Frédéric Guillot
cb617ff6e0
test(sanitizer): enhance tests for image width and height attributes
2025-07-01 20:52:45 -07:00
jvoisin
43546976d2
refactor(tests): use b.Loop() instead of for range b.N
...
See https://tip.golang.org/doc/go1.24#new-benchmark-function
2025-06-18 20:12:55 -07:00
Frédéric Guillot
6af4d69c39
test(sanitizer): add test case to cover Vimeo iframe rewrite without query string
2025-06-17 17:55:39 -07:00
Frédéric Guillot
27015a5e34
test(sanitizer): add unit test for 0x0 pixel tracker
2025-06-17 17:42:55 -07:00
Frédéric Guillot
3538c4271b
refactor(sanitizer): use global variables to avoid recreating slices on every call
2025-06-13 21:34:07 -07:00
Frédéric Guillot
ac44507af2
refactor(sanitizer): use a map for iframe allow list
2025-06-13 21:05:23 -07:00
Frédéric Guillot
cecc18420d
feat(sanitizer): add validation for empty width and height attributes in img tags
2025-06-09 20:38:17 -07:00
Frédéric Guillot
d53fd17e10
feat(sanitizer): validate MathML XML namespace
2025-06-09 20:28:54 -07:00
Frédéric Guillot
21d22d7f0b
feat(sanitizer): add support for fetchpriority and decoding attributes in img tags
2025-06-09 20:12:15 -07:00
Frédéric Guillot
8db637cb39
feat(ui): add user setting to control `target="_blank"` on links
...
Rationale: Opening links in the current tab is the default browser behavior.
Using `target="_blank"` on external links can lead to accessibility issues and override user preferences. It may also interfere with assistive technologies and expected browser behavior.
To maintain backward compatibility, this option is enabled by default (`true`), which adds `target="_blank"` to links.
2025-06-08 21:07:11 -07:00
Frédéric Guillot
828a4334db
fix(sanitizer): MathML tags are not fully supported by golang.org/x/net/html
...
See https://github.com/golang/net/blob/master/html/atom/gen.go
and https://github.com/golang/net/blob/master/html/atom/table.go
2025-05-06 21:18:19 -07:00
jvoisin
f916373f55
fix: allow the `<b>` tag
2025-03-06 19:27:30 -08:00
Frédéric Guillot
462ba8d7f7
feat(sanitizer): allow `img` tags with only a `srcset` and no `src` attribute
2025-02-15 18:03:36 -08:00
Frédéric Guillot
1faccc7eca
fix(sanitizer): non-allowed attributes are not properly stripped
...
Regression introduced in commit 58178d90cb
2025-01-22 20:50:38 -08:00
Julien Voisin
f116f7dd6a
test(sanitizer): add a fuzzer
2025-01-11 17:19:31 -08:00
Julien Voisin
728423339a
refactor(sanitizer): improve rewriteIframeURL()
...
- Use `url.Parse` instead of a regex, as this is much faster and way more robust
- Add support for Vimeo's Do Not Track parameter
2024-12-09 17:14:54 -08:00
Frédéric Guillot
c0f6e32a99
feat: remove well-known URL parameter trackers
2024-07-19 21:35:47 -07:00
JohnnyJayJay
ee5e18ea9f
sanitizer: add support for HTML `hidden` attribute
...
This commit adjusts the `Sanitize` function to skip tags with the
`hidden` attribute, similar to how it skips blocked tags and their
contents.
2024-06-21 14:00:40 -07:00
jvoisin
3d0126be0b
Speed the sanitizer up a bit, again
...
- allow youtube urls to start with `www`
- use `strings.Builder` instead of a `bytes.Buffer`
- use a `strings.NewReader` instead of a `bytes.NewBufferString`
- sprinkles a couple of `continue` to make the code-flow more obvious
- inline calls to `inList`, and put their parameters in the right order
- simplify isPixelTracker
- simplify `isValidIframeSource`, by extracting the hostname and comparing it
directly, instead of using the full url and checking if it starts with
multiple variations of the same one (`//`, `http:`, `https://` multiplied by
``/`www.`)
- add a benchmark
2024-03-05 19:31:50 -08:00
Kristof Mattei
0465f9b188
fix: tests for allow popups to escape sandbox
2023-12-10 16:59:58 -08:00
Frédéric Guillot
168a870c02
Move internal packages to an internal folder
...
For reference: https://go.dev/doc/go1.4#internalpackages
2023-08-10 20:29:34 -07:00