X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=classes%2Farticle.php;h=075da19409d986fb5f58bd0d7de21c216eae7387;hb=ed1262d55a01a6ffbefe01eb3b5fc22d33dfad24;hp=869e746cf195d6df22f460181bfd98ce672e7f21;hpb=e4befe6bf43318766bcfd5a610b26be0aa1f82f0;p=tt-rss.git
diff --git a/classes/article.php b/classes/article.php
old mode 100644
new mode 100755
index 869e746c..075da194
--- a/classes/article.php
+++ b/classes/article.php
@@ -8,6 +8,8 @@ class Article extends Handler_Protected {
}
function redirect() {
+ $id = clean($_REQUEST['id']);
+
$sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE id = ? AND id = ref_id AND owner_uid = ?
LIMIT 1");
@@ -26,9 +28,9 @@ class Article extends Handler_Protected {
}
function view() {
- $id = $_REQUEST["id"];
- $cids = explode(",", $_REQUEST["cids"]);
- $mode = $_REQUEST["mode"];
+ $id = clean($_REQUEST["id"]);
+ $cids = explode(",", clean($_REQUEST["cids"]));
+ $mode = clean($_REQUEST["mode"]);
// in prefetch mode we only output requested cids, main article
// just gets marked as read (it already exists in client cache)
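Review bot: The elements of `$cids` on the second added line remain raw strings after `explode()`, because clean() is applied to the joined value rather than to each id; if they are later used as article ids (outside the hunk), `$cids = array_map('intval', explode(",", clean($_REQUEST["cids"])));` pins the type and discards anything that is not numeric. The same applies to `$ids` in the setScore() and labelops() hunks. A missing or empty `cids` also yields `[""]` rather than an empty list, which is worth handling before any query is built from it. view() continues past the end of the hunk.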
@@ -124,7 +126,7 @@ class Article extends Handler_Protected {
if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) return false;
$pdo = Db::pdo();
-
+
$pdo->beginTransaction();
// only check for our user data here, others might have shared this with different content etc
@@ -208,7 +210,7 @@ class Article extends Handler_Protected {
print __("Tags for this article (separated by commas):")."
";
- $param = $_REQUEST['param'];
+ $param = clean($_REQUEST['param']);
$tags = Article::get_article_tags($param);
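Review bot: `$param` on the changed line is passed straight to `Article::get_article_tags()`; if that helper expects an article id, `$param = (int) clean($_REQUEST['param']);` documents the expectation and stops relying on clean() for type safety. Whether get_article_tags() scopes the lookup to `$_SESSION['uid']` is not visible here and is worth confirming, since the tags are printed for whatever id the request supplies. The enclosing function starts and ends outside the hunk.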
@@ -239,8 +241,8 @@ class Article extends Handler_Protected {
}
function setScore() {
- $ids = explode(",", $_REQUEST['id']);
- $score = (int)$_REQUEST['score'];
+ $ids = explode(",", clean($_REQUEST['id']));
+ $score = (int)clean($_REQUEST['score']);
$ids_qmarks = arr_qmarks($ids);
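Review bot: `$score = (int)clean($_REQUEST['score']);` on the second added line wraps a value in clean() that the `(int)` cast already normalises, so the call adds nothing; `$score = (int) $_REQUEST['score'];` says the same thing more directly. By contrast the `$ids` list on the line above gets clean() but no cast, so the two adjacent lines treat the same kind of input inconsistently. setScore() continues past the end of the hunk.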
@@ -255,7 +257,7 @@ class Article extends Handler_Protected {
}
function getScore() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?");
$sth->execute([$id, $_SESSION['uid']]);
@@ -271,9 +273,9 @@ class Article extends Handler_Protected {
function setArticleTags() {
- $id = $_REQUEST["id"];
+ $id = clean($_REQUEST["id"]);
- $tags_str = $_REQUEST["tags_str"];
+ $tags_str = clean($_REQUEST["tags_str"]);
$tags = array_unique(trim_array(explode(",", $tags_str)));
$this->pdo->beginTransaction();
@@ -307,7 +309,7 @@ class Article extends Handler_Protected {
if ($tag != '') {
$sth = $this->pdo->prepare("INSERT INTO ttrss_tags
- (post_int_id, owner_uid, tag_name)
+ (post_int_id, owner_uid, tag_name)
VALUES (?, ?, ?)");
$sth->execute([$int_id, $_SESSION['uid'], $tag]);
@@ -340,7 +342,7 @@ class Article extends Handler_Protected {
function completeTags() {
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
$sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags
WHERE owner_uid = ? AND
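Review bot: `$search` on the changed line feeds a tag lookup whose WHERE clause continues outside the hunk; if it ends up in a `LIKE` pattern, `%` and `_` in user input act as wildcards, and clean() is unlikely to neutralise them. Escaping them before binding, e.g. `$search = addcslashes(clean($_REQUEST["search"]), '%_');`, keeps completion bounded to a literal prefix (an `ESCAPE` clause may be needed depending on the driver). The prepared statement already covers injection, so this is a matching-semantics point. completeTags() continues past the end of the hunk.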
@@ -367,11 +369,10 @@ class Article extends Handler_Protected {
private function labelops($assign) {
$reply = array();
- $ids = explode(",", $_REQUEST["ids"]);
- $label_id = $_REQUEST["lid"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $label_id = clean($_REQUEST["lid"]);
- $label = db_escape_string(Labels::find_caption($label_id,
- $_SESSION["uid"]));
+ $label = Labels::find_caption($label_id, $_SESSION["uid"]);
$reply["info-for-headlines"] = array();
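Review bot: Dropping `db_escape_string()` around `Labels::find_caption()` on the changed line is only safe if `$label` is afterwards bound through a prepared statement or escaped for the context it is emitted in; the rest of labelops() is outside the hunk, so this is worth confirming rather than assuming. `$label_id` would also benefit from an explicit cast, `$label_id = (int) clean($_REQUEST["lid"]);`, since find_caption() is presumably keyed by an integer id. Style: `array()` on the `$reply` lines could be the short `[]` syntax.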
@@ -601,13 +602,15 @@ class Article extends Handler_Protected {
unset($line["tag_cache"]);
$line["content"] = sanitize($line["content"],
- sql_bool_to_bool($line['hide_images']),
+ $line['hide_images'],
$owner_uid, $line["site_url"], false, $line["id"]);
foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE) as $p) {
$line = $p->hook_render_article($line);
}
+ $line['content'] = rewrite_cached_urls($line['content']);
+
$num_comments = (int) $line["num_comments"];
$entry_comments = "";
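Review bot: `rewrite_cached_urls($line['content'])` on the added line runs after `sanitize()` and after the HOOK_RENDER_ARTICLE plugins, so whatever it returns is emitted as-is; it must only rewrite URL values already present in the sanitized markup and never introduce unescaped text, which cannot be verified from this hunk. Replacing `sql_bool_to_bool($line['hide_images'])` with the raw column also assumes the PDO driver returns a value whose truthiness matches the boolean (true for native bools and 0/1, not for string `"t"`/`"f"`); a comment such as `// hide_images: PDO returns a native/numeric boolean, no sql_bool_to_bool() needed` would record that assumption. The mix of `$line["content"]` and `$line['content']` quoting on adjacent lines is a small style inconsistency. The enclosing function starts and ends outside the hunk.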
@@ -627,17 +630,52 @@ class Article extends Handler_Protected {
}
}
+ $enclosures = self::get_article_enclosures($line["id"]);
+
if ($zoom_mode) {
header("Content-Type: text/html");
- $rv['content'] .= "