• Milestone

This is a security-fix and bug-fix release for FreshRSS 1.27.x.

A few highlights ✨:

• Keep sort and order criteria after marking as read
• Automatic database recovery: skip broken entries during CLI export/import
• Add possibility of Docker healthcheck
• Add security option for CSP frame-ancestors
• Several security fixes
• Several bug fixes
• New translation to Ukrainian
• Improvements of some themes
• And much more…

This release has been made by @Alkarex, @Frenzie, @Inverle, @aledeg, @math-GH and newcomers @beerisgood, @nykula, @horvi28, @nhirokinet, @rnkln, @scmaybee.

Full changelog:

• Features
  • Automatic database recovery: skip broken entries during CLI export/import #7949
  • Add security option for CSP frame-ancestors #7857, #8021
  • Lazy-load <track src> #7997
• Security
  • Regenerate session ID on login #7829
  • Disallow setting non-existent language #7878, #7934
  • Safer calling of install.php #7971
  • Prevent log CR/LF injection #7883
  • Restrict allowed cURL parameters #7979, #8009
  • Fix reauthentication while updating #7989
  • Fix some CSRFs #8000
• Bug fixing
  • Include port number for HTTP Retry-After #7875
  • Fix logic for searching labels #7863
  • Fix cURL response parsing for HTTP redirections #7866
  • Fix fetching OPML URL with special characters #7843
  • Fix validation when creating a new user label #7890
  • Fix bug in user self-deletion #7877
  • Fix displaying of current date in main statistics #7892
  • Fix default values on stat processing #7891
  • Fix UI JavaScript error when navigating to last article with keyboard #7957
  • Fix some links in anonymous mode #8011, #8012
  • Fixes for no-cache.txt #7907
  • Fix Docker Traefik .yml and SERVER_DNS example #7858
• SimplePie
  • Upstream contribution: Normalize encoding uppercase simplepie#936, #7967
  • Sync upstream, including bump to 1.9.0 with better PHP 8.5+ support #7955
• Deployment
  • Docker improve CMD compatibility #7861
  • Add possibility of Docker healthcheck #7945
• UI
  • Keep sort and order after marking as read #7974
  • Improve leave validation #7830
  • Improve Origine theme visibility of toggle buttons #7956
  • Improve Dark pink theme #8020
  • Improve Mapco and Ansum themes: read all button in mobile view #7873
  • Improve Swage theme #7608
  • Use standard CSS overflow-wrap instead of word-wrap #7898
  • Various UI and style improvements: #7868, #7872,
    #7882, #7893, #7904,
    #7952
• I18n
  • Clarify the concepts of visibility hidden vs. archived in feeds settings #7970
  • Translate the API information page #7922
  • Add a default language constant #7933
  • Label config delete label #7871
  • Add Ukrainian #7961
  • Improve Dutch #7940
  • Improve German #7833
  • Improve Hungarian #7986
  • Improve Japanese #7903, #7918
  • Improve Polish #7963
  • Improve Simplified Chinese #7943, #7944
  • Minor improvements #7881
  • Add CLI command to add i18n file #7917
  • Add make target to generate the translation progress #7905
• Extensions
  • Add entry_before_update and entry_before_add hooks for extensions #7977
• Misc.
  • Improve make #7901
  • Improve PHP code #7906, #7916, #7939,
    #7941, #7960, #7991
  • Upgrade to PHP_CodeSniffer 4 #7993
  • Update dev dependencies #7902, #7895, #7896,
    #7899, #7966, #7969

• Milestone

A few highlights ✨:

• Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After
• Add sort by category title, or by feed title
• Add search operator c: for categories like c:23,34 or !c:45,56
• Custom feed favicons
• Several security improvements, such as:
  • Implement reauthentication (sudo mode)
  • Add Content-Security-Policy: frame-ancestors
  • Ensure CSP everywhere
  • Fix access rights when creating a new user
• Several bug fixes, such as:
  • Fix redirections when scraping from HTML
  • Fix feed redirection when coming from WebSub
  • Fix support for XML feeds with HTML entities, or encoded in UTF-16LE
• Docker alternative image updated to Alpine 3.22 with PHP 8.4 (PHP 8.4 for default Debian image coming soon)
• Start supporting PHP 8.5+
• And much more…

