author | Andrew Dolgov <[email protected]> | 2013-03-17 14:55:55 +0400 |
committer | Andrew Dolgov <[email protected]> | 2013-03-17 14:55:55 +0400 |
commit | f01c8ec4f1324ed8b68e912220735af96c86883c (patch) | |
tree | 22f516816d37d305c474242c796a55c449fba2af | |
parent | 26e2b1843332bfc12426e68f1e259b95c9e997f0 (diff) |
prevent absolutely useless 'exploit' (not really) while editing filters (closes #572)
-rw-r--r-- | classes/pref/filters.php | 2 | ||||
-rw-r--r-- | js/functions.js | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/classes/pref/filters.php b/classes/pref/filters.php
index 74a29c619..20abae1d0 100644
--- a/classes/pref/filters.php
+++ b/classes/pref/filters.php
@@ -372,7 +372,7 @@ class Pref_Filters extends Handler_Protected {
 WHERE id = ".(int)$rule["filter_type"]);
 $match_on = db_fetch_result($result, 0, "description");
- return T_sprintf("%s on %s in %s", $rule["reg_exp"], $match_on, $feed);
+ return T_sprintf("%s on %s in %s", strip_tags($rule["reg_exp"]), $match_on, $feed);
 }
 function printRuleName() {
diff --git a/js/functions.js b/js/functions.js
index 72f72ddaa..e00690c1c 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -964,6 +964,8 @@ function createNewRuleElement(parentNode, replaceNode) {
 try {
 var form = document.forms["filter_new_rule_form"];
+ form.reg_exp.value = form.reg_exp.value.replace(/(<([^>]+)>)/ig,"");
+
 var query = "backend.php?op=pref-filters&method=printrulename&rule="+
 param_escape(dojo.formToJson(form)); |
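Review bot: `strip_tags()` is the wrong tool on the `return T_sprintf(...)` line: the value is a user-entered regular expression that is rendered back to the same user, so it should be escaped for the output context rather than tag-stripped, because `strip_tags` silently alters legitimate patterns that contain `<…>` (a pattern like `<b[^>]*>` loses content) while leaving `"`, `&` and an unbalanced `<` untouched. `htmlspecialchars($rule["reg_exp"], ENT_QUOTES)` keeps the pattern intact and neutralises it for HTML display. The same line still interpolates `$match_on` and `$feed` unescaped; their origin is above the hunk, but if either can carry user-controlled text (a feed title, for instance) it needs the same treatment. The enclosing function starts outside the hunk, so the output context (HTML fragment vs. JSON) should be confirmed at the caller before settling on the escaping function.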
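Review bot: The added `form.reg_exp.value = form.reg_exp.value.replace(/(<([^>]+)>)/ig,"");` is client-side filtering that provides no protection, since the request to `backend.php` can be issued without this page's script, and it rewrites the user's regular expression in the form field itself, so any pattern containing `<…>` is destroyed before the rule name is even fetched. Escaping belongs in the server's output, which the change to `classes/pref/filters.php` in this commit already addresses; I would drop this line and the blank line added with it rather than mutate the form value. As a minor style point, the `i` flag is redundant because the pattern contains no letters. `createNewRuleElement` continues past the end of the hunk.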