fix proper escaping of label titles (closes #255)

diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php
index 3e4a9434051213c28cc058c66890f7a6ca922a56..1a65efc025f06277db552e6e10ec3c3d03fd1ce3 100644 (file)
--- a/modules/backend-rpc.php
+++ b/modules/backend-rpc.php
@@ -450,7 +450,8 @@
                        $ids = split(",", db_escape_string($_REQUEST["ids"]));
                        $label_id = db_escape_string($_REQUEST["lid"]);
 
-                       $label = label_find_caption($link, $label_id, $_SESSION["uid"]);
+                       $label = db_escape_string(label_find_caption($link, $label_id, 
+                               $_SESSION["uid"]));
 
                        print "<rpc-reply>";
                        print "<info-for-headlines>";
@@ -485,7 +486,8 @@
                        $ids = split(",", db_escape_string($_REQUEST["ids"]));
                        $label_id = db_escape_string($_REQUEST["lid"]);
 
-                       $label = label_find_caption($link, $label_id, $_SESSION["uid"]);
+                       $label = db_escape_string(label_find_caption($link, $label_id, 
+                               $_SESSION["uid"]));
 
                        print "<rpc-reply>";                    
 

diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index 3362288017d1ed1cb3b959816fa4ac9f6a4528a6..02e5a2be94ce39317c253f9515b1bca43820a069 100644 (file)
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -61,6 +61,8 @@
 
                                                /* Update filters that reference label being renamed */
 
+                                               $old_caption = db_escape_string($old_caption);
+
                                                db_query($link, "UPDATE ttrss_filters SET
                                                        action_param = '$caption' WHERE action_param = '$old_caption'
                                                        AND action_id = 7