<?php
define('EXPECTED_CONFIG_VERSION', 26);
- define('SCHEMA_VERSION', 97);
+ define('SCHEMA_VERSION', 98);
$fetch_last_error = false;
ini_set('user_agent', SELF_USER_AGENT);
require_once 'lib/pubsubhubbub/publisher.php';
-
- $purifier = false;
+ require_once 'lib/htmLawed.php';
$tz_offset = -1;
$utc_tz = new DateTimeZone('UTC');
print "</select>";
}
- function get_article_filters($filters, $title, $content, $link, $timestamp, $author, $tags) {
- $matches = array();
-
- foreach ($filters as $filter) {
- $match_any_rule = $filter["match_any_rule"];
- $filter_match = false;
-
- foreach ($filter["rules"] as $rule) {
- $match = false;
- $reg_exp = $rule["reg_exp"];
-
- if (!$reg_exp)
- continue;
-
- switch ($rule["type"]) {
- case "title":
- $match = @preg_match("/$reg_exp/i", $title);
- break;
- case "content":
- $match = @preg_match("/$reg_exp/i", $content);
- break;
- case "both":
- $match = (@preg_match("/$reg_exp/i", $title) || @preg_match("/$reg_exp/i", $title));
- break;
- case "link":
- $match = @preg_match("/$reg_exp/i", $link);
- break;
- case "author":
- $match = @preg_match("/$reg_exp/i", $author);
- break;
- case "tag":
- $tag_string = join(",", $tags);
- $match = @preg_match("/$reg_exp/i", $tag_string);
- break;
- }
-
- if ($match_any_rule) {
- if ($match) {
- $filter_match = true;
- break;
- }
- } else {
- $filter_match = $match;
- if (!$match) {
- break;
- }
- }
- }
-
- if ($filter_match) {
- foreach ($filter["actions"] AS $action) {
- array_push($matches, $action);
- }
- }
- }
-
- return $matches;
- }
-
- function find_article_filter($filters, $filter_name) {
- foreach ($filters as $f) {
- if ($f["type"] == $filter_name) {
- return $f;
- };
- }
- return false;
- }
-
- function find_article_filters($filters, $filter_name) {
- $results = array();
-
- foreach ($filters as $f) {
- if ($f["type"] == $filter_name) {
- array_push($results, $f);
- };
- }
- return $results;
- }
-
- function calculate_article_score($filters) {
- $score = 0;
-
- foreach ($filters as $f) {
- if ($f["type"] == "score") {
- $score += $f["param"];
- };
- }
- return $score;
- }
-
- function assign_article_to_labels($link, $id, $filters, $owner_uid) {
- foreach ($filters as $f) {
- if ($f["type"] == "label") {
- label_add_article($link, $id, $f["param"], $owner_uid);
- };
- }
- }
-
function getmicrotime() {
list($usec, $sec) = explode(" ",microtime());
return ((float)$usec + (float)$sec);
$override_order = "updated DESC";
- $filter_query_part = filter_to_sql($filter) . " AND";
+ $filter_query_part = filter_to_sql($link, $filter, $owner_uid);
+
+ // Try to check if SQL regexp implementation chokes on a valid regexp
+ $result = db_query($link, "SELECT true AS true FROM ttrss_entries,
+ ttrss_user_entries, ttrss_feeds, ttrss_feed_categories
+ WHERE $filter_query_part LIMIT 1", false);
+
+ $test = db_fetch_result($result, 0, "true");
+
+ if (!$test) {
+ $filter_query_part = "false AND";
+ } else {
+ $filter_query_part .= " AND";
+ }
+
} else {
$filter_query_part = "";
}
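Review bot: The probe at `SELECT true AS true FROM ttrss_entries, ttrss_user_entries, ttrss_feeds, ttrss_feed_categories WHERE $filter_query_part LIMIT 1` cannot distinguish a regexp the database rejects from a valid filter that currently matches nothing: both leave `$test` empty and both collapse to `"false AND"`, so a broken filter silently produces an empty feed instead of an error the user can act on. As far as the visible lines show, the four tables are combined without any join predicate, so a non-matching filter makes the database walk a four-way cross product before `LIMIT 1` can stop it, and a user-authored filter can trigger that at will. I would test the query result rather than the fetched cell (assuming `db_query` returns a falsy value on error when its last argument is `false`), e.g. `if (!$result) { $filter_query_part = "false AND"; /* TODO: report the rejected regexp to the user */ } else { $filter_query_part .= " AND"; }`, and constrain the probe with the same join conditions the real headline query uses. This code sits inside a function whose start and end are outside the hunk.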
$offset_query_part = "OFFSET $offset";
}
+ // proper override_order applied above
if ($vfeed_query_part && get_pref($link, 'VFEED_GROUP_BY_FEED', $owner_uid)) {
if (!$override_order) {
$order_by = "ttrss_feeds.title, $order_by";
+ } else {
+ $order_by = "ttrss_feeds.title, $override_order";
}
}
}
function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
- global $purifier;
-
if (!$owner) $owner = $_SESSION["uid"];
$res = trim($str); if (!$res) return '';
- // create global Purifier object if needed
- if (!$purifier) {
- require_once 'lib/htmlpurifier/library/HTMLPurifier.auto.php';
-
- $config = HTMLPurifier_Config::createDefault();
-
- $allowed = "p,a[href],i,em,b,strong,code,pre,blockquote,br,img[src|alt|title|align|hspace],ul,ol,li,h1,h2,h3,h4,s,object[classid|type|id|name|width|height|codebase],param[name|value],table,tr,td,span[class]";
-
- $config->set('HTML.SafeObject', true);
- @$config->set('HTML', 'Allowed', $allowed);
- $config->set('Output.FlashCompat', true);
- $config->set('Attr.EnableID', true);
- if (!defined('MOBILE_VERSION')) {
- @$config->set('Cache', 'SerializerPath', CACHE_DIR . "/htmlpurifier");
- } else {
- @$config->set('Cache', 'SerializerPath', "../" . CACHE_DIR . "/htmlpurifier");
- }
-
- $config->set('Filter.YouTube', true);
-
- $purifier = new HTMLPurifier($config);
- }
-
- $res = $purifier->purify($res);
+ $config = array('safe' => 1, 'deny_attribute' => 'style', 'comment' => 1, 'cdata' => 1);
+ $res = htmLawed($res, $config);
if (get_pref($link, "STRIP_IMAGES", $owner)) {
$res = preg_replace('/<img[^>]+>/is', '', $res);
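Review bot: The replacement sanitizer configuration `$config = array('safe' => 1, 'deny_attribute' => 'style', 'comment' => 1, 'cdata' => 1);` is deny-based, whereas the HTMLPurifier configuration it removes enumerated the permitted elements and attributes; with only `safe` plus one denied attribute, every element and attribute htmLawed knows and does not classify as unsafe now passes through feed content (form controls, for instance, if I recall htmLawed's `safe` semantics correctly — worth confirming against the library). I would keep the allowlist shape by adding an `elements` entry mirroring the removed list, e.g. `'elements' => 'p, a, i, em, b, strong, code, pre, blockquote, br, img, ul, ol, li, h1, h2, h3, h4, s, table, tr, td, span'`, and since no `href`/`src` scheme restriction is visible here, verify htmLawed's `schemes` default or set it explicitly to `http`/`https`. What the value `1` means for `comment` and `cdata` (strip versus keep) is not visible either, and it decides whether the CDATA stripping that the deleted `sanitize_article_content` performed still happens; a one-line comment stating the intended handling would help the next reader. The enclosing `sanitize` function continues past the hunk.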
if ($num_comments > 0) {
if ($line["comments"]) {
- $comments_url = $line["comments"];
+ $comments_url = htmlspecialchars($line["comments"]);
} else {
- $comments_url = $line["link"];
+ $comments_url = htmlspecialchars($line["link"]);
}
$entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
} else {
if ($line["comments"] && $line["link"] != $line["comments"]) {
- $entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";
+ $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
}
}
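Review bot: `htmlspecialchars($line["comments"])` only protects the attribute delimiter; it does not stop a feed from supplying a `javascript:` or `data:` URL as its comments or link value, which remains a clickable script in the `<a>` built on the following line. I would validate the scheme before use, e.g. `if (!preg_match('/^https?:\/\//i', $comments_url)) $comments_url = '';` (or an existing URL-rewriting helper if this file has one), and apply the same guard to the second anchor at the bottom of the hunk. The `target='_blank'` anchors also lack `rel="noopener noreferrer"`, so the opened page can reach `window.opener`. The surrounding function starts and ends outside the hunk.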
</head><body>";
}
- $title_escaped = db_escape_string($line['title']);
+ $title_escaped = htmlspecialchars($line['title']);
$rv['content'] .= "<div id=\"PTITLE-$id\" style=\"display : none\">" .
truncate_string(strip_tags($line['title']), 15) . "</div>";
$rv['content'] .= "<div class='postTitle'><a target='_blank'
title=\"".htmlspecialchars($line['title'])."\"
href=\"" .
- $line["link"] . "\">" .
+ htmlspecialchars($line["link"]) . "\">" .
$line["title"] .
"<span class='author'>$entry_author</span></a></div>";
} else {
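Review bot: `$title_escaped` is now built with `htmlspecialchars($line['title'])`, but the anchor body at `$line["title"] .` still emits the raw title, so the escaping reaches only the `title` attribute and not the element content; if the title was not sanitized earlier (not visible from here), the page still renders feed-controlled markup. I would use the escaped value for the anchor body as well, `$title_escaped .` in place of `$line["title"] .`. `htmlspecialchars($line["link"])` has the same limitation as the comments link elsewhere in this commit: it escapes the attribute but does not reject a `javascript:` scheme. The enclosing function starts before the hunk.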
$button_plugins = explode(",", ARTICLE_BUTTON_PLUGINS);
foreach ($button_plugins as $p) {
- $pclass = trim("button_${p}");
+ $pclass = "button_" . trim($p);
if (class_exists($pclass)) {
$plugin = new $pclass($link);
}
} // function encrypt_password
- function sanitize_article_content($text) {
- # we don't support CDATA sections in articles, they break our own escaping
- $text = preg_replace("/\[\[CDATA/", "", $text);
- $text = preg_replace("/\]\]\>/", "", $text);
- return $text;
- }
-
function load_filters($link, $feed_id, $owner_uid, $action_id = false) {
$filters = array();
}
}
+ function get_all_labels($link, $owner_uid) {
+ $rv = array();
+
+ $result = db_query($link, "SELECT fg_color, bg_color, caption FROM ttrss_labels2 WHERE owner_uid = " . $owner_uid);
+
+ while ($line = db_fetch_assoc($result)) {
+ array_push($rv, $line);
+ }
+
+ return $rv;
+ }
+
function label_update_cache($link, $id, $labels = false, $force = false) {
if ($force)
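Review bot: `get_all_labels` interpolates `$owner_uid` straight into `WHERE owner_uid = " . $owner_uid` with no cast or escape; its callers are not visible here, so the helper itself gives no guarantee the value is numeric. I would coerce at the boundary, `"... WHERE owner_uid = " . (int) $owner_uid`, and add a short docblock above the function: `/** Return fg_color, bg_color and caption for every ttrss_labels2 row owned by $owner_uid. */`. The hunk ends inside `label_update_cache`, whose body is outside view.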
function api_get_headlines($link, $feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, $order,
$include_attachments, $since_id,
- $search = "", $search_mode = "", $match_on = "", $include_nested = false) {
+ $search = "", $search_mode = "", $match_on = "",
+ $include_nested = false, $sanitize_content = true) {
$qfh_ret = queryFeedHeadlines($link, $feed_id, $limit,
$view_mode, $is_cat, $search, $search_mode, $match_on,
}
if ($show_content) {
- $headline_row["content"] = $line["content_preview"];
+ if ($sanitize_content) {
+ $headline_row["content"] = sanitize($link,
+ $line["content_preview"], false, false, $line["site_url"]);
+ } else {
+ $headline_row["content"] = $line["content_preview"];
+ }
}
// unify label output to ease parsing
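Review bot: The new `$sanitize_content` parameter lets an API caller receive `content_preview` exactly as the feed delivered it, with nothing in the signature saying the result is unsanitized HTML; a client that renders it becomes the XSS sink the `sanitize()` call was guarding against. I would document this at the parameter, e.g. `// $sanitize_content = false returns raw feed HTML; the client must sanitize before rendering`, and consider whether the API layer should require an explicit opt-in rather than passing the flag through unchanged. `$line["site_url"]` is handed to `sanitize()` as its `$site_url` argument; what it is used for is outside this hunk. `api_get_headlines` continues past the hunk.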
return $html;
}
- function filter_to_sql($filter) {
+ function filter_to_sql($link, $filter, $owner_uid) {
$query = array();
if (DB_TYPE == "pgsql")
}
if (isset($rule["cat_id"])) {
- $qpart .= " AND cat_id " . ($rule["cat_id"] ? '= ' . $rule["cat_id"] : 'IS NULL');
+
+ if ($rule["cat_id"] > 0) {
+ $children = getChildCategories($link, $rule["cat_id"], $owner_uid);
+ array_push($children, $rule["cat_id"]);
+
+ $children = join(",", $children);
+
+ $cat_qpart = "cat_id IN ($children)";
+ } else {
+ $cat_qpart = "cat_id IS NULL";
+ }
+
+ $qpart .= " AND $cat_qpart";
}
array_push($query, "($qpart)");