spaze / michalspacek.cz
michalspacek.cz + michalspacek.com + subdomains source code because why not
License: MIT License
Font Awesome is an awesome font icon collection, but I should migrate away from it. I quite like @zraly's Humbleicons. They're SVG, can be embedded in HTML & MIT-licensed (although it's not mentioned on the site itself).
Need to explore whether the Humbleicons collection has all icons I use, or whether there are some viable alternatives. Currently, I use these icons, as extracted with spaze/fa-extract:
Used icons: array (
'fas' =>
array (
0 => 'asterisk',
1 => 'bolt',
2 => 'calendar',
3 => 'check',
4 => 'coins',
5 => 'external-link-square-alt',
6 => 'flag',
7 => 'images',
8 => 'key',
9 => 'link',
10 => 'map-marker-alt',
11 => 'microphone',
12 => 'moon',
13 => 'plus',
14 => 'project-diagram',
15 => 'rss-square',
16 => 'sun',
17 => 'tag',
18 => 'tags',
19 => 'times',
20 => 'video',
21 => 'wifi',
),
'far' =>
array (
0 => 'comment',
1 => 'comment-alt',
),
'fab' =>
array (
0 => 'creative-commons',
1 => 'creative-commons-by',
),
)
but all the HTML is there. This is because here the nextElementSibling matches only the next sibling, and not all next siblings. Will have to write some more code to get all next siblings and remove the hidden attribute from all of them.
So I could enable Trusted Types.
My /var/log/nginx/error.log contains a lot of
2021/12/29 07:36:55 [warn] 2119123#2119123: *27 upstream sent more data than specified in "Content-Length" header while reading upstream, client: 127.0.0.1, server: michalspacek.cz, request: "GET /exporty/clanky HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.1-fpm-michalspacek.cz.sock:", host: "www.michalspacek.cz"
The URL works fine, it's just that there's a lot of those in the log.
After a lot of experimentation, I was able to reproduce it with
curl -si --http1.1 --header "if-modified-since: Sat, 26 Jan 2022 20:29:14 GMT" --header "accept-encoding: gzip" https://www.michalspacek.cz/exporty/clanky
(All those options are required as specified, except the date, which needs to be specified in a way that triggers HTTP 304, and the accept-encoding: gzip header can be replaced with the --compressed option).
Running:
PHP 8.1.0 (cli) (built: Nov 25 2021 20:22:03) (NTS)
nginx version: nginx/1.21.5
As strange as it seems, it looks like nginx requires the Content-Length header from upstream when using gzip/deflate compression, and PHP/the framework doesn't send it for HTTP 304 responses. Adding the header in the framework's lastModified method here would be doable, but there's some exception for sending the Content-Length header with compression enabled here:
michalspacek.cz/site/vendor/nette/http/src/Http/Response.php
Lines 94 to 95 in 4fdf2b9
and this would need to be changed and possibly the exception removed if the bug doesn't apply anymore in supported PHP versions.
Or compression can be disabled for 304s.
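Before changing the framework or the nginx config, it helps to confirm that the warning really is confined to this one endpoint. Here is an added example (not code from the repository) that parses nginx error.log lines of the shape quoted above and counts each warn-level message per request line and upstream; the sample lines are constructed from the logged one.

```javascript
// Added example (not the site's own code): parse nginx error.log lines of the
// shape quoted above and count each warning per request/upstream, to confirm
// the noise is confined to one endpoint before touching the framework.
const NGINX_ERROR_LINE =
  /^(\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (\d+)#(\d+): (?:\*(\d+) )?(.*)$/;
const CONTEXT_FIELDS = /, (client|server|request|upstream|host): (?:"([^"]*)"|([^,]*))/g;
const FIRST_CONTEXT = /, (?:client|server|request|upstream|host): /;

function parseNginxErrorLine(line) {
  const m = NGINX_ERROR_LINE.exec(line);
  if (!m) return null;
  let message = m[6];
  const context = {};
  // The free-text message ends where the first "key: value" context field starts.
  const at = message.search(FIRST_CONTEXT);
  if (at >= 0) {
    for (const f of message.slice(at).matchAll(CONTEXT_FIELDS)) {
      context[f[1]] = f[2] !== undefined ? f[2] : f[3];
    }
    message = message.slice(0, at);
  }
  return {
    time: m[1], level: m[2], pid: Number(m[3]), tid: Number(m[4]),
    connection: m[5] === undefined ? null : Number(m[5]), message, context,
  };
}

// Count warn-level lines keyed by message, request line and upstream.
function countWarnings(lines) {
  const counts = new Map();
  for (const line of lines) {
    const e = parseNginxErrorLine(line);
    if (!e || e.level !== 'warn') continue;
    const key = [e.message, e.context.request ?? '-', e.context.upstream ?? '-'].join(' | ');
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// Constructed sample input: the line from the log above, a repeat of it, and
// an unrelated error line (constructed) that must not be counted.
const SAMPLE_LINES = [
  '2021/12/29 07:36:55 [warn] 2119123#2119123: *27 upstream sent more data than specified in "Content-Length" header while reading upstream, client: 127.0.0.1, server: michalspacek.cz, request: "GET /exporty/clanky HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.1-fpm-michalspacek.cz.sock:", host: "www.michalspacek.cz"',
  '2021/12/29 07:41:02 [warn] 2119123#2119123: *31 upstream sent more data than specified in "Content-Length" header while reading upstream, client: 127.0.0.1, server: michalspacek.cz, request: "GET /exporty/clanky HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.1-fpm-michalspacek.cz.sock:", host: "www.michalspacek.cz"',
  '2021/12/29 07:42:10 [error] 2119123#2119123: *33 open() "/srv/www/missing.txt" failed (2: No such file or directory), client: 127.0.0.1, server: michalspacek.cz, request: "GET /missing.txt HTTP/1.1", host: "www.michalspacek.cz"',
];
```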
In #90 I accidentally added passwordrules to username instead of password:
This seems like a good idea to %subj%
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
Partial stack trace:
File: .../srv/www/michalspacek.cz/site/app/UpcKeys/UpcKeys.php:36
26: /** @var RouterInterface[] */
27: private array $routers;
28:
29: /** @var string[]|null */
30: private ?array $prefixes = null;
31:
32: /** @var array<string, array<int, string>>|null */
33: private ?array $modelsWithPrefixes = null;
34:
35:
36: public function __construct(RouterInterface ...$routers)
37: {
38: foreach ($routers as $router) {
39: $this->routers[$router::class] = $router;
40: }
.../temp/cache/nette.configurator/Container_109e499896.php:2782
2772:
2773:
2774: public function createService0126(): MichalSpacekCz\UpcKeys\Ubee
2775: {
2776: return new MichalSpacekCz\UpcKeys\Ubee($this->getService('database.upcKeys.context'), 'Ubee EVW3226', ['UAAP']);
2777: }
2778:
2779:
2780: public function createService0127(): MichalSpacekCz\UpcKeys\UpcKeys
2781: {
2782: return new MichalSpacekCz\UpcKeys\UpcKeys(routers: [$this->getService('0125'), $this->getService('0126')]);
2783: }
2784:
2785:
2786: public function createService0128(): MichalSpacekCz\User\Manager
I think this started after updating nette/di in #93, there was a change in handling variadics in 3.1.2.
Previously, the generated container looked like:
public function createService0127(): MichalSpacekCz\UpcKeys\UpcKeys
{
return new MichalSpacekCz\UpcKeys\UpcKeys($this->getService('0125'), $this->getService('0126'));
}
Now it looks like:
public function createService0127(): MichalSpacekCz\UpcKeys\UpcKeys
{
return new MichalSpacekCz\UpcKeys\UpcKeys(routers: [$this->getService('0125'), $this->getService('0126')]);
}
The app is running PHPStan on level 8 for quite some time already (5cc25c4) and now even on level 9 #147, so let's see how far I can bring the Latte extensions.
PHPStan Latte Levels and PRs:
Lnil:
L0:
L1:
L2:
L3:
L4:
L5:
L6:
L7:
L8:
L9:
+ Bleeding Edge:
Some bugs discovered later by, for example, newer versions of the PHPStan Latte extension:
symfony/process was moved to require-dev after symfony/filesystem v7.0.7 has been released and updated in #305
Once a newer symfony/filesystem is released, b262161 can be reverted and this can be safely removed from replace:
michalspacek.cz/site/composer.json
Line 60 in dd64b03
Tracking issue for:
Typed property MichalSpacekCz\Articles\Blog\BlogPost::$edits must not be accessed before initialization
File: .../Articles/Blog/BlogPostPreview.php:34
A regression introduced in #137 commit 18b1d2a, here:
- $template->edits = $post->postId ? $this->blogPosts->getEdits($post->postId) : [];
+ $template->edits = $post->postId ? $post->edits : [];
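Review bot: `$post->edits` is a typed property that is not guaranteed to be initialized when `BlogPostPreview` builds the template, which is exactly the "must not be accessed before initialization" error reported above, whereas the removed `$this->blogPosts->getEdits($post->postId)` call always produced a value. Either make sure `$edits` is set on every `BlogPost` that reaches the preview (including the `postId`-less case), or keep `getEdits()` as the source for the preview path.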
GitHub is deprecating and subsequently removing some Actions functionality I use, see for example these workflow run annotations.
"Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16" ("We plan to migrate all actions to run on Node16 by Summer 2023.")
Should update these actions:
"The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/" (Resolved in actions/upload-artifact 3.1.1, updating to that or newer version will remove the warnings)
"The save-state command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/" (This is resolved in actions/cache 3.0.11, updating as per 1. will remove the annotation warnings)
In #37/#39 I've upgraded some GitHub Actions to not throw deprecation warnings but some actions are still using those deprecated commands and runtimes:
mbogh/test-ssl-action@v2 uses the node12 runtime; once upgraded to use node16, the deprecation warning should disappear
mbogh/test-ssl-action#3 mbogh/test-ssl-action#4
Done in #198
symfonycorp/security-checker-action@v4 uses set-output
Done in #231
These should be upgraded too, once their new versions become available.
The $placeholder param should be called something else because it's not a placeholder but more like a placeholder param or something.
Also getPlaceholder should be called something like "placeholder id" or something, because a placeholder is the whole thing (e.g. **TRAINING_DATE:security**).
DOM XSS sink here:
The report
{
"blockedURL": "trusted-types-sink",
"columnNumber": 23,
"disposition": "report",
"documentURL": "https://admin.michalspacek.cz/blog/edit/74",
"effectiveDirective": "require-trusted-types-for",
"lineNumber": 207,
"originalPolicy": "require-trusted-types-for 'script'; report-uri https://plz.report-uri.com/r/default/csp/enforce; report-to default",
"referrer": "https://admin.michalspacek.cz/blog",
"sample": "Element innerHTML|<div id=\"header-icons\">\n\t<div>\n<svg xmln",
"sourceFile": "https://www.michalspacek.cz/i/build/zG-zkuF9IZW6XMjdV7Tl2ALNoo7Rdp59drTXxSR5AOo.js",
"statusCode": 200
}
Tracking issue for:
Once moved to Latte 3.0.1 or newer, remove the initialization part from latte-lint
michalspacek.cz/site/bin/latte-lint.php
Lines 19 to 23 in 1bedcc6
Because it has been moved to the Linter class here nette/latte@58f9974
This can also be removed then
michalspacek.cz/site/phpstan.neon
Lines 7 to 12 in 1bedcc6
Certmonitor started throwing errors for newly issued certificates:
2023-07-05T04:52:34+02:00 xss.sk ERROR: Logged certificate's notAfter (2023-10-01T13:28:25+02:00, in 88 days) doesn't match 52.211.207.55 certificate's notAfter (2023-10-01T13:28:25+00:00, in 88 days)
That's a regression introduced in #155 commit da519cb, here:
- $start = NetteDateTime::from($cert['start']);
- $expiry = NetteDateTime::from($cert['expiry']);
and here:
+ 'not_before' => $cert->getNotBefore(),
+ 'not_after' => $cert->getNotAfter(),
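Review bot: the `getNotBefore()`/`getNotAfter()` values introduced here are persisted without their offset, and the earlier `NetteDateTime::from($cert['start'])`/`from($cert['expiry'])` path that went away was what kept logged and observed values comparable; the log line above shows the consequence, the same wall-clock time with +02:00 on one side and +00:00 on the other. Normalize both values to UTC (or store the offset alongside them) before they are logged, and compare on the normalized instant rather than on the local wall-clock time.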
The server is running with timezone Europe/Prague set, not UTC, so the timezone was lost with that change. Logged certificates don't have timestamp saved with their not before/not after.
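As an added example (not the monitor's own code), the following compares notAfter values as instants instead of wall-clock strings and shows the UTC form that survives a round trip regardless of the server's default timezone; the values come from the log line above, and the message format is this example's own.

```javascript
// Added example (not the site's code): compare certificate notAfter values as
// instants rather than wall-clock strings, and persist them in UTC so the
// server's default timezone cannot silently shift them the way the
// Certmonitor regression above did.
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse an ISO-8601 timestamp, refusing values without an explicit offset:
// a naive wall-clock time is exactly what lost the timezone in the regression.
function parseInstant(iso) {
  if (!/(?:Z|[+-]\d{2}:\d{2})$/.test(iso)) {
    throw new TypeError(`timestamp lacks a UTC offset: ${iso}`);
  }
  const ms = Date.parse(iso);
  if (Number.isNaN(ms)) throw new TypeError(`unparseable timestamp: ${iso}`);
  return ms;
}

function sameInstant(a, b) {
  return parseInstant(a) === parseInstant(b);
}

// Canonical form to store: always UTC, so "no offset" is no longer ambiguous.
function toUtcIso(iso) {
  return new Date(parseInstant(iso)).toISOString().replace(/\.\d{3}Z$/, 'Z');
}

function daysUntil(iso, nowMs) {
  return Math.floor((parseInstant(iso) - nowMs) / MS_PER_DAY);
}

// Mirrors the monitor's check: null when both sides agree, otherwise a message
// in the style of the log line above (the wording here is this example's own).
function checkNotAfter(host, ip, loggedIso, observedIso, nowMs) {
  if (sameInstant(loggedIso, observedIso)) return null;
  return `${host} ERROR: Logged certificate's notAfter (${loggedIso}, in ${daysUntil(loggedIso, nowMs)} days)`
    + ` doesn't match ${ip} certificate's notAfter (${observedIso}, in ${daysUntil(observedIso, nowMs)} days)`;
}
```

Note that both sides of the logged mismatch read "in 88 days" because the day count hides the two-hour difference; comparing the parsed instants does not.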
Add security policy that's already in README.
Tracking issue for:
Followup to #53 (Upgrade to PHP 8.2)
Let's Encrypt has now enabled the CAA extensions in prod.
Here's how to find the account id (remember it may be different on each machine and that is probably a good idea)
but if using recent Certbot (I am) there's an easier way with certbot show_account (there's a PR for Let's Encrypt docs, not merged however)
And the list of challenge types for the validationmethods field might also be handy.
Tracking issue for:
Try running PHPStan with https://github.com/efabrica-team/phpstan-latte
If successful, add a composer script and run it on GitHub Actions.
Current blockers:
Because it's not needed anymore.
Caused by making App always available in #108.
Which means stop using jQuery, mostly.
Resources:
fetch() is not as straightforward (to replace $.ajax({..., timeout: 10000}))
scroll-behavior & Element.scrollIntoView() to replace $('html, body').animate({scrollTop: ...})
Subtasks:
I missed something when migrating off Font Awesome in #43
After #96, when visiting https://www.michalspacek.cz/pgp, Chrome says
xEaskxPEAg5Szxqu7HN-bNgegbp8vkqEhZ9a56vVXy8.js:37 [Report Only] This document requires 'TrustedScriptURL' assignment.
This is where I load OpenPGP.js asynchronously, when clicking the Encrypt button, or focusing the text area etc.:
The script element's src attribute is considered a DOM XSS injection sink, so either a TrustedScriptURL object created by createScriptURL() is required or the loading should be refactored somehow.
I could start using Trusted Types but would need to still support browsers that do not yet support it (e.g. Firefox) but frankly, this isn't a user input as such (although I understand why the violation is triggered) so I'd rather not complicate it.
Maybe just moving the <script> tag from <head> and loading both encryption.js & openpgp.js at the bottom of the page would be enough. This way, each page visit would load openpgp.js as opposed to loading it only when clicking the button/the textarea, but it wouldn't block the renderer. Bandwidth-wise, I've saved a lot more by dropping jQuery in #57.
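The on-demand loading can be kept without dropping browsers that lack Trusted Types. Here is an added example (not the site's own code) of a loader whose policy only ever produces same-origin URLs under the build path; the origin and the /i/build/ prefix are assumptions taken from the violation report earlier on this page, and the policy name is made up.

```javascript
// Added example, not the site's own code: a loader for bundles like
// openpgp.js that satisfies `require-trusted-types-for 'script'` where the
// API exists and degrades to a validated plain string elsewhere (e.g. Firefox).
// The origin and /i/build/ prefix are assumptions taken from the report above.
const SCRIPT_ORIGIN = 'https://www.michalspacek.cz';
const SCRIPT_PATH_PREFIX = '/i/build/';

// The allow-list is the actual control: only same-origin .js files under the
// build path are accepted, whether or not Trusted Types are enforced.
function checkScriptUrl(url) {
  const parsed = new URL(url, SCRIPT_ORIGIN);
  const ok = parsed.origin === SCRIPT_ORIGIN
    && parsed.pathname.startsWith(SCRIPT_PATH_PREFIX)
    && parsed.pathname.endsWith('.js');
  if (!ok) throw new TypeError(`refusing to load script from ${url}`);
  return parsed.href;
}

let policy = null;
function getPolicy() {
  const tt = globalThis.trustedTypes;
  if (!tt) return null; // browser without Trusted Types: plain strings are accepted
  if (!policy) policy = tt.createPolicy('script-loader', { createScriptURL: checkScriptUrl });
  return policy;
}

// Value to assign to script.src: a TrustedScriptURL where supported, else the
// validated absolute URL string.
function makeScriptUrl(url) {
  const p = getPolicy();
  return p ? p.createScriptURL(url) : checkScriptUrl(url);
}

// Browser entry point: inject the bundle on demand (e.g. when the Encrypt
// button is clicked or the textarea focused) instead of from <head>.
function loadScript(url) {
  return new Promise((resolve, reject) => {
    const el = document.createElement('script');
    el.src = makeScriptUrl(url);
    el.async = true;
    el.onload = () => resolve(el);
    el.onerror = () => reject(new Error(`failed to load ${url}`));
    document.head.appendChild(el);
  });
}
```

If the CSP also carries a trusted-types directive, the policy name used here must be listed in it.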
These should be resolved before migrating to PHP 8.0:
Something something country code
Running tests on PHP 8.3.2 gives:
-- FAILED: Tls/CertificateFactoryTest.phpt
Exited with error code 255 (expected 0)
Warning: Private methods cannot be final as they are never overridden by other classes in /home/runner/work/michalspacek.cz/michalspacek.cz/site/vendor/nette/di/src/DI/Config/Helpers.php on line 19
Warning: Private methods cannot be final as they are never overridden by other classes in /home/runner/work/michalspacek.cz/michalspacek.cz/site/vendor/nette/schema/src/Schema/Helpers.php on line 19
See php/php-src#13177 & php/php-src#12857
This was fixed in nette/utils 4.0.4 by just removing the final keyword, nette/utils@fba3961 (which is valid, see the PHP bugs).
michalspacek.cz/site/phpstan-latte-templates.neon
Lines 8 to 9 in 01d1fc3
Originally introduced in #68 and no longer needed because efabrica-team/phpstan-latte#304 (efabrica-team/phpstan-latte#307 docs) adds something useful (released in 0.6.0).
nette/http 3.2 has deprecated magic accessors & ArrayAccess in SessionSection. I've updated to the version in #52.
Psalm (#205) detects it, and shows the info when executed as ./vendor/bin/psalm.phar --show-info=true:
INFO: DeprecatedMethod - app/Www/Presenters/TrainingsPresenter.php:119:15 - The method Nette\Http\SessionSection::__get has been marked as deprecated (see https://psalm.dev/001)
$session->application,
Tracking issue for:
So I could enable Trusted Types.
With
latte:
    strictParsing: true
in here somewhere
michalspacek.cz/site/config/common.neon
Lines 38 to 39 in 906f34b
Also enable strict mode for the linter, there's a new constructor param now:
nette/latte@10a57e1#diff-7bddd570477ad9caaa114109f50c895a48508b1b966b7dae4ae67dad34e5bb48R28
And also the script uses the --strict param:
nette/latte@57ed322
which I should probably also add to the workflow file, possibly hardcode it.
See https://blog.nette.org/en/latte-news-linter-and-strict-mode
All major browsers have removed their support already
In #51 & #68 I added basic PHPStan tests for Latte templates, running on level nil. #79 upgrades to level 0.
Should switch to level 1 so that undefined variables etc. are also detected.
Hi, we are collecting interesting errors which phpstan-latte found in our applications. I want to ask you if there were some real bugs found or just some annoying errors which meant you have to rewrite your working app.
After #155, MichalSpacekCz\ShouldNotHappenException: No original request is thrown in
When visiting URLs like https://www.michalspacek.cz/.env
This is because previously a different exception was thrown and catch'd:
So I could enable Trusted Types.
This replaces only the first occurrence of '\r'.
Tracking issue for: