disable html objects in article content, breaks layout

diff --git a/backend.php b/backend.php
index e4329a26c96f874213ea96b324ac1621b1217be7..ebbf33a687da4595b271640ed0f6054e3a6f3563 100644 (file)
--- a/backend.php
+++ b/backend.php
@@ -650,6 +650,8 @@
                                $line["content"] = preg_replace("/href=/i", "target=\"_new\" href=", $line["content"]);
                        }
 
+                       $line["content"] = sanitize_rss($line["content"]);
+
                        print $line["content"] . "</div>";
                        
                        print "</div>";
@@ -1335,13 +1337,13 @@
                        
                        print "</td>";
 
-                       $auth_login = db_fetch_result($result, 0, "auth_login");
+                       $auth_login = escape_for_form(db_fetch_result($result, 0, "auth_login"));
 
                        print "<tr><td>Login:</td>";
                        print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event)\"
                                name=\"auth_login\" value=\"$auth_login\"></td></tr>";
 
-                       $auth_pass = db_fetch_result($result, 0, "auth_pass");
+                       $auth_pass = escape_for_form(db_fetch_result($result, 0, "auth_pass"));
 
                        print "<tr><td>Password:</td>";
                        print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\" 

diff --git a/functions.php b/functions.php
index 600a776c6394cd1e5a1bb5cb79dc3afd7dcb16aa..e5f06da371b4e82e951438ed8ad16aed696260e1 100644 (file)
--- a/functions.php
+++ b/functions.php
@@ -2449,6 +2449,13 @@
                $res = preg_replace('/<\/script>/i', 
                        "</p>", $res);
 
+               $res = preg_replace('/<object.*?>.*?<\/object>/i', 
+                       "<p class=\"objectWarn\">(Disabled html object 
+                       - flash or other embedded content)</p>", $str);
+
+               $res = preg_replace('/<\/object>/i', 
+                       "</p>", $res);
+
                return $res;
        }
 
@@ -2637,4 +2644,8 @@
                }
        }
 
+       function escape_for_form($s) {
+               return htmlspecialchars(db_unescape_string($s));
+       }
+
 ?>

diff --git a/tt-rss.css b/tt-rss.css
index 5f771fe6eaff1f1df181b4fc8eb5802a74d46f26..ec4b51320c2fbfcf13a8577dc65dd372e52b62c7 100644 (file)
--- a/tt-rss.css
+++ b/tt-rss.css
@@ -1172,6 +1172,12 @@ span.debugTS {
        font-weight : bold;
 }
 
+.objectWarn {
+       color : gray;
+       padding : 3px;
+       font-style: italic;
+}
+
 table.loginForm2 {
        padding : 1em;
 }