disable scripts in rss entry content

diff --git a/functions.php b/functions.php
index 2e65f7a3508f5447d667c86226021416ab9375ef..133a8ccf9092a9039a70ebf80edc8afe6ea39734 100644 (file)
--- a/functions.php
+++ b/functions.php
@@ -530,6 +530,13 @@
 
                                }
 
+                               # sanitize content
+                               $entry_content = preg_replace('/<script.*?>/i', 
+                                       "<p class=\"scriptWarn\">", $entry_content);
+
+                               $entry_content = preg_replace('/<\/script>/i', 
+                                       "</p>", $entry_content);
+
                                db_query($link, "BEGIN");
 
                                if (db_num_rows($result) == 0) {

diff --git a/tt-rss.css b/tt-rss.css
index f69d2444ed5d1070915b61cda3da4fc9d9952952..8d29213ba27efca0d4a496a0997a7171d62c2d99 100644 (file)
--- a/tt-rss.css
+++ b/tt-rss.css
@@ -1145,3 +1145,15 @@ span.debugTS {
 #backReqBox {
        display : none;
 }
+
+.scriptWarn:before {
+       content : "Disabled script:";
+}
+
+.scriptWarn {
+       color : white;
+       background-color : #903030;
+       border : 1px solid #601010;
+       padding : 3px;
+       font-weight : bold;
+}