-rw-r--r-- | functions.php | 18 | ||||
-rw-r--r-- | modules/pref-feeds.php | 20 | ||||
-rw-r--r-- | modules/pref-filters.php | 6 | ||||
-rw-r--r-- | modules/pref-labels.php | 14 |
4 files changed, 26 insertions, 32 deletions
diff --git a/functions.php b/functions.php
index f6783ff94..ba4b02344 100644
--- a/functions.php
+++ b/functions.php
@@ -386,8 +386,8 @@
 $result = db_query($link, "SELECT update_interval,auth_login,auth_pass FROM ttrss_feeds WHERE id = '$feed'");
- $auth_login = db_unescape_string(db_fetch_result($result, 0, "auth_login"));
- $auth_pass = db_unescape_string(db_fetch_result($result, 0, "auth_pass"));
+ $auth_login = db_fetch_result($result, 0, "auth_login");
+ $auth_pass = db_fetch_result($result, 0, "auth_pass");
 $update_interval = db_fetch_result($result, 0, "update_interval");
@@ -2141,7 +2141,7 @@
 $is_selected = "";
 }
 printf("<option $is_selected value='%d'>%s</option>",
- $line["id"], htmlspecialchars(db_unescape_string($line["title"])));
+ $line["id"], htmlspecialchars($line["title"]));
 }
 print "</select>";
@@ -2170,7 +2170,7 @@
 $is_selected = "";
 }
 printf("<option $is_selected value='%d'>%s</option>",
- $line["id"], htmlspecialchars(db_unescape_string($line["title"])));
+ $line["id"], htmlspecialchars($line["title"]));
 }
 print "</select>";
@@ -2525,8 +2525,6 @@
 $feed_title = "?";
 }
- $feed_title = db_unescape_string($feed_title);
-
 if ($feed < -10) error_reporting (0);
 if (preg_match("/^-?[0-9][0-9]*$/", $feed) != false) {
@@ -2899,10 +2897,6 @@
 }
 }
- function escape_for_form($s) {
- return htmlspecialchars(db_unescape_string($s));
- }
-
 function make_guid_from_title($title) {
 return preg_replace("/[ \"\',.:;]/", "-", mb_strtolower(strip_tags($title), 'utf-8'));
@@ -3121,7 +3115,7 @@
 error_reporting (DEFAULT_ERROR_LEVEL);
 printFeedEntry($label_id,
- $class, db_unescape_string($line["description"]),
+ $class, $line["description"],
 $count, "images/label.png", $link);
 }
@@ -3182,7 +3176,7 @@
 while ($line = db_fetch_assoc($result)) {
- $feed = trim(db_unescape_string($line["title"]));
+ $feed = trim($line["title"]);
 if (!$feed) $feed = "[Untitled]";
diff --git a/modules/pref-feeds.php b/modules/pref-feeds.php
index ae5ab28ec..9ef88e8fa 100644
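Review bot: The new auth_login/auth_pass lines in the -386 hunk read the column values straight from the row, so from this commit on the code assumes ttrss_feeds stores unescaped text; rows written while db_unescape_string was still paired with the old write path would keep their backslash escapes, and for auth_pass that means a stored feed password containing a quote or backslash would no longer match what the user entered. This diff shows only the read side, so a matching write-side change or a one-off data migration may exist outside it — if it does not, one is needed before this ships, and a short comment such as `// values are stored unescaped; see <migration>` at this site would record the new contract. The same assumption applies to every other hunk in this commit (titles, descriptions, reg_exp, sql_exp). The enclosing function starts and ends outside the hunk.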
--- a/modules/pref-feeds.php
+++ b/modules/pref-feeds.php
@@ -101,7 +101,7 @@
 $class = ($feedctr % 2) ? "even" : "odd";
 print "<li class='$class' id=\"FBROW-".$details["id"]."\">$check_box".
- "$feed_icon " . db_unescape_string($details["title"]) .
+ "$feed_icon " . $details["title"] .
 " <span class='subscribers'>($subscribers)</span></li>";
 ++$feedctr;
@@ -130,8 +130,8 @@
 "SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]);
- $title = htmlspecialchars(db_unescape_string(db_fetch_result($result,
- 0, "title")));
+ $title = htmlspecialchars(db_fetch_result($result,
+ 0, "title"));
 $icon_file = ICONS_DIR . "/$feed_id.ico";
@@ -159,8 +159,8 @@
 name=\"title\" value=\"$title\"></td></tr>";
 $feed_url = db_fetch_result($result, 0, "feed_url");
- $feed_url = htmlspecialchars(db_unescape_string(db_fetch_result($result,
- 0, "feed_url")));
+ $feed_url = htmlspecialchars(db_fetch_result($result,
+ 0, "feed_url"));
 print "<tr><td>".__('Feed URL:')."</td>";
 print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\"
@@ -259,13 +259,13 @@
 print "</td>";
- $auth_login = escape_for_form(db_fetch_result($result, 0, "auth_login"));
+ $auth_login = htmlspecialchars(db_fetch_result($result, 0, "auth_login"));
 print "<tr><td>".__('Login:')."</td>";
 print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\"
 name=\"auth_login\" value=\"$auth_login\"></td></tr>";
- $auth_pass = escape_for_form(db_fetch_result($result, 0, "auth_pass"));
+ $auth_pass = htmlspecialchars(db_fetch_result($result, 0, "auth_pass"));
 print "<tr><td>".__('Password:')."</td>";
 print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\"
@@ -652,7 +652,7 @@
 print "<tr class=\"$class\" $this_row_id>";
- $edit_title = htmlspecialchars(db_unescape_string($line["title"]));
+ $edit_title = htmlspecialchars($line["title"]);
 if (!$edit_cat_id || $action != "edit") {
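Review bot: In the -101 hunk the feed title is concatenated into the `<li>` markup with no escaping (`"$feed_icon " . $details["title"] .`), while every other output site touched by this commit wraps the value in htmlspecialchars; a feed title originates from a remote feed and is untrusted, so this should read `"$feed_icon " . htmlspecialchars($details["title"]) .`. The removed line was equally unescaped, so the gap is pre-existing, but this commit is the natural place to make the escaping consistent across the files it touches. The print statement continues on the following context line, and the enclosing function starts and ends outside the hunk.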
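Review bot: In the -159 hunk the context line `$feed_url = db_fetch_result($result, 0, "feed_url");` is overwritten by the new assignment immediately below it, so the first fetch is dead code that the rewrite keeps alive; drop it and keep only `$feed_url = htmlspecialchars(db_fetch_result($result, 0, "feed_url"));`. The hunk ends in the middle of a print statement.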
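Review bot: The new auth_pass line in the -259 hunk still reads the stored feed password back into the edit form; the password input on the following context line presumably carries it as its value (the attribute itself is past the end of the hunk), so the secret is returned to the browser in page HTML every time the form is opened. A safer pattern is to leave the field blank on display and have the save handler only update the stored password when a non-empty value is submitted — that handler is outside this diff, so it would be a follow-up. htmlspecialchars with its default flags escapes double quotes, so the double-quoted attribute is not an injection issue on its own.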
@@ -880,8 +880,8 @@
 $feed_id = $line["id"];
 $cat_id = $line["cat_id"];
- $edit_title = htmlspecialchars(db_unescape_string($line["title"]));
- $edit_cat = htmlspecialchars(db_unescape_string($line["category"]));
+ $edit_title = htmlspecialchars($line["title"]);
+ $edit_cat = htmlspecialchars($line["category"]);
 $hidden = sql_bool_to_bool($line["hidden"]);
diff --git a/modules/pref-filters.php b/modules/pref-filters.php
index 7445c0e0d..3c0f6129c 100644
--- a/modules/pref-filters.php
+++ b/modules/pref-filters.php
@@ -10,7 +10,7 @@
 $result = db_query($link, "SELECT * FROM ttrss_filters WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
- $reg_exp = htmlspecialchars(db_unescape_string(db_fetch_result($result, 0, "reg_exp")));
+ $reg_exp = htmlspecialchars(db_fetch_result($result, 0, "reg_exp"));
 $filter_type = db_fetch_result($result, 0, "filter_type");
 $feed_id = db_fetch_result($result, 0, "feed_id");
 $action_id = db_fetch_result($result, 0, "action_id");
@@ -285,11 +285,11 @@
 print "<tr class=\"$class\" $this_row_id>";
- $line["reg_exp"] = htmlspecialchars(db_unescape_string($line["reg_exp"]));
+ $line["reg_exp"] = htmlspecialchars($line["reg_exp"]);
 if (!$line["feed_title"]) $line["feed_title"] = __("All feeds");
- $line["feed_title"] = htmlspecialchars(db_unescape_string($line["feed_title"]));
+ $line["feed_title"] = htmlspecialchars($line["feed_title"]);
 print "<td align='center'><input onclick='toggleSelectPrefRow(this, \"filter\");' type=\"checkbox\" id=\"FICHK-".$line["id"]."\"></td>";
diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index 3f7b7f806..8d19d0287 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -21,8 +21,8 @@
 $line = db_fetch_assoc($result);
- $sql_exp = htmlspecialchars(db_unescape_string($line["sql_exp"]));
- $description = htmlspecialchars(db_unescape_string($line["description"]));
+ $sql_exp = htmlspecialchars($line["sql_exp"]);
+ $description = htmlspecialchars($line["description"]);
 print "<div id=\"infoBoxTitle\">Label editor</div>";
 print "<div class=\"infoBoxContents\">";
@@ -78,8 +78,9 @@
 if ($subop == "test") {
- $expr = db_unescape_string(trim($_GET["expr"]));
- $descr = db_unescape_string(trim($_GET["descr"]));
+ // no escaping here on purpose
+ $expr = trim($_GET["expr"]);
+ $descr = db_escape_string(trim($_GET["descr"]));
 if (!$expr) {
 print "<div>Error: SQL expression is blank.</div>";
@@ -260,9 +261,8 @@
 print "<tr class=\"$class\" $this_row_id>";
- $line["sql_exp"] = htmlspecialchars(db_unescape_string($line["sql_exp"]));
- $line["description"] = htmlspecialchars(
- db_unescape_string($line["description"]));
+ $line["sql_exp"] = htmlspecialchars($line["sql_exp"]);
+ $line["description"] = htmlspecialchars($line["description"]);
 if (!$line["description"]) $line["description"] = "[No caption]"; |
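Review bot: The added comment `// no escaping here on purpose` in the -78 hunk states the decision but not the reason, and the line it annotates takes `$expr` from `$_GET` with only trim() applied; the code that consumes it is past the end of the hunk, so a reader cannot tell from here what the expression is used for or what bounds it. Expand the comment to say what `$expr` is and where it goes, e.g. `// $expr is the label's SQL expression being tested; it is passed through verbatim and evaluated in <consumer> — keep that query scoped to owner_uid = $_SESSION["uid"] and catch query errors, since a malformed expression is expected input here`, with the consumer named once you confirm it. The companion `$descr` line applies db_escape_string, which is the right escaper only if the value reaches a query; if `$descr` is also echoed back in the test output, that print site needs htmlspecialchars regardless. The `if ($subop == "test")` block starts in the hunk and ends outside it.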