2905 Commits

Author SHA1 Message Date
Adam Warner 8330a7b3bb Merge commit from fork
Alternative advisory fix, including the fix for the Lua function
2026-04-03 16:52:14 +01:00
yubiuser 74f68fba89 Remove the loggingButton from Settings > System > Actions
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-03-25 08:23:18 +01:00
Dominik 5d16e2c44a fix: check on responseJSON when wrong password (#3693) 2026-03-25 06:34:14 +01:00
RD WebDesign 973900bfeb Fix sanitize_hostname() function (Lua) to escape invalid hostnames
The new function uses a single str:gsub() call with multiple replacements,
which is a lot faster than multiple calls with single string replacement.

Fix: https://github.com/pi-hole/web/security/advisories/GHSA-pg2q-335w-h75w

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-03-19 19:38:47 -03:00
RD WebDesign 4f5bdd1fae Escape output on Queries page, to avoid Stored HTML Injection
Fix: https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-03-19 19:38:36 -03:00
RD WebDesign b8c35e230f Escape values and keys on Settings All page, to avoid possible stored XSS
Fix: https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-03-19 19:38:35 -03:00
RD WebDesign e82df84638 Escape hostnames and IP addresses to avoid Stored XSS on network page and
charts tooltips (dashboard page)

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-03-19 19:38:26 -03:00
yubiuser 4c1d8f9a37 Show loading overlay when adding/removing CNAME records as it requires a FTL restart (#3742) 2026-03-19 00:08:02 +01:00
yubiuser 68542383ea Apply suggestions from code review
Co-authored-by: RD WebDesign <github@rdwebdesign.com.br>
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-03-16 22:06:16 +01:00
yubiuser c02e66fe04 Fix xo errors
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-03-16 08:55:20 +01:00
RD WebDesign eacf8cdaf4 Escape output on taillog.js to avoid Reflected XSS
Fix: https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-03-12 21:41:10 -03:00
yubiuser 0f8279f924 Show loading overlay when adding/removing CNAME records as it requires a FTL restart
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-03-08 21:07:03 +01:00
yubiuser da33c9f59d Do not try to compare component version when remote version info is not available (#3729) 2026-03-08 18:25:09 +01:00
RD WebDesign 02108a0ce1 Print just one message on the footer asking to run "pihole updatechecker"
instead of adding "Latest: N/A" per component, when at least one Pi-hole
component is missing the remote version info.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-03-07 18:10:07 -03:00
yubiuser 561f9c1ab7 Remove redundant setting of variables
Co-authored-by: RD WebDesign <github@rdwebdesign.com.br>
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-02-26 20:19:02 +01:00
yubiuser d985829a23 Apply suggestion from @rdwebdesign
Show the link if the version matches a date based tag

Co-authored-by: RD WebDesign <github@rdwebdesign.com.br>
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-02-26 20:15:04 +01:00
yubiuser de2e577549 Add hint that remote version could not be checked
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-02-23 13:42:09 +01:00
yubiuser 81623fc1bf Do not try to compare component version when remote version info is not available
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-02-23 13:27:10 +01:00
yubiuser edee7b9654 Don't link to github releases if docker tag is nightly
Signed-off-by: yubiuser <github@yubiuser.dev>
2026-02-16 12:25:46 +01:00
Adam Warner 192d96ff11 Accidentally a ;
Also fix Unnecessary use of boolean literals in conditional expression.

Co-authored-by: RD WebDesign <github@rdwebdesign.com.br>
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2026-02-15 17:55:55 +00:00
Adam Warner d328f14371 Merge commit from fork
Use `.dataset` to avoid passing untrusted data to HTML button
2026-02-15 17:45:54 +00:00
Adam Warner 1a0c6f4fe6 Merge commit from fork
Escape `data.x_forwarded_for` value before inserting it into the DOM
2026-02-15 17:45:39 +00:00
Dominik fdbba6b965 Use the properties earliest_timestamp and earliest_timestamp_disk provided by FTL (on related branch) to avoid having to call the (very heavy) GET /info/database endpoint just for sourcing the earliest timestamps in the database
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-02-08 10:09:07 +01:00
Guybrush aka Gabriele Labita 0b4cf3c7bb fix: check for server unreachable error.
Signed-off-by: Guybrush aka Gabriele Labita <gabriele.labita@linux.it>
2026-01-15 22:29:07 +01:00
RD WebDesign 053cfb2180 Escape data.x_forwarded_for value before inserting it into the DOM
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-01-09 17:56:12 -03:00
RD WebDesign 2378ebad6b Use a different approach to create the delete button
- use `createElement()` to create the button
- add data-* attributes using `.dataset`

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2026-01-09 17:18:46 -03:00
Rob Gill a83229096d Set the end date for live query update to end of epoch
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
2025-12-04 17:31:15 +10:00
Adam Warner e2d711f547 Request ANSI colour codes when calling gravity API
Add the 'color=true' query parameter to the gravity API call so that the
FTL backend will include ANSI escape codes for terminal color output.

