Skip to content

Latest commit

 

History

History
46 lines (39 loc) · 2.25 KB

File metadata and controls

46 lines (39 loc) · 2.25 KB

Changelog

All notable changes to the Newsfeeds plugin are documented in this file.

[2.2.0] - 2026-06-15

Compatibility: e107 2.4 · PHP 7.4 – 8.4

Added

  • Selectable feed in the menu (e_menu.php): the menu can now be configured in the Menu Manager to display a single chosen newsfeed instead of always showing all of them. A dropdown lists every active feed plus an "All newsfeeds" option (the default).
  • newsfeed_menu.php now reads the newsfeed_id menu parameter and passes it to newsfeedInfo(); when empty/0 it falls back to all feeds, so existing menu instances keep working unchanged.

Security

  • Fixed authentication bypass (admin_config.php): the ?action=refresh handler was executed before the getperms('P') permission check, so any visitor (including unauthenticated users) could force the server to fetch any configured feed URL. The handler now runs only after the permission check.
  • Added CSRF protection to the manual feed refresh: the refresh link now carries an e-token which is validated via e107::getSession()->checkFormToken() before the action runs.
  • Fixed stored/reflected XSS from RSS sources (newsfeed_functions.php): values coming from a remote (and potentially malicious or compromised) RSS feed were written into HTML attributes without escaping. All feed, item, image and channel links plus the language value are now escaped with toAttribute(), and feed/item titles are passed through toHTML().

Fixed (PHP 8.0 – 8.4 compatibility)

  • Fatal error in e_help.php: it included a non-existent _admin_newsfeed language file while NFLAN_42/NFLAN_43 live in _admin; corrected the include so viewing the plugin help no longer fatals on PHP 8.
  • Replaced explode("::") + list() with array_pad() to avoid "Undefined array key" warnings when the separator is missing.
  • Guarded count() on the items list to avoid a TypeError when no items are present.
  • Guarded direct $_GET['action'] / $_GET['id'] access and various RSS array keys / variables (varset(), !empty()) to remove undefined key/variable warnings.
  • Prevented redefinition of the cache-tag constants.

Notes

  • Changes remain compatible with PHP 7.4 (no PHP 8-only syntax introduced).