favoritter

olemd/favoritter

Fork 0

Commit graph

Author	SHA1	Message	Date
Ole-Morten Duesund	395b1b7523	fix: address security and quality issues from code review Security fixes: - Fix XSS in Atom feed: escape user-supplied URLs in HTML content - Wrap signup request approval in a transaction to prevent partial state on crash (user created but request still pending) - Stop leaking internal error messages to admin UI - Add request body size limit on API import endpoint - Log SetMustResetPassword errors instead of silently discarding Correctness fixes: - Handle errors from API fave update/delete instead of returning success on failure - Use actual data timestamp for feed <updated> instead of time.Now() (improves HTTP caching) - Replace hardcoded 10000 export limit with named constant (maxExportFaves = 100000) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-29 16:19:44 +02:00
Ole-Morten Duesund	4e9db3f995	feat: add Atom feeds and JSON/CSV import/export Phase 5 — Feeds & Import/Export: - Atom feeds: global (/feed.xml), per-user (/u/{name}/feed.xml), per-tag (/tags/{name}/feed.xml). Uses gorilla/feeds. - JSON export: all user's faves with tags, pretty-printed - CSV export: standard format with header row - JSON import: validates and creates faves with tags - CSV import: flexible column mapping from header row - Import/export pages with format documentation - Feed items include enclosure for images, author info - Limited-visibility profiles excluded from feeds Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-29 16:11:44 +02:00

Author

SHA1

Message

Date

Ole-Morten Duesund

395b1b7523

fix: address security and quality issues from code review

Security fixes:
- Fix XSS in Atom feed: escape user-supplied URLs in HTML content
- Wrap signup request approval in a transaction to prevent
  partial state on crash (user created but request still pending)
- Stop leaking internal error messages to admin UI
- Add request body size limit on API import endpoint
- Log SetMustResetPassword errors instead of silently discarding

Correctness fixes:
- Handle errors from API fave update/delete instead of returning
  success on failure
- Use actual data timestamp for feed <updated> instead of
  time.Now() (improves HTTP caching)
- Replace hardcoded 10000 export limit with named constant
  (maxExportFaves = 100000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-29 16:19:44 +02:00

Ole-Morten Duesund

4e9db3f995

feat: add Atom feeds and JSON/CSV import/export

Phase 5 — Feeds & Import/Export:
- Atom feeds: global (/feed.xml), per-user (/u/{name}/feed.xml),
  per-tag (/tags/{name}/feed.xml). Uses gorilla/feeds.
- JSON export: all user's faves with tags, pretty-printed
- CSV export: standard format with header row
- JSON import: validates and creates faves with tags
- CSV import: flexible column mapping from header row
- Import/export pages with format documentation
- Feed items include enclosure for images, author info
- Limited-visibility profiles excluded from feeds

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-29 16:11:44 +02:00

2 commits