properly escape article link/PTITLEs (refs #472)

author Andrew Dolgov <fox@madoka.volgo-balt.ru>

Sun, 21 Oct 2012 21:19:06 +0000 (01:19 +0400)

committer Andrew Dolgov <fox@madoka.volgo-balt.ru>

Sun, 21 Oct 2012 21:19:11 +0000 (01:19 +0400)
author Andrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 21 Oct 2012 21:19:06 +0000 (01:19 +0400)
committer Andrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 21 Oct 2012 21:19:11 +0000 (01:19 +0400)
diff --git a/classes/feeds.php b/classes/feeds.php

index 31224d1db3b6579e3c547441c8bf020fce7e159d..5280502c4dab84eea0de132cae3ce631c390b90c 100644 (file)
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -503,7 +503,7 @@ class Feeds extends Handler_Protected {
                                         $reply['content'] .= "</div>";\r
  \r
                                         $reply['content'] .= "<div id=\"PTITLE-FULL-$id\" style=\"display : none\">" .\r
-                                               strip_tags($line['title']) . "</div>";\r
+                                               htmlspecialchars(strip_tags($line['title'])) . "</div>";\r
  \r
                                         $reply['content'] .= "<span id=\"RTITLE-$id\"\r
                                                 onclick=\"return cdmClicked(event, $id);\"\r
diff --git a/include/functions.php b/include/functions.php

index a80d09cbfb77d5a45ad2486cf740d725b3f65167..f37578ba3704b9b89d9198a3bcc614ad36e778a4 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -3372,7 +3372,7 @@
                                         </head><body>";
                         }
  
-                       $title_escaped = db_escape_string($line['title']);
+                       $title_escaped = htmlspecialchars($line['title']);
  
                         $rv['content'] .= "<div id=\"PTITLE-$id\" style=\"display : none\">" .
                                 truncate_string(strip_tags($line['title']), 15) . "</div>";
@@ -3400,7 +3400,7 @@
                                 $rv['content'] .= "<div class='postTitle'><a target='_blank'
                                         title=\"".htmlspecialchars($line['title'])."\"
                                         href=\"" .
-                                       $line["link"] . "\">" .
+                                       htmlspecialchars($line["link"]) . "\">" .
                                         $line["title"] .
                                         "<span class='author'>$entry_author</span></a></div>";
                         } else {
author	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Sun, 21 Oct 2012 21:19:06 +0000 (01:19 +0400)
committer	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Sun, 21 Oct 2012 21:19:11 +0000 (01:19 +0400)
classes/feeds.php		patch \| blob \| history
include/functions.php		patch \| blob \| history