rdelaage
/
miniflux-v2
mirror of https://github.com/miniflux/v2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,205 Commits 1 Branch 65 Tags 65 MiB
Commit Graph

8 Commits

Author SHA1 Message Date
Frédéric Guillot eb9508502c Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler 
Creating an RSS feed item with the inline description containing an `<img>` tag
with a `srcset` attribute pointing to an invalid URL like
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the
user is convinced to open the broken image.
 2023-03-12 22:36:03 -07:00
Romain de Laage 2c2700a31d Proxy support for several media types 
closes #615
closes #635
 2023-02-25 15:57:59 -08:00
Frédéric Guillot cecab91298 Fix some linter issues 2022-08-08 22:06:38 -07:00
Frédéric Guillot 11dfcdd3d6 Fix typo in license header 2018-10-08 15:50:15 -07:00
Frédéric Guillot 1f58b37a5e Refactor HTTP response builder 2018-10-08 15:31:58 -07:00
Frédéric Guillot dbcc5d8a97 Use canonical imports 2018-08-24 21:56:39 -07:00
Frédéric Guillot 34a3fe426b Compress HTML responses to Gzip/Deflate if supported by browser 2018-07-06 20:39:28 -07:00
Frédéric Guillot f49b42f70f Use vanilla HTTP handlers (refactoring) 2018-04-29 16:35:04 -07:00