force strip_tags() on all user input unless explicitly allowed

author: Andrew Dolgov <[email protected]> 2017-12-03 23:35:38 +0300
committer: Andrew Dolgov <[email protected]> 2017-12-03 23:35:38 +0300
commit: e6532439d68234d86176e4d967609d68dd564c1d (patch)
tree: 6b5336fc8ea97ab3ecb1db547189b63ae1cd6120 /classes/pref/filters.php
parent: 7c6f7bb0aa50f42fd697fbe82dc9b8b5931a3a52 (diff)
1 files changed, 31 insertions, 31 deletions
diff --git a/classes/pref/filters.php b/classes/pref/filters.php
index 1ff9a3723..74aecd309 100755
--- a/classes/pref/filters.php
+++ b/classes/pref/filters.php
@@ -16,9 +16,9 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function savefilterorder() {
-		$data = json_decode($_POST['payload'], true);
+		$data = json_decode(clean($_POST['payload']), true);
 
-		#file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+		#file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
 		#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
 
 		if (!is_array($data['items']))
@@ -46,14 +46,14 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function testFilterDo() {
-		$offset = (int) $_REQUEST["offset"];
-		$limit = (int) $_REQUEST["limit"];
+		$offset = (int) clean($_REQUEST["offset"]);
+		$limit = (int) clean($_REQUEST["limit"]);
 
 		$filter = array();
 
 		$filter["enabled"] = true;
-		$filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-		$filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]);
+		$filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+		$filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 
 		$filter["rules"] = array();
 		$filter["actions"] = array("dummy-action");
@@ -68,7 +68,7 @@ class Pref_Filters extends Handler_Protected {
 		$scope_qparts = array();
 
 		$rctr = 0;
-		foreach ($_REQUEST["rule"] AS $r) {
+		foreach (clean($_REQUEST["rule"]) AS $r) {
 			$rule = json_decode($r, true);
 
 			if ($rule && $rctr < 5) {
@@ -354,7 +354,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function edit() {
 
-		$filter_id = $_REQUEST["id"];
+		$filter_id = clean($_REQUEST["id"]);
 
 		$sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2 
 			WHERE id = ? AND owner_uid = ?");
@@ -533,7 +533,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	private function getRuleName($rule) {
-		if (!$rule) $rule = json_decode($_REQUEST["rule"], true);
+		if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
 
 		$feeds = $rule["feed_id"];
 		$feeds_fmt = [];
@@ -573,7 +573,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function printRuleName() {
-		print $this->getRuleName(json_decode($_REQUEST["rule"], true));
+		print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
 	}
 
 	private function getActionName($action) {
@@ -611,19 +611,19 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function printActionName() {
-		print $this->getActionName(json_decode($_REQUEST["action"], true));
+		print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
 	}
 
 	function editSave() {
-		if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+		if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
 			return $this->testFilter();
 		}
 
-		$filter_id = $_REQUEST["id"];
-		$enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
-		$match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-		$inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
-		$title = $_REQUEST["title"];
+		$filter_id = clean($_REQUEST["id"]);
+		$enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+		$match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+		$inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
+		$title = clean($_REQUEST["title"]);
 
 		$this->pdo->beginTransaction();
 
@@ -642,7 +642,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function remove() {
 
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 		$ids_qmarks = arr_qmarks($ids);
 
 		$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks) 
@@ -659,8 +659,8 @@ class Pref_Filters extends Handler_Protected {
 		$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
 		$sth->execute([$filter_id]);
 
-		if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = [];
-		if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = [];
+		if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
+		if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
 		
 		if ($filter_id) {
 			/* create rules */
@@ -668,7 +668,7 @@ class Pref_Filters extends Handler_Protected {
 			$rules = array();
 			$actions = array();
 
-			foreach ($_REQUEST["rule"] as $rule) {
+			foreach (clean($_REQUEST["rule"]) as $rule) {
 				$rule = json_decode($rule, true);
 				unset($rule["id"]);
 
@@ -677,7 +677,7 @@ class Pref_Filters extends Handler_Protected {
 				}
 			}
 
-			foreach ($_REQUEST["action"] as $action) {
+			foreach (clean($_REQUEST["action"]) as $action) {
 				$action = json_decode($action, true);
 				unset($action["id"]);
 
@@ -729,14 +729,14 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function add() {
-		if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+		if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
 			return $this->testFilter();
 		}
 
-		$enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
-		$match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-		$title = $_REQUEST["title"];
-		$inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
+		$enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+		$match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+		$title = clean($_REQUEST["title"]);
+		$inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 
 		$this->pdo->beginTransaction();
 
@@ -762,7 +762,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function index() {
 
-		$filter_search = $_REQUEST["search"];
+		$filter_search = clean($_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_filter_search"] = $filter_search;
@@ -948,7 +948,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function newrule() {
-		$rule = json_decode($_REQUEST["rule"], true);
+		$rule = json_decode(clean($_REQUEST["rule"]), true);
 
 		if ($rule) {
 			$reg_exp = htmlspecialchars($rule["reg_exp"]);
@@ -1022,7 +1022,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function newaction() {
-		$action = json_decode($_REQUEST["action"], true);
+		$action = json_decode(clean($_REQUEST["action"]), true);
 
 		if ($action) {
 			$action_param = $action["action_param"];
@@ -1159,7 +1159,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function join() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		if (count($ids) > 1) {
 			$base_id = array_shift($ids);
author	Andrew Dolgov <[email protected]>	2017-12-03 23:35:38 +0300
committer	Andrew Dolgov <[email protected]>	2017-12-03 23:35:38 +0300
commit	e6532439d68234d86176e4d967609d68dd564c1d (patch)
tree	6b5336fc8ea97ab3ecb1db547189b63ae1cd6120 /classes/pref/filters.php
parent	7c6f7bb0aa50f42fd697fbe82dc9b8b5931a3a52 (diff)