fix proper escaping of label titles (closes #255)

[tt-rss.git] / modules / backend-rpc.php

diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php
index 3e4a9434051213c28cc058c66890f7a6ca922a56..1a65efc025f06277db552e6e10ec3c3d03fd1ce3 100644 (file)
--- a/modules/backend-rpc.php
+++ b/modules/backend-rpc.php
@@ -450,7 +450,8 @@
                        $ids = split(",", db_escape_string($_REQUEST["ids"]));
                        $label_id = db_escape_string($_REQUEST["lid"]);
 
-                       $label = label_find_caption($link, $label_id, $_SESSION["uid"]);
+                       $label = db_escape_string(label_find_caption($link, $label_id, 
+                               $_SESSION["uid"]));
 
                        print "<rpc-reply>";
                        print "<info-for-headlines>";
@@ -485,7 +486,8 @@
                        $ids = split(",", db_escape_string($_REQUEST["ids"]));
                        $label_id = db_escape_string($_REQUEST["lid"]);
 
-                       $label = label_find_caption($link, $label_id, $_SESSION["uid"]);
+                       $label = db_escape_string(label_find_caption($link, $label_id, 
+                               $_SESSION["uid"]));
 
                        print "<rpc-reply>";