properly escape comment links

[tt-rss.git] / include / functions.php

diff --git a/include/functions.php b/include/functions.php
index f37578ba3704b9b89d9198a3bcc614ad36e778a4..2fb14097fa7a38d6933b716efd8f0cc2829a452d 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -3352,14 +3352,14 @@
 
                        if ($num_comments > 0) {
                                if ($line["comments"]) {
-                                       $comments_url = $line["comments"];
+                                       $comments_url = htmlspecialchars($line["comments"]);
                                } else {
-                                       $comments_url = $line["link"];
+                                       $comments_url = htmlspecialchars($line["link"]);
                                }
                                $entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
                        } else {
                                if ($line["comments"] && $line["link"] != $line["comments"]) {
-                                       $entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";
+                                       $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
                                }
                        }