-rw-r--r-- | backend.php | 6 | ||||
-rw-r--r-- | functions.php | 11 | ||||
-rw-r--r-- | tt-rss.css | 6 |
3 files changed, 21 insertions, 2 deletions
diff --git a/backend.php b/backend.php
index e4329a26c..ebbf33a68 100644
--- a/backend.php
+++ b/backend.php
@@ -650,6 +650,8 @@
 				$line["content"] = preg_replace("/href=/i", "target=\"_new\" href=", $line["content"]);
 			}
+			$line["content"] = sanitize_rss($line["content"]);
+
 			print $line["content"] . "</div>";
 			print "</div>";
@@ -1335,13 +1337,13 @@
 			print "</td>";
-			$auth_login = db_fetch_result($result, 0, "auth_login");
+			$auth_login = escape_for_form(db_fetch_result($result, 0, "auth_login"));
 			print "<tr><td>Login:</td>";
 			print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event)\" name=\"auth_login\" value=\"$auth_login\"></td></tr>";
-			$auth_pass = db_fetch_result($result, 0, "auth_pass");
+			$auth_pass = escape_for_form(db_fetch_result($result, 0, "auth_pass"));
 			print "<tr><td>Password:</td>";
 			print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\"
diff --git a/functions.php b/functions.php
index 600a776c6..e5f06da37 100644
--- a/functions.php
+++ b/functions.php
@@ -2449,6 +2449,13 @@
 		$res = preg_replace('/<\/script>/i', "</p>", $res);
+		$res = preg_replace('/<object.*?>.*?<\/object>/i',
+			"<p class=\"objectWarn\">(Disabled html object
+			- flash or other embedded content)</p>", $str);
+
+		$res = preg_replace('/<\/object>/i',
+			"</p>", $res);
+
 		return $res;
 	}
@@ -2637,4 +2644,8 @@
 		}
 	}
+	function escape_for_form($s) {
+		return htmlspecialchars(db_unescape_string($s));
+	}
+
 ?>
diff --git a/tt-rss.css b/tt-rss.css
index 5f771fe6e..ec4b51320 100644
--- a/tt-rss.css
+++ b/tt-rss.css
@@ -1172,6 +1172,12 @@ span.debugTS {
 	font-weight : bold;
 }
+.objectWarn {
+	color : gray;
+	padding : 3px;
+	font-style: italic;
+}
+
 table.loginForm2 {
 	padding : 1em;
 }
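Review bot: The new `sanitize_rss()` call is placed after the `href=` rewrite on the line above, but judging from the parts of sanitize_rss visible in this commit's functions.php hunk (its full body is not in the diff) the filter is a regex blacklist for `<script>` and `<object>` only, so feed markup such as `<iframe>`, `<embed>`, inline event handlers (`onload=`, `onerror=`) and `javascript:` URLs in the very `href=` attributes being rewritten would still reach the `print` on the next line unescaped. A blacklist cannot keep up with untrusted HTML from arbitrary feeds; the robust fix is an allowlist of tags and attributes, or at minimum a pass that strips `on*` attributes and non-http(s) URL schemes, run before the `target=\"_new\"` rewrite so the rewrite cannot be used to re-introduce anything. The enclosing function and the start of this block are outside the hunk.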
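Review bot: `escape_for_form()` is applied where the values are read rather than where they are printed, which silently ties `$auth_login` and `$auth_pass` to the HTML-attribute context; if either variable is reused later in the same function in a non-HTML context (SQL, a JS literal) the escaping is wrong there, and the `value=` attribute two lines below is the only place it is actually needed. Prefer escaping inline at the print, e.g. `value=\"" . escape_for_form(db_fetch_result($result, 0, "auth_login")) . "\"`, or at least name the variables `$auth_login_html` / `$auth_pass_html` so the context is explicit. The `<input type=\"password\" name=\"auth_pass\"` line is cut at the end of the hunk; if it continues with `value=\"$auth_pass\"` the stored feed password is echoed into the page source, which deserves a comment stating why that exposure is acceptable. The enclosing function is outside the hunk.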
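Review bot: The first new `preg_replace` takes `$str` as its subject and assigns the result to `$res`, which discards everything already done to `$res` — including the `</script>` → `</p>` replacement on the context line directly above — so the script-tag handling is undone by the object pass; the subject should be `$res`. The pattern also lacks the `s` modifier, so `.*?` stops at a newline and a multi-line `<object>…</object>` is not matched at all; the second replacement then only rewrites the closing tag and leaves the opening `<object>` and any `<param>`/`<embed>` inside it intact. Suggested lines: `$res = preg_replace('/<object.*?>.*?<\/object>/is',` with the call ending `, $res);`. This remains a blacklist — `<embed>`, `<iframe>` and `<applet>` are not covered — and the start of sanitize_rss is outside the hunk.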
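Review bot: `htmlspecialchars()` is called with its default flags, which on the PHP versions this file appears to target (ENT_COMPAT before PHP 8.1) leave single quotes unescaped, so the helper is only safe inside double-quoted attributes like the ones in backend.php; passing `ENT_QUOTES` makes it safe in either quoting style: `return htmlspecialchars(db_unescape_string($s), ENT_QUOTES);`. The helper has no doc comment; add one stating the contract, e.g. `// Undo the DB escaping still present on a fetched column value, then escape it for an HTML attribute or text context.` — why a value read back from the database still carries DB escaping is not visible here and should be confirmed and stated there. The name is also broader than the behaviour, since it escapes for HTML only and not for JS or URL contexts.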