Use str_starts_with/str_ends_with

code style: line breaks

Rector to rename print to echo calls

reformat /lib/exe/ folder

Apply rector fixes to lib/exe

opening up CSP headers for fetch.php resources

This drops the sandbox attribute as discussed in #3710 to re-enable
inline display of PDFs in Safari again.

Dropping the sandbox attribute should also

opening up CSP headers for fetch.php resources

This drops the sandbox attribute as discussed in #3710 to re-enable
inline display of PDFs in Safari again.

Dropping the sandbox attribute should also help with using navigational
links within SVG files as discussed in
https://forum.dokuwiki.org/d/20420-how-to-embed-svg-with-links-the-proper-way

It also allows the loading of fonts from within SVG files. This
currently does not allow font loading from google fonts as asked for
in #3709 though. I'm not sure if we should favor any font provider here.

show more ...

minor SVG improvements

* never try to use slika to resize SVGs - let the browser do it
* use object-fit:cover for all images - this properly crops inside the
browser if the backend didn't (like fo

minor SVG improvements

* never try to use slika to resize SVGs - let the browser do it
* use object-fit:cover for all images - this properly crops inside the
browser if the backend didn't (like for SVGs). currently dokuwiki
template only - might be worth moving to default styles
* show previews for SVGs in media manager

show more ...

Media CSP: omit script-src and add frame-ancestors

See comments for details:

https://github.com/splitbrain/dokuwiki/pull/3310#discussion_r506909727
https://github.com/splitbrain/dokuwiki/pull/3310#

Media CSP: omit script-src and add frame-ancestors

See comments for details:

https://github.com/splitbrain/dokuwiki/pull/3310#discussion_r506909727
https://github.com/splitbrain/dokuwiki/pull/3310#discussion_r506913304

show more ...

Restrictive Content-Security-Policy for media #1045

This adds a CSP header for all media delivered through our fetch.php
dispatcher. This should revent any scripts etc. to be executed when
scriptabl

Restrictive Content-Security-Policy for media #1045

This adds a CSP header for all media delivered through our fetch.php
dispatcher. This should revent any scripts etc. to be executed when
scriptable media, like SVG is used.

Suggestions on finetuning the policy are welcome.

The policy is added to the MEDIA_SENDFILE event, so plugins can easily
influence it. The way it is passed as an array should make it easier to
modify from plugins as well.

I put the mechanism to send the header into it's own class in the HTTP
namespace. Additional methods from inc/httputils could be moved here
later. The method might also be interesting for #2198 and #1676.

show more ...

add new "MEDIA_RESIZE" event

First go at moving the plugin classes into their own namespace

adjusted the Input clases for PSR2

They are now in their own namespace.

fix misspelled variable name,

Re-order parameters to not break other callers

Use original filename for Content-Disposition

In most cases this change will have no effect, but noes the response will use the filename that was originally requested. The downloaded filename can be

Use original filename for Content-Disposition

In most cases this change will have no effect, but noes the response will use the filename that was originally requested. The downloaded filename can be modified to something different as well. E.g. the siteexport plugin will make use of it.

show more ...

media image can be resized by height (without width)

Add check for token when resizing and caching external images

refactor fetch to support unittesting

add a token to fetch urls requiring image resize/crop to prevent external DDOS via fetch

there's no pragma: private

max-age not allowed with no-cache

adjusted cache=0 headers again

fixed passed cache parameter

handle public vs. private ressource in sendFile()

alternative fix for FS#2734