}\r
}\r
\r
-# $feed_site_url = $line["site_url"];\r
- $article_content = $line["content_preview"];\r
+ $feed_site_url = $line["site_url"];\r
+\r
+ $article_content = sanitize($this->link, $line["content_preview"],\r
+ false, false, $feed_site_url);\r
\r
$reply['content'] .= "<div id=\"POSTNOTE-$id\">";\r
if ($line['note']) {\r
$tpl->setVariable('ARTICLE_EXCERPT',
truncate_string(strip_tags($line["content_preview"]), 100, '...'), true);
- $content = $line["content_preview"];
+ $content = sanitize($this->link, $line["content_preview"], false, $owner_uid);
if ($line['note']) {
$content = "<div style=\"$note_style\">Article note: " . $line['note'] . "</div>" .
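Review bot: The note on the context line that follows the new `sanitize()` call is still concatenated into `$content` as raw markup (`"Article note: " . $line['note'] . "</div>"`), so the article body is filtered but the wrapper prepended to it is not. If notes are meant to be plain text, escape the value where it is embedded, e.g. `htmlspecialchars($line['note'])`. The same unescaped `$line['note']` is copied into `$article['note']` in the next hunk, where the consumer of that array has to escape it. The concatenation continues past the end of this hunk, so the rest of the expression cannot be checked from here.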
$article['link'] = $line['link'];
$article['title'] = $line['title'];
$article['excerpt'] = truncate_string(strip_tags($line["content_preview"]), 100, '...');
- $article['content'] = $line["content_preview"];
+ $article['content'] = sanitize($this->link, $line["content_preview"], false, $owner_uid);
$article['updated'] = date('c', strtotime($line["updated"]));
if ($line['note']) $article['note'] = $line['note'];
FROM ttrss_entries, ttrss_user_entries
WHERE id = '$article_id' AND ref_id = id AND owner_uid = ".$_SESSION['uid']);
- $content = db_fetch_result($result, 0, "content");
+ $content = sanitize($this->link, db_fetch_result($result, 0, "content"));
$title = strip_tags(db_fetch_result($result, 0, "title"));
$article_url = htmlspecialchars(db_fetch_result($result, 0, "link"));
$marked = sql_bool_to_bool(db_fetch_result($result, 0, "marked"));
}
- function sanitize($link, $str, $owner = false, $site_url = false) {
+ function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
if (!$owner) $owner = $_SESSION["uid"];
$res = trim($str); if (!$res) return '';
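Review bot: Inserting `$force_strip_tags` as the third positional parameter of `sanitize()` moves `$owner` and `$site_url` one slot to the right, so any caller not updated by this commit that still passes the owner uid third would have it read as the strip-tags flag and would fall back to `$_SESSION["uid"]` for the owner. The call sites visible in this diff were adjusted, but callers elsewhere cannot be checked from here. Appending the flag keeps existing calls valid: `function sanitize($link, $str, $owner = false, $site_url = false, $force_strip_tags = false) {`. The function body continues outside the hunk, so how the flag is used is not visible.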
}
} // function encrypt_password
+ function sanitize_article_content($text) {
+ # we don't support CDATA sections in articles, they break our own escaping
+ $text = preg_replace("/\[\[CDATA/", "", $text);
+ $text = preg_replace("/\]\]\>/", "", $text);
+ return db_escape_string($text, false);
+ }
+
function load_filters($link, $feed_id, $owner_uid, $action_id = false) {
$filters = array();
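Review bot: The first pattern in `sanitize_article_content()`, `/\[\[CDATA/`, needs two opening brackets before `CDATA` and therefore never matches the standard section opener `<![CDATA[`; only the closing `]]>` is removed. A literal replacement handles both markers: `$text = str_replace(array("<![CDATA[", "]]>"), "", $text);`. Despite its name the function does no HTML filtering, only this stripping plus `db_escape_string()`, so content is stored as raw feed markup and every read path has to call `sanitize()` or `strip_tags()` before output; a comment above the function such as `# storage-side escaping only; HTML is filtered at display time by sanitize()` would make that contract explicit. The same concern applies to the `$entry_title` assignment in the later update_rss_feed hunk, which went through an explicit `strip_tags()` before this change and, as far as the diff shows, no longer does.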
}
# sanitize content
- $entry_content = db_escape_string(sanitize($link, $entry_content, $owner_uid, $site_url));
- $entry_title = db_escape_string(strip_tags($entry_title));
+ $entry_content = sanitize_article_content($entry_content);
+ $entry_title = sanitize_article_content($entry_title);
if ($debug_enabled) {
_debug("update_rss_feed: done collecting data [TITLE:$entry_title]");