| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|\
| |
| | |
Versioned JS files & centralized licenses
|
| |
| |
| |
| |
| |
| |
| | |
Updated libraries
Updated copyright dates and the list of contributors.
Added unminified sources for GPL compliance
|
|\ \
| | |
| | | |
daily: display link timestamps
|
| | |
| | |
| | |
| | |
| | |
| | | |
Fixes #26
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes #64
All pages:
- add `urlencode` when passing the version to a custom stylesheet;
- set meaningful values of `alt` and `title` for QR-Code images.
Install page:
- the form's `action` attribute must be non-empty;
- the `valign` attribute is deprecated.
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
and we can safely omit it.
* make QRCode JS works with IE :
* behave as a normal link if canvas aren't supported (<=IE8)
* default parameter values in JS aren't widely supported (see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Default_parameters ), use this method instead: http://stackoverflow.com/a/148918/1484919
* dataset isn't supported in IE9 use getAttribute instead
* addEventListener works with IE9+ and other browsers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://github.com/shaarli/Shaarli/issues/64):
* fix duplicate IDs - #paging_older, #paging_newer become classes as the paging is displayed twice (top, bottom) in the linklist
* fix duplicate IDs - #paging_privatelinks and #paging_linksperpage become classes
* daily links are now valid (use &)
* name attribute is not used anymore on a tag in link list
* center tag is replaced by CSS in picwall and tag cloud
* action in form tag can't be empty, use # instead
* fixed configure table with CSS instead of cellpadding, border, and valign
* export links are now valid
* remove "size" in input tag
* Fix missing alt attributes for img elements
* tpl/daily: Use HTML entities instead of char escape codes
* tpl/export: fix missing </span> closing tag
* Remove obsolete language attribute on <script> elements
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes shaarli/Shaarli#29
Style elements refactored as follows:
- use existing ids and classes if possible,
- else, define new ones and stick with the existing naming convention,
- remove hardcoded style attributes from RainTPL templates.
Exception:
In tpl/tagcloud.html, the display size of each tag is computed at page
generation.
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
|
|
|
|
|
| |
Corrected CSS to prevent a line from showing underneath
Fixes https://github.com/shaarli/Shaarli/issues/53
|
|\
| |
| | |
uniform if syntax
|
| | |
|
| |
| |
| |
| |
| |
| | |
* prevents unproper escaping of characters like '&'
* fixes https://github.com/sebsauvage/Shaarli/issues/85
* fixes https://github.com/shaarli/Shaarli/issues/48
|
| | |
|
| |
| |
| |
| | |
* adds an "archive" link next to permalinks, linking to the last version of the page on archive.org
|
| |
| |
| |
| |
| | |
* ATOM button display is now configurable using the SHOW_ATOM variable in index.php or data/options.php (defaults to false)
* Fixes https://github.com/shaarli/Shaarli/issues/24
|
|\ \
| | |
| | | |
bookmarklet: use selected text as description when adding a new link
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Based on romnGit's work at https://github.com/sebsauvage/Shaarli/pull/104
* Fixes https://github.com/shaarli/Shaarli/issues/18
* Closes https://github.com/sebsauvage/Shaarli/pull/104
* Fixes https://github.com/sebsauvage/Shaarli/issues/53
* Fixes https://github.com/sebsauvage/Shaarli/issues/129
* Fixes https://github.com/sebsauvage/Shaarli/issues/33
|
|/ /
| |
| |
| |
| |
| |
| | |
typo in css
Based on respencer's work at https://github.com/respencer/Shaarli/
Closes https://github.com/sebsauvage/Shaarli/pull/103
|
| | |
|
|/
|
|
| |
link on the title.
|
|
|
|
|
|
|
|
| |
jQuery has been removed from all pages, except those who really require
it (like autocomplete in link edition).
Immediate gain: All pages weight 286 kb LESS ! \o/
Highlighting in search results has also been temporarly removed (and
will be re-implemented).
|
|
|
|
|
|
|
|
|
|
| |
* QR-Code generation now uses a client-side javascript library instead of an external service. This is better for user privacy.
* Library used is http://neocotic.com/qr.js/ (11 kb).
* jQuery is no longer used to display QR-Code (this is a first step in removing jQuery entirely).
* This library is loaded *only* if the QR-Code icon is clicked.
* If javascript is disabled, it will fallback to the external service.
* External service was changed from "invx.com" to "qrfree.kaywa.com" because invx has become bloated.
By loading the javascript library *only* if the icon is clicked, it will prevent the 11 kb lib to be loaded in every page.
|
|\
| |
| | |
Highlight search results
|
| | |
|
| |
| |
| |
| | |
Uses http://bartaz.github.com/sandbox.js/jquery.highlight.html
|
|/ |
|
|
|
|
| |
private by default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_
Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)
Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards
Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works
- The url field of a link is vulnerable :
When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link
Or with a classic XSS : "><script>alert(1)</script>
Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer
e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com
History :
March 2, 2013
- Vendor contacted
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Shaarli uses light Javascript in its normal operation, and some jQuery
for some features (autocomplete in tags, QR-Code popup...).
jQuery can be slow on small computers. An option has been added in
configuration screen to disable javascript features which are hard on
CPU.
(Note that the Picture Wall is awfully heavy *without* jQuery.)
(Side note: A *LOT* of users want Shaarli to work without javasript at
all, if possible. That's why I try to use as few javascript as possible:
It keeps Shaarli pages fast.)
|
| |
|
|
|
|
| |
https://github.com/sebsauvage/Shaarli/issues/5
|
|
|