diff options
| author | Andrew Dolgov <[email protected]> | 2012-10-28 12:44:10 +0400 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2012-10-28 12:44:10 +0400 |
| commit | c7fe1b4e9e392e0b9ffa55151c43ea7e2e2ee709 (patch) | |
| tree | 1e3b13222f1996fa55c3c87ba0ba7b895f1850f8 | |
| parent | acccafe3daee1c94064202d38fa244bd5a15c2e7 (diff) | |
sanitize article content when importing data from feed
| -rw-r--r-- | classes/feeds.php | 6 | ||||
| -rw-r--r-- | classes/handler/public.php | 4 | ||||
| -rw-r--r-- | classes/rpc.php | 2 | ||||
| -rw-r--r-- | include/functions.php | 13 | ||||
| -rw-r--r-- | include/rssfuncs.php | 5 |
5 files changed, 12 insertions, 18 deletions
diff --git a/classes/feeds.php b/classes/feeds.php index fd98314a9..d924eeb3e 100644 --- a/classes/feeds.php +++ b/classes/feeds.php @@ -626,10 +626,8 @@ class Feeds extends Handler_Protected { }
}
- $feed_site_url = $line["site_url"];
-
- $article_content = sanitize($this->link, $line["content_preview"],
- false, false, $feed_site_url);
+# $feed_site_url = $line["site_url"];
+ $article_content = $line["content_preview"];
$reply['content'] .= "<div id=\"POSTNOTE-$id\">";
if ($line['note']) {
diff --git a/classes/handler/public.php b/classes/handler/public.php index d3c3fc094..0aa86a844 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -61,7 +61,7 @@ class Handler_Public extends Handler { $tpl->setVariable('ARTICLE_EXCERPT', truncate_string(strip_tags($line["content_preview"]), 100, '...'), true); - $content = sanitize($this->link, $line["content_preview"], false, $owner_uid); + $content = $line["content_preview"]; if ($line['note']) { $content = "<div style=\"$note_style\">Article note: " . $line['note'] . "</div>" . @@ -132,7 +132,7 @@ class Handler_Public extends Handler { $article['link'] = $line['link']; $article['title'] = $line['title']; $article['excerpt'] = truncate_string(strip_tags($line["content_preview"]), 100, '...'); - $article['content'] = sanitize($this->link, $line["content_preview"], false, $owner_uid); + $article['content'] = $line["content_preview"]; $article['updated'] = date('c', strtotime($line["updated"])); if ($line['note']) $article['note'] = $line['note']; diff --git a/classes/rpc.php b/classes/rpc.php index cb3eeda98..56b13dc51 100644 --- a/classes/rpc.php +++ b/classes/rpc.php @@ -584,7 +584,7 @@ class RPC extends Handler_Protected { FROM ttrss_entries, ttrss_user_entries WHERE id = '$article_id' AND ref_id = id AND owner_uid = ".$_SESSION['uid']); - $content = sanitize($this->link, db_fetch_result($result, 0, "content")); + $content = db_fetch_result($result, 0, "content"); $title = strip_tags(db_fetch_result($result, 0, "title")); $article_url = htmlspecialchars(db_fetch_result($result, 0, "link")); $marked = sql_bool_to_bool(db_fetch_result($result, 0, "marked")); diff --git a/include/functions.php b/include/functions.php index f607cb3cc..a8f42d6d5 100644 --- a/include/functions.php +++ b/include/functions.php @@ -2686,11 +2686,15 @@ } - function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) { + function sanitize($link, $str, $owner = false, $site_url = false) { if (!$owner) $owner = $_SESSION["uid"]; $res = trim($str); if (!$res) return ''; + # we don't support CDATA sections in articles, they break our own escaping + $res = preg_replace("/\[\[CDATA/", "", $res); + $res = preg_replace("/\]\]\>/", "", $res); + $config = array('safe' => 1, 'deny_attribute' => 'style'); $res = htmLawed($res, $config); @@ -3626,13 +3630,6 @@ } } // function encrypt_password - function sanitize_article_content($text) { - # we don't support CDATA sections in articles, they break our own escaping - $text = preg_replace("/\[\[CDATA/", "", $text); - $text = preg_replace("/\]\]\>/", "", $text); - return $text; - } - function load_filters($link, $feed_id, $owner_uid, $action_id = false) { $filters = array(); diff --git a/include/rssfuncs.php b/include/rssfuncs.php index 14fa5f348..af62a5041 100644 --- a/include/rssfuncs.php +++ b/include/rssfuncs.php @@ -770,9 +770,8 @@ } # sanitize content - - $entry_content = sanitize_article_content($entry_content); - $entry_title = sanitize_article_content($entry_title); + $entry_content = sanitize($link, $entry_content, $owner_uid, $site_url); + $entry_title = strip_tags($entry_title); if ($debug_enabled) { _debug("update_rss_feed: done collecting data [TITLE:$entry_title]"); |