e.g.
    GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
    Host: 127.0.0.1
    Referer: https://duckduckgo.com

    History :
    March 2, 2013 - Vendor contacted
* Added option to disable jQuery and heavy javascript | Sebastien SAUVAGE | 2013-03-01 | 5 | -8/+24

    Shaarli uses light Javascript in its normal operation, and some jQuery for some features (autocomplete in tags, QR-Code popup...). jQuery can be slow on small computers. An option has been added in configuration screen to disable javascript features which are hard on CPU. (Note that the Picture Wall is awfully heavy *without* jQuery.)

    (Side note: A *LOT* of users want Shaarli to work without javascript at all, if possible. That's why I try to use as little javascript as possible: It keeps Shaarli pages fast.)
* After clicking save/cancel on a link, scroll to the link itself. | Sébastien SAUVAGE | 2013-02-27 | 1 | -0/+1
* Edit/delete button on the left-side of links. | Sébastien SAUVAGE | 2013-02-27 | 1 | -4/+6

    https://github.com/sebsauvage/Shaarli/issues/5
* Initial commit (version 0.0.40 beta) [v0.0.40beta] | Sébastien SAUVAGE | 2013-02-26 | 22 | -0/+530