diff --git a/classes/article.php b/classes/article.php
old mode 100644
new mode 100755
index 1b4d26f7..075da194
--- a/classes/article.php
+++ b/classes/article.php
@@ -8,7 +8,7 @@ class Article extends Handler_Protected {
}
function redirect() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE id = ? AND id = ref_id AND owner_uid = ?
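Review bot: `$id` is used as an integer primary key on the next line but is only passed through `clean()`, which is defined outside this file and presumably sanitizes strings rather than validating a number; the precise check is a cast, `$id = (int) clean($_REQUEST['id']);`. The prepared statement with its `owner_uid = ?` predicate already rules out injection and cross-user reads, so the cast is about rejecting junk early, not SQL safety. redirect() continues past the hunk: the fetched `link` is presumably emitted as a redirect target, and I cannot see whether it is checked to be an http(s) URL before that happens.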
@@ -28,9 +28,9 @@ class Article extends Handler_Protected {
}
function view() {
- $id = $_REQUEST["id"];
- $cids = explode(",", $_REQUEST["cids"]);
- $mode = $_REQUEST["mode"];
+ $id = clean($_REQUEST["id"]);
+ $cids = explode(",", clean($_REQUEST["cids"]));
+ $mode = clean($_REQUEST["mode"]);
// in prefetch mode we only output requested cids, main article
// just gets marked as read (it already exists in client cache)
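Review bot: The elements of `$cids` are never validated as integers — `explode()` over the cleaned string yields raw substrings, and an empty `cids` parameter yields `['']` rather than an empty list. `$cids = array_map('intval', explode(",", clean($_REQUEST["cids"])));` and `$id = (int) clean($_REQUEST["id"]);` match how these values are used as ids. `$mode` should be compared against the set of modes view() actually handles; the rest of view() is outside the hunk, so I cannot confirm whether that already happens.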
@@ -126,7 +126,7 @@ class Article extends Handler_Protected {
if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) return false;
$pdo = Db::pdo();
-
+
$pdo->beginTransaction();
// only check for our user data here, others might have shared this with different content etc
@@ -210,7 +210,7 @@ class Article extends Handler_Protected {
print __("Tags for this article (separated by commas):")."
";
- $param = $_REQUEST['param'];
+ $param = clean($_REQUEST['param']);
$tags = Article::get_article_tags($param);
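Review bot: `$param` is an article id handed to `Article::get_article_tags()`, so it should be cast rather than only tag-stripped: `$param = (int) clean($_REQUEST['param']);`. The `print` statement at the top of the hunk appears to have lost part of its literal in this rendering (`."` on one line, `";` on the next), so it is worth confirming the committed line is intact. The enclosing method starts and ends outside the hunk.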
@@ -241,8 +241,8 @@ class Article extends Handler_Protected {
}
function setScore() {
- $ids = explode(",", $_REQUEST['id']);
- $score = (int)$_REQUEST['score'];
+ $ids = explode(",", clean($_REQUEST['id']));
+ $score = (int)clean($_REQUEST['score']);
$ids_qmarks = arr_qmarks($ids);
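Review bot: `(int)clean($_REQUEST['score'])` is redundant — the cast alone discards anything non-numeric, so `$score = (int) $_REQUEST['score'];` says the same thing more clearly. The `$ids` list gets the opposite treatment: its elements are exploded but never cast, so non-numeric values reach `arr_qmarks()` and the bound statement; `$ids = array_map('intval', explode(",", clean($_REQUEST['id'])));` fixes that. setScore() continues past the hunk.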
@@ -257,7 +257,7 @@ class Article extends Handler_Protected {
}
function getScore() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?");
$sth->execute([$id, $_SESSION['uid']]);
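Review bot: `$id` reaches the prepared statement uncast even though it is bound to the integer `ref_id` column; `$id = (int) clean($_REQUEST['id']);` rejects junk before the query runs. The placeholder and the `owner_uid = ?` predicate already cover injection and cross-user reads, so this is a type check, not an escaping fix. What `clean()` does to a numeric value depends on its definition outside this file.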
@@ -273,9 +273,9 @@ class Article extends Handler_Protected {
function setArticleTags() {
- $id = $_REQUEST["id"];
+ $id = clean($_REQUEST["id"]);
- $tags_str = $_REQUEST["tags_str"];
+ $tags_str = clean($_REQUEST["tags_str"]);
$tags = array_unique(trim_array(explode(",", $tags_str)));
$this->pdo->beginTransaction();
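Review bot: `clean()` is now applied to `$tags_str`, free-text user input that is split into tag names and stored, so whatever transformation clean() performs (it is defined outside this file) becomes a silent change to stored tag names; since the INSERT later in this method uses placeholders, that is a data change rather than an injection fix, and if clean() strips characters users legitimately type it should be reconsidered. `$id` should be cast, `$id = (int) clean($_REQUEST["id"]);`. Tag names are rendered in HTML elsewhere, so output escaping at render time is still required regardless of input cleaning — not visible here. setArticleTags() continues past the hunk.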
@@ -309,7 +309,7 @@ class Article extends Handler_Protected {
if ($tag != '') {
$sth = $this->pdo->prepare("INSERT INTO ttrss_tags
- (post_int_id, owner_uid, tag_name)
+ (post_int_id, owner_uid, tag_name)
VALUES (?, ?, ?)");
$sth->execute([$int_id, $_SESSION['uid'], $tag]);
@@ -342,7 +342,7 @@ class Article extends Handler_Protected {
function completeTags() {
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
$sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags
WHERE owner_uid = ? AND
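Review bot: `$search` is bound through a placeholder, but the remainder of the WHERE clause is outside the hunk; if it feeds a `LIKE` pattern, `%` and `_` in the user input act as wildcards and should be escaped with `addcslashes($search, '%_')` unless wildcard matching is intended. `clean()` does not address that, since it is a string sanitizer defined outside this file rather than a pattern escaper. completeTags() continues past the hunk.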
@@ -369,11 +369,10 @@ class Article extends Handler_Protected {
private function labelops($assign) {
$reply = array();
- $ids = explode(",", $_REQUEST["ids"]);
- $label_id = $_REQUEST["lid"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $label_id = clean($_REQUEST["lid"]);
- $label = db_escape_string(Labels::find_caption($label_id,
- $_SESSION["uid"]));
+ $label = Labels::find_caption($label_id, $_SESSION["uid"]);
$reply["info-for-headlines"] = array();
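Review bot: Dropping `db_escape_string()` around the caption is right — the value goes into `$reply`, not into SQL — but `$label_id` and the elements of `$ids` still arrive as untyped strings; `$label_id = (int) clean($_REQUEST["lid"]);` and `$ids = array_map('intval', explode(",", clean($_REQUEST["ids"])));` match their use as integer keys. Because `$label` now carries the raw caption, any HTML rendering of `$reply` on the client must escape it; that happens outside this hunk. labelops() continues past the hunk.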
@@ -610,6 +609,8 @@ class Article extends Handler_Protected {
$line = $p->hook_render_article($line);
}
+ $line['content'] = rewrite_cached_urls($line['content']);
+
$num_comments = (int) $line["num_comments"];
$entry_comments = "";
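Review bot: `rewrite_cached_urls()` runs on `$line['content']` only after every plugin's `hook_render_article()` has already seen the content, so plugins operate on the un-rewritten URLs; if that ordering is deliberate, a comment would prevent someone moving it: `// rewrite cached media URLs last so plugins see the original links`. If plugins are instead expected to see the final URLs, the call belongs before the hook loop. The enclosing function starts and ends outside the hunk.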
@@ -629,16 +630,52 @@ class Article extends Handler_Protected {
}
}
+ $enclosures = self::get_article_enclosures($line["id"]);
+
if ($zoom_mode) {
header("Content-Type: text/html");
- $rv['content'] .= "