This release has been made by @Alkarex, @Inverle, @the7thNightmare and newcomers @Deioces120, @Fraetor, @Tarow, @dotsam, @hilariousperson, @pR0Ps, @triatic, @tryallthethings

Full changelog:

• Features
  • Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After #7760
  • Add sort by category title, or by feed title #7702
  • Add search operator c: for categories like c:23,34 or !c:45,56 #7696
  • Custom feed favicons #7646, #7704, #7717,
    #7792
  • Rework fetch favicons for fewer HTTP requests #7767
  • Add more unicity criteria based on title and/or content #7789
  • Automatically restore user configuration from backup #7682
  • API add support for states in s parameter of streamId #7695
  • Improve sharing via Print #7728
  • Redirect to the login page from bookmarklet instead of 403 #7782
  • Clean local cache more often, when refreshing feeds #7827
• Security
  • Implement reauthentication (sudo mode) #7753
  • Add Content-Security-Policy: frame-ancestors #7677
  • Ensure CSP everywhere #7810
  • Show warning when unsafe CSP policy is in use #7804
  • Fix access rights when creating a new user #7783
  • Improve security of form for user details #7771, #7786
  • Disallow setting non-existent theme #7722
  • Regenerate cookie ID after logging out #7762
  • Require current password when setting new password #7763
  • Add missing access checks for feed-related actions #7768
  • Strip more unsafe attributes such as referrerpolicy, ping #7770
  • Remove unneeded execution permissions #7802
• Bug fixing
  • Fix redirections when scraping from HTML #7654, #7741
  • Fix multiple authentication HTTP headers #7703
  • Fix HTML queries with a single feed #7730
  • WebSub: only perform a redirection when coming from WebSub #7738
  • Include enclosures in entries’ hash #7719
    • Negative side-effect: users of the option to automatically mark updated articles as unread will once have some articles with enclosures re-appear as unread
  • Fix cancellation of slider exit UI #7705
  • Honor disable update on update page #7733
  • Fix no registration limit setting #7751
  • Fix XML encoding of sharing functions #7822
• SimplePie
  • Fix propagation of HTTP error codes #7670
  • Fix support for XML feeds with HTML entities #7689, simplepie#915
  • Fix feeds encoded in UTF-16LE #7691, simplepie#916
  • Various upstream contributions simplepie#917, simplepie#924,
    simplepie#926, simplepie#932, simplepie#933
  • Sync upstream #7706, FreshRSS/simplepie#45, #7775,
    FreshRSS/simplepie#50, #7824, #7825,
  • Fix regex Backtrack limit was exhausted in clean_hash() #7813, FreshRSS/simplepie#48
• Deployment
  • Docker default image (Debian 12 Bookworm) updated to PHP 8.2.29 #7805
  • Docker alternative image updated to Alpine 3.22 with PHP 8.4.11 and Apache 2.4.65 #7740, #7740,
    #7803
  • Start supporting PHP 8.5+ #7787, #7826
    • Docker Alpine dev image :newest updated to PHP 8.5-alpha and Apache 2.4.65 #7773
  • Docker: interpolate FRESHRSS_INSTALL and FRESHRSS_USER variables #7725
  • Docker: Reduce how much data needs to be chown/chmod’ed on container startup #7793
  • Test for database PDO typing support during install (relevant for MySQL / MariaDB with obsolete driver) #7651
• Extensions
  • Add API endpoint for extensions #7576
  • Expose the reading modes for extensions #7668, #7688
  • New extension hook before_login_btn #7761
• UI
  • Improve mark as read request showing popup due to onbeforeunload #7554
  • Fix lazy-loading for <video poster="..."> and <image> #7636
  • Avoid styling <code> inside of <pre> #7797
  • Improve confirmation logic with data-auto-leave-validation #7785
  • Update chart.js to 4.5.0 #7752, #7816
  • Various UI and style improvements: #7616, #7811
• I18n
  • Show translation status in README #7715
  • Improve Indonesian #7654, #7721
  • Improve Persian #7795
• Misc.
  • Improve PHP code #7642, #7665, #7761,
    #7781, #7794
  • Update dev dependencies #7708, #7709, #7710,
    #7711, #7776, #7777