All notable changes to the Newsfeeds plugin are documented in this file.
Compatibility: e107 2.4 · PHP 7.4 – 8.4
- Selectable feed in the menu (
e_menu.php): the menu can now be configured in the Menu Manager to display a single chosen newsfeed instead of always showing all of them. A dropdown lists every active feed plus an "All newsfeeds" option (the default). newsfeed_menu.phpnow reads thenewsfeed_idmenu parameter and passes it tonewsfeedInfo(); when empty/0 it falls back to all feeds, so existing menu instances keep working unchanged.
- Fixed authentication bypass (
admin_config.php): the?action=refreshhandler was executed before thegetperms('P')permission check, so any visitor (including unauthenticated users) could force the server to fetch any configured feed URL. The handler now runs only after the permission check. - Added CSRF protection to the manual feed refresh: the refresh link now
carries an
e-tokenwhich is validated viae107::getSession()->checkFormToken()before the action runs. - Fixed stored/reflected XSS from RSS sources (
newsfeed_functions.php): values coming from a remote (and potentially malicious or compromised) RSS feed were written into HTML attributes without escaping. All feed, item, image and channel links plus the language value are now escaped withtoAttribute(), and feed/item titles are passed throughtoHTML().
- Fatal error in
e_help.php: it included a non-existent_admin_newsfeedlanguage file whileNFLAN_42/NFLAN_43live in_admin; corrected the include so viewing the plugin help no longer fatals on PHP 8. - Replaced
explode("::") + list()witharray_pad()to avoid "Undefined array key" warnings when the separator is missing. - Guarded
count()on the items list to avoid aTypeErrorwhen no items are present. - Guarded direct
$_GET['action']/$_GET['id']access and various RSS array keys / variables (varset(),!empty()) to remove undefined key/variable warnings. - Prevented redefinition of the cache-tag constants.
- Changes remain compatible with PHP 7.4 (no PHP 8-only syntax introduced).