authorAndrew Dolgov <[email protected]>2023-03-05 08:07:55 +0300
committerAndrew Dolgov <[email protected]>2023-03-05 08:07:55 +0300
commitd210ae50ad14ded6cf204242bc072c82b9e8e70c (patch)
tree4921a0441e8d8d51249b6fe68b018ade53a245fb /classes
parentb7a6c948d078a59739f14de8454e0e7237d0722e (diff)
API:
- shareToPublished: add optional sanitize parameter (defaults to true); if disabled, allows inserting HTML into shared article content; - clean() already invokes strip_tags(), so it's pointless to do both;
Diffstat (limited to 'classes')
-rwxr-xr-xclasses/api.php13
1 files changed, 9 insertions, 4 deletions
diff --git a/classes/api.php b/classes/api.php
index 09f190451..b282a39ce 100755
--- a/classes/api.php
+++ b/classes/api.php
@@ -1,7 +1,7 @@
<?php
class API extends Handler {
- const API_LEVEL = 19;
+ const API_LEVEL = 20;
const STATUS_OK = 0;
const STATUS_ERR = 1;
@@ -504,9 +504,14 @@ class API extends Handler {
}
function shareToPublished(): bool {
- $title = strip_tags(clean($_REQUEST["title"]));
- $url = strip_tags(clean($_REQUEST["url"]));
- $content = strip_tags(clean($_REQUEST["content"]));
+ $title = clean($_REQUEST["title"]);
+ $url = clean($_REQUEST["url"]);
+ $sanitize_content = self::_param_to_bool($_REQUEST["sanitize"] ?? true);
+
+ if ($sanitize_content)
+ $content = clean($_REQUEST["content"]);
+ else
+ $content = $_REQUEST["content"];
if (Article::_create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
return $this->_wrap(self::STATUS_OK, array("status" => 'OK'));
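Review bot: When `sanitize` is false, the `else` branch assigns `$_REQUEST["content"]` to `$content` unchanged, so the same caller both turns off `clean()` and supplies the markup that `Article::_create_published_article()` stores; nothing in the hunk checks that the key is present or that the value is a string rather than an array. Whether stored content is sanitized again when the published article is rendered is not visible here, so the branch should carry a comment stating that dependency, for example `// stored unfiltered: content must be sanitized on output before it reaches a browser`. The raw path should also normalise its input, e.g. `$content = is_string($_REQUEST["content"] ?? null) ? $_REQUEST["content"] : "";`. Because `$_REQUEST` also carries query-string values, the opt-out can be set from the URL alone, which is worth confirming as intended for an endpoint that writes published content. The brace-less `if`/`else` would be safer with braces, and `shareToPublished()` continues past the end of this hunk.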