sanitize article content when importing data from feed
authorAndrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 28 Oct 2012 08:44:10 +0000 (12:44 +0400)
committerAndrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 28 Oct 2012 08:44:10 +0000 (12:44 +0400)
classes/feeds.php
classes/handler/public.php
classes/rpc.php
include/functions.php
include/rssfuncs.php

index fd98314a9c7a23291902191cfc77a09bd909dbe4..d924eeb3e0e537dc2446e2cdd877b65879559370 100644 (file)
@@ -626,10 +626,8 @@ class Feeds extends Handler_Protected {
                                                }\r
                                        }\r
 \r
-                                       $feed_site_url = $line["site_url"];\r
-\r
-                                       $article_content = sanitize($this->link, $line["content_preview"],\r
-                                                       false, false, $feed_site_url);\r
+#                                      $feed_site_url = $line["site_url"];\r
+                                       $article_content = $line["content_preview"];\r
 \r
                                        $reply['content'] .= "<div id=\"POSTNOTE-$id\">";\r
                                        if ($line['note']) {\r
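Review bot: The new line `$article_content = $line["content_preview"];` emits the stored content without the htmLawed pass that sanitize() used to apply at render time, so any article row written before this commit, or by a path other than the patched feed update (I cannot see the other writers from this diff), now reaches the page unfiltered. The same removal is made in classes/handler/public.php (both hunks) and classes/rpc.php. Unless existing rows are re-sanitized by a migration or a forced re-fetch, keeping the render-time call `$article_content = sanitize($this->link, $line["content_preview"], $owner_uid, $line["site_url"]);` here until that is done would preserve the old guarantee. The commented-out `# $feed_site_url = $line["site_url"];` line is dead code on the new side and should be deleted rather than left as a comment. The enclosing method begins outside this hunk.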
index d3c3fc094cba5d6bd38dbf7a64643c4fb23ea031..0aa86a8442afc1237c09df1995a3885e69166632 100644 (file)
@@ -61,7 +61,7 @@ class Handler_Public extends Handler {
                                $tpl->setVariable('ARTICLE_EXCERPT',
                                        truncate_string(strip_tags($line["content_preview"]), 100, '...'), true);
 
-                               $content = sanitize($this->link, $line["content_preview"], false, $owner_uid);
+                               $content = $line["content_preview"];
 
                                if ($line['note']) {
                                        $content = "<div style=\"$note_style\">Article note: " . $line['note'] . "</div>" .
@@ -132,7 +132,7 @@ class Handler_Public extends Handler {
                                $article['link']        = $line['link'];
                                $article['title'] = $line['title'];
                                $article['excerpt'] = truncate_string(strip_tags($line["content_preview"]), 100, '...');
-                               $article['content'] = sanitize($this->link, $line["content_preview"], false, $owner_uid);
+                               $article['content'] = $line["content_preview"];
                                $article['updated'] = date('c', strtotime($line["updated"]));
 
                                if ($line['note']) $article['note'] = $line['note'];
index cb3eeda98ff73a6e891e5a335a909eac96d91404..56b13dc51410de584538e260f84040335ce40099 100644 (file)
@@ -584,7 +584,7 @@ class RPC extends Handler_Protected {
                        FROM ttrss_entries, ttrss_user_entries
                        WHERE id = '$article_id' AND ref_id = id AND owner_uid = ".$_SESSION['uid']);
 
-               $content = sanitize($this->link, db_fetch_result($result, 0, "content"));
+               $content = db_fetch_result($result, 0, "content");
                $title = strip_tags(db_fetch_result($result, 0, "title"));
                $article_url = htmlspecialchars(db_fetch_result($result, 0, "link"));
                $marked = sql_bool_to_bool(db_fetch_result($result, 0, "marked"));
index f607cb3cc2ba5c9187203800cb77e7be169417e1..a8f42d6d5165b8b61596bab1a82b1c7b03d0d14f 100644 (file)
 
        }
 
-       function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
+       function sanitize($link, $str, $owner = false, $site_url = false) {
                if (!$owner) $owner = $_SESSION["uid"];
 
                $res = trim($str); if (!$res) return '';
 
+               # we don't support CDATA sections in articles, they break our own escaping
+               $res = preg_replace("/\[\[CDATA/", "", $res);
+               $res = preg_replace("/\]\]\>/", "", $res);
+
                $config = array('safe' => 1, 'deny_attribute' => 'style');
                $res = htmLawed($res, $config);
 
                }
        } // function encrypt_password
 
-       function sanitize_article_content($text) {
-               # we don't support CDATA sections in articles, they break our own escaping
-               $text = preg_replace("/\[\[CDATA/", "", $text);
-               $text = preg_replace("/\]\]\>/", "", $text);
-               return $text;
-       }
-
        function load_filters($link, $feed_id, $owner_uid, $action_id = false) {
                $filters = array();
 
index 14fa5f34838640c5de79e435fadd53f923eb3987..af62a5041cdb247525ad652765e71ec01f564aa8 100644 (file)
                                }
 
                                # sanitize content
-
-                               $entry_content = sanitize_article_content($entry_content);
-                               $entry_title = sanitize_article_content($entry_title);
+                               $entry_content = sanitize($link, $entry_content, $owner_uid, $site_url);
+                               $entry_title = strip_tags($entry_title);
 
                                if ($debug_enabled) {
                                        _debug("update_rss_feed: done collecting data [TITLE:$entry_title]");
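Review bot: Once `$entry_content = sanitize($link, $entry_content, $owner_uid, $site_url);` runs at import time, the filtered HTML is what gets stored, so a later change to sanitize()'s htmLawed configuration will not reach articles already in the database; that consequence belongs next to the `# sanitize content` comment, e.g. `# sanitized once at fetch time and stored as-is; a change to sanitize() only affects newly fetched articles`. The title now goes through `strip_tags()` only, which removes tags but leaves entity-encoded text as it is, so output code must still escape it; presumably it does, but this hunk does not show it. The enclosing function (update_rss_feed, going by the _debug prefix) begins and ends outside this hunk.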