diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/functions.php | 9 | ||||
-rw-r--r-- | include/rssfuncs.php | 4 |
2 files changed, 10 insertions, 3 deletions
diff --git a/include/functions.php b/include/functions.php index 2994dd438..7a5211b5a 100644 --- a/include/functions.php +++ b/include/functions.php @@ -2686,7 +2686,7 @@ } - function sanitize($link, $str, $owner = false, $site_url = false) { + function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) { if (!$owner) $owner = $_SESSION["uid"]; $res = trim($str); if (!$res) return ''; @@ -3626,6 +3626,13 @@ } } // function encrypt_password + function sanitize_article_content($text) { + # we don't support CDATA sections in articles, they break our own escaping + $text = preg_replace("/\[\[CDATA/", "", $text); + $text = preg_replace("/\]\]\>/", "", $text); + return db_escape_string($text, false); + } + function load_filters($link, $feed_id, $owner_uid, $action_id = false) { $filters = array(); diff --git a/include/rssfuncs.php b/include/rssfuncs.php index e413743b6..fbe671ca4 100644 --- a/include/rssfuncs.php +++ b/include/rssfuncs.php @@ -770,8 +770,8 @@ } # sanitize content - $entry_content = db_escape_string(sanitize($link, $entry_content, $owner_uid, $site_url)); - $entry_title = db_escape_string(strip_tags($entry_title)); + $entry_content = sanitize_article_content($entry_content); + $entry_title = sanitize_article_content($entry_title); if ($debug_enabled) { _debug("update_rss_feed: done collecting data [TITLE:$entry_title]"); |