booru-viewer

History

pax ad6f876f40 category_fetcher: reject XML responses with DOCTYPE/ENTITY declarations

User-configurable sites could send XXE or billion-laughs payloads
via tag category API responses. Reject any XML body containing
<!DOCTYPE or <!ENTITY before passing to ET.fromstring.

2026-04-12 14:55:30 -05:00

__init__.py

Initial release — booru image viewer with Qt6 GUI and Textual TUI

2026-04-04 06:00:50 -05:00

_safety.py

security: fix #1 — add public-host validator helper

2026-04-11 16:09:53 -05:00

base.py

security: fix #3 — redact URL in BooruClient._log_request

2026-04-11 16:12:28 -05:00

category_fetcher.py

category_fetcher: reject XML responses with DOCTYPE/ENTITY declarations

2026-04-12 14:55:30 -05:00

danbooru.py

security: fix #3 — redact params in DanbooruClient debug log

2026-04-11 16:12:47 -05:00

detect.py

security: fix #1 — wire SSRF hook into detect_site_type client

2026-04-11 16:11:37 -05:00

e621.py

security: fix #3 — redact params in E621Client debug log

2026-04-11 16:13:06 -05:00

gelbooru.py

security: fix #3 — redact params in GelbooruClient debug log

2026-04-11 16:13:25 -05:00

moebooru.py

gelbooru+moebooru: drop background prefetch from search, fetch on demand

2026-04-09 19:48:04 -05:00