* Prevent window opener vulnerability with space shortcut
This change fixes a vulnerability introduced by `window.open()` on untrusted sources. It reproduces the effect of `rel="noreferrer"` with JS.
Cross browser solution from: https://stackoverflow.com/a/40593743
## Reproduction
> tested with Firefox 68
1. Add this RSS feed
2. Open the 2nd link "À propos de la faille de sécurité liée à target="_blank"" **using the space key shortcut**.
3. Click on the first of three links "http://bookmarks.ecyseo.net"
Current behaviour: the FreshRSS tab changes.
Expected behaviour: no effect on FreshRSS
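As an added illustration (not FreshRSS code) of the two sides of the point above: a helper that opens an untrusted URL after severing `window.opener`, following the cross-browser approach the commit references, and a small audit helper that flags `target="_blank"` anchors in raw HTML whose `rel` lacks `noopener`/`noreferrer`. The injectable `openFn` parameter and the sample HTML are assumptions made so the code runs outside a browser.

```javascript
// Added example, not part of the FreshRSS commit. Opens `url` in a new tab
// without giving the new page a usable window.opener (the reverse-tabnabbing
// vector that the commit message describes). `openFn` defaults to window.open
// and is injectable so the function can be exercised outside a browser.
function openUntrusted(url, openFn) {
  openFn = openFn || (typeof window !== 'undefined' ? window.open.bind(window) : null);
  if (!openFn) throw new Error('no window.open available');
  // Open a blank tab first: nothing untrusted has loaded yet.
  var win = openFn('', '_blank');
  if (!win) return null; // popup blocked; caller decides how to report it
  // Cut the back-reference before navigating, so the target document never
  // sees window.opener and cannot redirect this tab.
  win.opener = null;
  win.location = url;
  return win;
}

// Audit helper: list <a ... target="_blank"> tags whose rel attribute has
// neither noopener nor noreferrer. Regex-based on purpose so it can run as a
// lint pass over templates or stored HTML without a DOM.
function findUnsafeBlankLinks(html) {
  var unsafe = [];
  var tagRe = /<a\b[^>]*>/gi;
  var m;
  while ((m = tagRe.exec(html)) !== null) {
    var tag = m[0];
    if (!/\btarget\s*=\s*["']?_blank\b/i.test(tag)) continue;
    var rel = /\brel\s*=\s*["']([^"']*)["']/i.exec(tag);
    var tokens = rel ? rel[1].toLowerCase().split(/\s+/) : [];
    if (tokens.indexOf('noopener') === -1 && tokens.indexOf('noreferrer') === -1) {
      unsafe.push(tag);
    }
  }
  return unsafe;
}

// Constructed sample input (assumed, for demonstration only).
var SAMPLE_HTML =
  '<a href="https://a.example/" target="_blank">bad: opener leaks</a>' +
  '<a href="https://b.example/" target="_blank" rel="noopener noreferrer">ok</a>' +
  '<a href="https://c.example/">same tab, no new window</a>';
```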
* Test for popup blockers
* Require PHP 5.5+
https://github.com/FreshRSS/FreshRSS/issues/2469#issuecomment-522255093
I think it would be reasonable to require PHP 5.5+ for the core of
FreshRSS after all.
As Frenzie said, WordPress currently requires PHP 5.6.20+, and it is the
most popular PHP application.
We would lose about 20% of the PHP servers according to
https://w3techs.com/technologies/details/pl-php/5/all but I expect this
number to drop fast after the release of CentOS 8 (CentOS accounts for
17% of Linux servers
https://w3techs.com/technologies/details/os-linux/all/all ).
Distributions:
* no impact on Ubuntu, Fedora, Alpine, OpenWRT, FreeBSD, openSUSE,
Mageia, as all active versions have PHP > 7
* no impact on openSUSE, Synology, as all active versions have PHP > 5.5
* we drop Debian 8 Jessie (-2020) - we keep supporting Debian 9 Stretch
(2017-06) - current is Debian 10 Buster
* we drop Red Hat 7 (-2024) - we keep supporting RHEL 8 (2019-05)
* we drop CentOS 7 (-2024) - we will support CentOS 8 (to be released
soonish)
When dropping older versions, I like it better when it is for a good
reason, and there is actually one with PHP 5.5, namely generators
(yield) https://php.net/language.generators.overview, which I consider
using.
* Version note for JSON.php
* hex2bin
* Update .travis.yml
Co-Authored-By: Frans de Jonge <fransdejonge@gmail.com>
* [CI] Run stylelint
Perform some basic CSS sanity checking and style enforcement.
I removed vendor prefixed linear-gradient and transform because those are from the IE9 era. With IE11 as a minimum and soon obsolete requirement it doesn't make much sense anymore.
* Remove as-link override
* Don't require newline after comment
* Also apply those newline rules to SCSS
* refine opening/closing braces, allow for single-line
* [CI] Run shellcheck and shfmt
Cf. https://github.com/FreshRSS/FreshRSS/pull/2436#discussion_r305640019
* rename
* no need for disable anymore
* also remove leftover indentation flags even if it makes no difference to syntax checking
* define colors and reset before exit for local use
* Issue #2446 : Fix passing authentication headers. Use CGIPassAuth if version is high enough
* Issue #2446 : Remove CGIPassAuth due to potential issues with AllowOverride rights.
* Tabs
* Change category configuration
Before, we had a drop-down list to interact on categories. It was not
working the same way as feeds.
Now, categories and feeds behave in a similar manner. At the moment,
there is no change in features but it will allow us to expand them.
See #2369
* Minor whitespace
Before, the printed page didn't have any usable CSS.
Now, it uses the CSS files available in the application. It means that
custom CSS can be added to target the printed page.
See #2149
* Better handling of bad request and fast unload
Warnings for bad requests, confirmation before leaving a page with
pending mark-as-read requests (not the others for now)
* Fix callbacks
* Less jQuery
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/2199
* Even less jQuery + global view unread title fix
* Even less jQuery
* Yet even less jQuery
* Even less jQuery
* Reduce some events
* Even less jQuery
* jQuery gone from main view
+Fixed English i18n
* Fix feed folded view
* Remove Firefox 64 workaround
Remove workaround for Gecko bug 1514498 in Firefox 64, fixed in Firefox
65
* Split to extra.js
Avoid loading unneeded JavaScript code for the main view.
+ several adjustments
* Improve CSS transition fold category
* Rewrite shortcuts
Remove library. Much faster, shorter, one listener instead of many.
Control of the shortcut context.
Fix https://github.com/FreshRSS/FreshRSS/issues/2215
* Remove debug
* Minor syntax
* Filter out unwanted shortcut modifiers
* Menu overflow fix
* Typo
* Fix unfolding in mobile view
* Remove jQuery from category.js
* Remove jQuery from Global view
* Add a JavaScript event when opening an article
https://framagit.org/nicofrand/xextension-threepanesview/issues/4
```javascript
document.body.addEventListener('freshrss:openArticle', function (e) {
	console.log('freshrss:openArticle');
	console.log(e.target);
});
```
* Use openlog before syslog
In order to have a copy on stderr when syslog is not available.
* Take advantage of syslog for actualization
Pipe cron job STDERR and syslog to Docker log
Cf. 00bd467655
* Apache performance
API: Use SetEnvIf if available and fallback to RewriteRule
Docker: Disable unused modules.
Docker: Hard-include .htaccess to avoid having to scan for changes in
that file.
Docker: Disable security check of symlinks, which we do not use anyway.
* Apache readme
* Docker/Apache tuning
Run cron job with correct www-data user instead of root
Remove PHP GMP module unneeded for 64-bit Docker image
Add option to mount custom .htaccess for HTTP authentication
Re-add Apache module for HTTP authentication
Move Alpine-specific instructions to Docker file (instead of Apache
conf) to make it easier to have other base images than Alpine