feeds-fun 1.22.3 → 1.22.5

package/codespell.toml

@@ -0,0 +1,2 @@
+[tool.codespell]
+ignore-words-list = "alltime,ontext"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "feeds-fun",
-  "version": "1.22.3",
+  "version": "1.22.5",
   "author": "Aliaksei Yaletski (Tiendil) <a.eletsky@gmail.com> (https://tiendil.org/)",
   "description": "Frontend for the Feeds Fun — web-based news reader",
   "keywords": [

package/src/components/SimplePagination.vue

@@ -2,13 +2,6 @@
   <div>
     {{ realShowEntries }} of {{ total }}
 
-    <button
-      class="ffun-form-button short ml-2"
-      v-if="canShowMore"
-      @click.prevent="showMore()">
-      next {{ realShowPerPage }}
-    </button>
-
     <button
       class="ffun-form-button short ml-2"
       v-if="canHide"
@@ -16,6 +9,13 @@
       >hide</button
     >
 
+    <button
+      class="ffun-form-button short ml-2"
+      v-if="canShowMore"
+      @click.prevent="showMore()">
+      next {{ realShowPerPage }}
+    </button>
+
     <div
       v-if="counterOnNewLine"
       style="line-height: 0.5rem"

package/src/components/tags/EntryTagsList.vue

@@ -85,14 +85,14 @@
         return 1;
       }
 
-      const aCount = properties.tagsCount[a];
-      const bCount = properties.tagsCount[b];
+      const leftTagCount = properties.tagsCount[a];
+      const rightTagCount = properties.tagsCount[b];
 
-      if (aCount > bCount) {
+      if (leftTagCount > rightTagCount) {
         return -1;
       }
 
-      if (aCount < bCount) {
+      if (leftTagCount < rightTagCount) {
         return 1;
       }
 

package/src/components/tags/TagsFilter.vue

@@ -97,14 +97,14 @@
     const counts = properties.tags;
 
     function tagComparator(a: string, b: string) {
-      const aCount = counts[a];
-      const bCount = counts[b];
+      const leftTagCount = counts[a];
+      const rightTagCount = counts[b];
 
-      if (aCount > bCount) {
+      if (leftTagCount > rightTagCount) {
         return -1;
       }
 
-      if (aCount < bCount) {
+      if (leftTagCount < rightTagCount) {
         return 1;
       }
 

package/src/layouts/SidePanelLayout.vue

@@ -165,7 +165,7 @@
 
     if (globalState.logoutConfirmed) {
       // Redirect to login page in case the user is not logged in.
-      // We redirect to login instead of the main page to be consisten
+      // We redirect to login instead of the main page to be consistent
       // with default API behavior on redirection in case of getting 401 status.
       api.redirectToLogin();
     }

package/src/logic/tests/utils.test.ts

@@ -0,0 +1,40 @@
+import {afterEach, describe, expect, it, vi} from "vitest";
+import DOMPurify from "dompurify";
+import {purifyBody, purifyTitle} from "@/logic/utils";
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+describe("purifyBody", () => {
+  it("sets required security attributes for links", () => {
+    const raw = '<a href="https://example.com" target="_self" rel="noopener" referrerpolicy="unsafe-url">Example</a>';
+
+    const purified = purifyBody({raw, default_: "No description"});
+
+    expect(purified).toContain('href="https://example.com"');
+    expect(purified).toContain('target="_blank"');
+    expect(purified).toContain('rel="noopener noreferrer nofollow"');
+    expect(purified).toContain('referrerpolicy="strict-origin-when-cross-origin"');
+  });
+});
+
+describe("purifyTitle", () => {
+  it("returns default value for null and empty values", () => {
+    expect(purifyTitle({raw: null, default_: "No title"})).toBe("No title");
+    expect(purifyTitle({raw: "   ", default_: "No title"})).toBe("No title");
+  });
+
+  it("sets required security attributes for links in sanitized output", () => {
+    vi.spyOn(DOMPurify, "sanitize").mockReturnValue(
+      '<a href="https://example.com" target="_self" rel="noopener" referrerpolicy="unsafe-url">Example</a>'
+    );
+
+    const purified = purifyTitle({raw: "Example title", default_: "No title"});
+
+    expect(purified).toContain('href="https://example.com"');
+    expect(purified).toContain('target="_blank"');
+    expect(purified).toContain('rel="noopener noreferrer nofollow"');
+    expect(purified).toContain('referrerpolicy="strict-origin-when-cross-origin"');
+  });
+});

package/src/logic/utils.ts

@@ -2,6 +2,25 @@ import _ from "lodash";
 import type * as t from "@/logic/types";
 import DOMPurify from "dompurify";
 
+const REQUIRED_LINK_ATTRIBUTES = {
+  target: "_blank",
+  rel: "noopener noreferrer nofollow",
+  referrerpolicy: "strict-origin-when-cross-origin"
+} as const;
+
+function hardenLinksSecurityAttributes(html: string) {
+  const parsed = new DOMParser().parseFromString(html, "text/html");
+  const links = parsed.body.querySelectorAll("[href]");
+
+  for (const link of links) {
+    link.setAttribute("target", REQUIRED_LINK_ATTRIBUTES.target);
+    link.setAttribute("rel", REQUIRED_LINK_ATTRIBUTES.rel);
+    link.setAttribute("referrerpolicy", REQUIRED_LINK_ATTRIBUTES.referrerpolicy);
+  }
+
+  return parsed.body.innerHTML;
+}
+
 export function timeSince(date: Date) {
   const now = new Date();
 
@@ -80,6 +99,8 @@ export function purifyTitle({raw, default_}: {raw: string | null; default_: stri
     return default_;
   }
 
+  title = hardenLinksSecurityAttributes(title);
+
   return title;
 }
 
@@ -94,6 +115,8 @@ export function purifyBody({raw, default_}: {raw: string | null; default_: strin
     return default_;
   }
 
+  body = hardenLinksSecurityAttributes(body);
+
   return body;
 }
 

package/src/stores/globalSettings.ts

@@ -73,7 +73,7 @@ export const useGlobalSettingsStore = defineStore("globalSettings", () => {
   // This dict is used for two purposes:
   // - To store settings that anonymous user changes while using the site.
   // - To close fast reactive loop after calling backendSettings.set.
-  //   Without this, setting a setting will cause weired and complex chain
+  //   Without this, setting a setting will cause weird and complex chain
   //   of (re)loading data from the backend.
   var settingsOverrides = ref<{[key in keyof any]: t.UserSettingsValue}>({});