This works in conjunction with FTL changes that make color codes opt-in
rather than always-on.

Addresses: pi-hole/FTL#2671
2025-11-19 21:28:47 +00:00
Adam Warner 77b3833fa6 Use the start of day for past 7 and 30 days
No need to check for null on endofTime, it will always have a value

Co-authored-by: yubiuser <github@yubiuser.dev>
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2025-11-19 20:06:57 +00:00
Adam Warner 1b509593c9 Treat 0.0 response as NULL. Also get the in-memory timestamp, and then use whichever of the two timestamps is smallest (and non-zero)
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2025-11-12 23:11:53 +00:00
Adam Warner 0f76df92b9 Refactor date range initialization to fetch earliest timestamp from API and set default values
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2025-11-10 00:00:08 +00:00
RD WebDesign 5e3000c141 Make sure the table is redrawn after the dnssec API call returns
Without this, the icons won't show up on the initial table draw because the
asynchronous AJAX call usually only completes after that.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-10-29 18:04:49 -03:00
RD WebDesign 356666122b Remove unused filter_dnsmasq_warnings=true option
Also remove the old code used to read hideNonfatalDnsmasqWarnings_chkbox
from localstorage. This value was a leftover from v5 web interface.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-10-27 19:50:17 -03:00
Adam Warner 4159aaade6 Merge commit from fork
HTML escape adlist URL and non-domain entries before printing them in gravity stream
2025-10-25 10:08:44 +01:00
RD WebDesign 8c0f785351 Replace mg.request_info.request_uri with the variable scriptname
The information from `mg.request_info.request_uri` depends on the URL typed
by the user. This information was used without any sanitization, allowing
an attacker to send crafted links containing anything, including javascript
code, which could be loaded and executed in a few pages.

Replacing this value with `scriptname` variable fixes the issue, since this
variable contains the name of the file currently being executed. This
information cannot be externally manipulated and it is safe to be used on
the page.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-10-19 18:44:52 -03:00
yubiuser febc2b870a Escape all lines to also prevent XSS for non-domain entries
Signed-off-by: yubiuser <github@yubiuser.dev>
2025-10-12 15:44:23 +02:00
RD WebDesign 507fde4edf Add CPU usage percentage to the Load tooltip
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-10-06 22:34:47 -03:00
yubiuser 4f11435291 Update FTL %cpu and %mem every time total CPU stats are updated
Signed-off-by: yubiuser <github@yubiuser.dev>
2025-10-06 21:18:46 +02:00
Dominik 5ecfcf3f19 Adjust domain count according to pi-hole/FTL#2177 (#3619) 2025-10-05 09:55:38 +02:00
Adam Warner 4b5697c7be Fix addList function to include type in API request URL
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2025-10-04 22:35:27 +01:00
yubiuser 078e34c96d Adjust domain count according to https://github.com/pi-hole/FTL/pull/2177
Signed-off-by: yubiuser <github@yubiuser.dev>
2025-10-04 22:21:06 +02:00
Adam Warner dcb07b761b Make DNSSEC icon conditional in Queries Log (redo of https://github.com/pi-hole/web/pull/3399/) (#3535) 2025-10-04 15:33:59 +01:00
yubiuser 94e8e909b7 Improve line graph tooltip (#3601) 2025-10-04 08:58:29 +02:00
RD WebDesign c6a2e8572e Trigger the offset effect when the mouse is over a legend item
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-09-19 17:11:10 -03:00
RD WebDesign ec5f8b7037 Add offset effect on hover to the doughnut charts
We need to add a small padding to avoid "clipping" the arc/slice.
This happens because when an arc/slice expands, it grows beyond the canvas
limits and gets clipped.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-09-19 17:04:48 -03:00
RD WebDesign ca57bcfb5c Include the upstream DNS server name in the link, when needed
The link must send the "upstream" parameter in exactly the same format used
by the "suggestions" API.
The format is: "upstream=<IP>#<port> (<servername>)".
This will ensure that when a link is clicked, the correct server name will
be highlighted in the SELECT element on the queries.lp page and no other
OPTION element will be created.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-09-16 16:47:03 -03:00
RD WebDesign af471bec94 Show the upstream server IP on the title tooltip
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-09-15 23:03:26 -03:00
RD WebDesign 48666e1ffd Use an array to store upstream server IPs
This will avoid overwriting the IP when more than one upstream DNS server uses the same name

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-09-15 22:34:06 -03:00
RD WebDesign 52441b7b1b Remove unnecessary code
The outer `if` (line 92) already guarantees only 2 possible values.
If `isQueryTypeChart` is false, `isForwardDestinationChart` must be true.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2025-09-15 22:11:44 -03:00
yubiuser 2c1876879d Fix calculation of tooltip percentage
Signed-off-by: yubiuser <github@yubiuser.dev>
2025-09-10 11:12:04 +02:00