return false;
}
- $this->seq = (int) $_REQUEST['seq'];
+ $this->seq = (int) clean($_REQUEST['seq']);
return true;
}
@session_destroy();
@session_start();
- $login = $_REQUEST["user"];
- $password = $_REQUEST["password"];
- $password_base64 = base64_decode($_REQUEST["password"]);
+ $login = clean($_REQUEST["user"]);
+ $password = clean($_REQUEST["password"]);
+ $password_base64 = base64_decode(clean($_REQUEST["password"]));
if (SINGLE_USER_MODE) $login = "admin";
}
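Review bot: Passing the submitted password through clean() on L13 alters the credential before it is verified; clean() is not defined on this page, but if it trims whitespace or strips tag-like text (its pairing with trim() and strip_tags() elsewhere in this patch suggests some normalisation), a password containing those characters will no longer match its stored hash, and the same applies to L320, L749-L751, L771, L777 and L815. A secret should reach the verifier unchanged, i.e. keep `$password = $_REQUEST["password"];` and only ever use the raw value in the hash comparison. If clean() is known to be a no-op for such strings, a one-line comment at this first call site saying so would spare the next reader the same question. The enclosing login routine starts before L7, outside the hunk.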
function getUnread() {
- $feed_id = $_REQUEST["feed_id"];
- $is_cat = $_REQUEST["is_cat"];
+ $feed_id = clean($_REQUEST["feed_id"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
if ($feed_id) {
$this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat)));
}
function getFeeds() {
- $cat_id = $_REQUEST["cat_id"];
- $unread_only = API::param_to_bool($_REQUEST["unread_only"]);
- $limit = (int) $_REQUEST["limit"];
- $offset = (int) $_REQUEST["offset"];
- $include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+ $cat_id = clean($_REQUEST["cat_id"]);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $limit = (int) clean($_REQUEST["limit"]);
+ $offset = (int) clean($_REQUEST["offset"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
$feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
}
function getCategories() {
- $unread_only = API::param_to_bool($_REQUEST["unread_only"]);
- $enable_nested = API::param_to_bool($_REQUEST["enable_nested"]);
- $include_empty = API::param_to_bool($_REQUEST['include_empty']);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
// TODO do not return empty categories, return Uncategorized and standard virtual cats
}
function getHeadlines() {
- $feed_id = $_REQUEST["feed_id"];
+ $feed_id = clean($_REQUEST["feed_id"]);
if ($feed_id != "") {
if (is_numeric($feed_id)) $feed_id = (int) $feed_id;
- $limit = (int)$_REQUEST["limit"];
+ $limit = (int)clean($_REQUEST["limit"]);
if (!$limit || $limit >= 200) $limit = 200;
- $offset = (int)$_REQUEST["skip"];
- $filter = $_REQUEST["filter"];
- $is_cat = API::param_to_bool($_REQUEST["is_cat"]);
- $show_excerpt = API::param_to_bool($_REQUEST["show_excerpt"]);
- $show_content = API::param_to_bool($_REQUEST["show_content"]);
+ $offset = (int)clean($_REQUEST["skip"]);
+ $filter = clean($_REQUEST["filter"]);
+ $is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));
+ $show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"]));
+ $show_content = API::param_to_bool(clean($_REQUEST["show_content"]));
/* all_articles, unread, adaptive, marked, updated */
- $view_mode = $_REQUEST["view_mode"];
- $include_attachments = API::param_to_bool($_REQUEST["include_attachments"]);
- $since_id = (int)$_REQUEST["since_id"];
- $include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+ $view_mode = clean($_REQUEST["view_mode"]);
+ $include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"]));
+ $since_id = (int)clean($_REQUEST["since_id"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
$sanitize_content = !isset($_REQUEST["sanitize"]) ||
API::param_to_bool($_REQUEST["sanitize"]);
- $force_update = API::param_to_bool($_REQUEST["force_update"]);
- $has_sandbox = API::param_to_bool($_REQUEST["has_sandbox"]);
- $excerpt_length = (int)$_REQUEST["excerpt_length"];
- $check_first_id = (int)$_REQUEST["check_first_id"];
- $include_header = API::param_to_bool($_REQUEST["include_header"]);
+ $force_update = API::param_to_bool(clean($_REQUEST["force_update"]));
+ $has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"]));
+ $excerpt_length = (int)clean($_REQUEST["excerpt_length"]);
+ $check_first_id = (int)clean($_REQUEST["check_first_id"]);
+ $include_header = API::param_to_bool(clean($_REQUEST["include_header"]));
$_SESSION['hasSandbox'] = $has_sandbox;
$skip_first_id_check = false;
$override_order = false;
- switch ($_REQUEST["order_by"]) {
+ switch (clean($_REQUEST["order_by"])) {
case "title":
$override_order = "ttrss_entries.title, date_entered, updated";
break;
/* do not rely on params below */
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order,
}
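Review bot: `$_REQUEST["sanitize"]` on L74-L75 is still read without clean() while every neighbouring parameter of getHeadlines now goes through it; the same raw reads remain on L114-L115 and in `new Pref_Feeds($_REQUEST)` on L179. If the omission is deliberate (param_to_bool may only need a truthy check), a short comment would keep the next sweep from "fixing" it; otherwise `API::param_to_bool(clean($_REQUEST["sanitize"]))` matches the rest of the patch. getHeadlines continues past the end of this hunk.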
function updateArticle() {
- $article_ids = explode(",", $_REQUEST["article_ids"]);
- $mode = (int) $_REQUEST["mode"];
- $data = $_REQUEST["data"];
- $field_raw = (int)$_REQUEST["field"];
+ $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+ $mode = (int) clean($_REQUEST["mode"]);
+ $data = clean($_REQUEST["data"]);
+ $field_raw = (int)clean($_REQUEST["field"]);
$field = "";
$set_to = "";
function getArticle() {
- $article_ids = explode(",", $_REQUEST["article_id"]);
+ $article_ids = explode(",", clean($_REQUEST["article_id"]));
$sanitize_content = !isset($_REQUEST["sanitize"]) ||
API::param_to_bool($_REQUEST["sanitize"]);
}
function updateFeed() {
- $feed_id = (int) $_REQUEST["feed_id"];
+ $feed_id = (int) clean($_REQUEST["feed_id"]);
if (!ini_get("open_basedir")) {
RSSUtils::update_rss_feed($feed_id);
}
function catchupFeed() {
- $feed_id = $_REQUEST["feed_id"];
- $is_cat = $_REQUEST["is_cat"];
+ $feed_id = clean($_REQUEST["feed_id"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
Feeds::catchup_feed($feed_id, $is_cat);
}
function getPref() {
- $pref_name = $_REQUEST["pref_name"];
+ $pref_name = clean($_REQUEST["pref_name"]);
$this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name)));
}
function getLabels() {
- $article_id = (int)$_REQUEST['article_id'];
+ $article_id = (int)clean($_REQUEST['article_id']);
$rv = array();
function setArticleLabel() {
- $article_ids = explode(",", $_REQUEST["article_ids"]);
- $label_id = (int) $_REQUEST['label_id'];
- $assign = API::param_to_bool($_REQUEST['assign']);
+ $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+ $label_id = (int) clean($_REQUEST['label_id']);
+ $assign = API::param_to_bool(clean($_REQUEST['assign']));
$label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]);
}
function shareToPublished() {
- $title = strip_tags($_REQUEST["title"]);
- $url = strip_tags($_REQUEST["url"]);
- $content = strip_tags($_REQUEST["content"]);
+ $title = strip_tags(clean($_REQUEST["title"]));
+ $url = strip_tags(clean($_REQUEST["url"]));
+ $content = strip_tags(clean($_REQUEST["content"]));
if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
$this->wrap(self::STATUS_OK, array("status" => 'OK'));
}
function unsubscribeFeed() {
- $feed_id = (int) $_REQUEST["feed_id"];
+ $feed_id = (int) clean($_REQUEST["feed_id"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
id = ? AND owner_uid = ?");
}
function subscribeToFeed() {
- $feed_url = $_REQUEST["feed_url"];
- $category_id = (int) $_REQUEST["category_id"];
- $login = $_REQUEST["login"];
- $password = $_REQUEST["password"];
+ $feed_url = clean($_REQUEST["feed_url"]);
+ $category_id = (int) clean($_REQUEST["category_id"]);
+ $login = clean($_REQUEST["login"]);
+ $password = clean($_REQUEST["password"]);
if ($feed_url) {
$rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password);
}
function getFeedTree() {
- $include_empty = API::param_to_bool($_REQUEST['include_empty']);
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
$pf = new Pref_Feeds($_REQUEST);
}
function redirect() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE id = ? AND id = ref_id AND owner_uid = ?
}
function view() {
- $id = $_REQUEST["id"];
- $cids = explode(",", $_REQUEST["cids"]);
- $mode = $_REQUEST["mode"];
+ $id = clean($_REQUEST["id"]);
+ $cids = explode(",", clean($_REQUEST["cids"]));
+ $mode = clean($_REQUEST["mode"]);
// in prefetch mode we only output requested cids, main article
// just gets marked as read (it already exists in client cache)
print __("Tags for this article (separated by commas):")."<br>";
- $param = $_REQUEST['param'];
+ $param = clean($_REQUEST['param']);
$tags = Article::get_article_tags($param);
}
function setScore() {
- $ids = explode(",", $_REQUEST['id']);
- $score = (int)$_REQUEST['score'];
+ $ids = explode(",", clean($_REQUEST['id']));
+ $score = (int)clean($_REQUEST['score']);
$ids_qmarks = arr_qmarks($ids);
}
function getScore() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?");
$sth->execute([$id, $_SESSION['uid']]);
function setArticleTags() {
- $id = $_REQUEST["id"];
+ $id = clean($_REQUEST["id"]);
- $tags_str = $_REQUEST["tags_str"];
+ $tags_str = clean($_REQUEST["tags_str"]);
$tags = array_unique(trim_array(explode(",", $tags_str)));
$this->pdo->beginTransaction();
function completeTags() {
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
$sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags
WHERE owner_uid = ? AND
private function labelops($assign) {
$reply = array();
- $ids = explode(",", $_REQUEST["ids"]);
- $label_id = $_REQUEST["lid"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $label_id = clean($_REQUEST["lid"]);
$label = db_escape_string(Labels::find_caption($label_id,
$_SESSION["uid"]));
}
function help() {
- $topic = basename($_REQUEST["topic"]);
+ $topic = basename(clean($_REQUEST["topic"]));
switch ($topic) {
case "main":
$tpl->addBlock('feed');
$tpl->generateOutputToString($tmp);
- if (@!$_REQUEST["noxml"]) {
+ if (@!clean($_REQUEST["noxml"])) {
header("Content-Type: text/xml; charset=utf-8");
} else {
header("Content-Type: text/plain; charset=utf-8");
}
function getUnread() {
- $login = $_REQUEST["login"];
- $fresh = $_REQUEST["fresh"] == "1";
+ $login = clean($_REQUEST["login"]);
+ $fresh = clean($_REQUEST["fresh"]) == "1";
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
$sth->execute([$login]);
}
function getProfiles() {
- $login = $_REQUEST["login"];
+ $login = clean($_REQUEST["login"]);
$sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
}
function share() {
- $uuid = $_REQUEST["key"];
+ $uuid = clean($_REQUEST["key"]);
$sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
uuid = ?");
}
function rss() {
- $feed = $_REQUEST["id"];
- $key = $_REQUEST["key"];
- $is_cat = $_REQUEST["is_cat"];
- $limit = (int)$_REQUEST["limit"];
- $offset = (int)$_REQUEST["offset"];
+ $feed = clean($_REQUEST["id"]);
+ $key = clean($_REQUEST["key"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
+ $limit = (int)clean($_REQUEST["limit"]);
+ $offset = (int)clean($_REQUEST["offset"]);
- $search = $_REQUEST["q"];
- $view_mode = $_REQUEST["view-mode"];
- $order = $_REQUEST["order"];
- $start_ts = $_REQUEST["ts"];
+ $search = clean($_REQUEST["q"]);
+ $view_mode = clean($_REQUEST["view-mode"]);
+ $order = clean($_REQUEST["order"]);
+ $start_ts = clean($_REQUEST["ts"]);
- $format = $_REQUEST['format'];
- $orig_guid = $_REQUEST["orig_guid"];
+ $format = clean($_REQUEST['format']);
+ $orig_guid = clean($_REQUEST["orig_guid"]);
if (!$format) $format = 'atom';
print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
</head><body id='sharepopup' class='ttrss_utility'>";
- $action = $_REQUEST["action"];
+ $action = clean($_REQUEST["action"]);
if ($_SESSION["uid"]) {
if ($action == 'share') {
- $title = strip_tags($_REQUEST["title"]);
- $url = strip_tags($_REQUEST["url"]);
- $content = strip_tags($_REQUEST["content"]);
- $labels = strip_tags($_REQUEST["labels"]);
+ $title = strip_tags(clean($_REQUEST["title"]));
+ $url = strip_tags(clean($_REQUEST["url"]));
+ $content = strip_tags(clean($_REQUEST["content"]));
+ $labels = strip_tags(clean($_REQUEST["labels"]));
Article::create_published_article($title, $url, $content, $labels,
$_SESSION["uid"]);
print "</script>";
} else {
- $title = htmlspecialchars($_REQUEST["title"]);
- $url = htmlspecialchars($_REQUEST["url"]);
+ $title = htmlspecialchars(clean($_REQUEST["title"]));
+ $url = htmlspecialchars(clean($_REQUEST["url"]));
?>
function login() {
if (!SINGLE_USER_MODE) {
- $login = $_POST["login"];
- $password = $_POST["password"];
- $remember_me = $_POST["remember_me"];
+ $login = clean($_POST["login"]);
+ $password = clean($_POST["password"]);
+ $remember_me = clean($_POST["remember_me"]);
if ($remember_me) {
session_set_cookie_params(SESSION_COOKIE_LIFETIME);
}
$_SESSION["ref_schema_version"] = get_schema_version(true);
- $_SESSION["bw_limit"] = !!$_POST["bw_limit"];
+ $_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]);
- if ($_POST["profile"]) {
+ if (clean($_POST["profile"])) {
- $profile = $_POST["profile"];
+ $profile = clean($_POST["profile"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
WHERE id = ? AND owner_uid = ?");
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
}
- if ($_REQUEST['return']) {
- header("Location: " . $_REQUEST['return']);
+ if (clean($_REQUEST['return'])) {
+ header("Location: " . clean($_REQUEST['return']));
} else {
header("Location: " . get_self_url_prefix());
}
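Review bot: The redirect on L339 still sends the browser to whatever `return` contains; clean() does not visibly restrict the target to this installation, so the value should be checked against the site's own URL prefix before it is placed in a Location header. Capturing it once with `$return = clean($_REQUEST['return']);` and guarding with `if ($return && strpos($return, get_self_url_prefix()) === 0) {`, with the existing else branch on L340-L341 as the fallback, keeps the redirect on-site; get_self_url_prefix() is already in use on L341. login() begins on L314 and its body continues outside this hunk.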
/* function subtest() {
header("Content-type: text/plain; charset=utf-8");
- $url = $_REQUEST["url"];
+ $url = clean($_REQUEST["url"]);
print "$url\n\n";
if ($_SESSION["uid"]) {
- $feed_url = trim($_REQUEST["feed_url"]);
+ $feed_url = trim(clean($_REQUEST["feed_url"]));
header('Content-Type: text/html; charset=utf-8');
print "<html>
function forgotpass() {
startup_gettext();
- @$hash = $_REQUEST["hash"];
+ @$hash = clean($_REQUEST["hash"]);
header('Content-Type: text/html; charset=utf-8');
print "<html><head><title>Tiny Tiny RSS</title>
print "<h1>".__("Password recovery")."</h1>";
print "<div class='content'>";
- @$method = $_POST['method'];
+ @$method = clean($_POST['method']);
if ($hash) {
- $login = $_REQUEST["login"];
+ $login = clean($_REQUEST["login"]);
if ($login) {
$sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
print "</form>";
} else if ($method == 'do') {
- $login = $_POST["login"];
- $email = $_POST["email"];
- $test = $_POST["test"];
+ $login = clean($_POST["login"]);
+ $email = clean($_POST["email"]);
+ $test = clean($_POST["test"]);
if (($test != 4 && $test != 'four') || !$email || !$login) {
print_error(__('Some of the required form parameters are missing or incorrect.'));
<div class="content">
<?php
- @$op = $_REQUEST["subop"];
+ @$op = clean($_REQUEST["subop"]);
$updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION);
if ($op == "performupdate") {
public function pluginhandler() {
$host = new PluginHost();
- $plugin = basename($_REQUEST["plugin"]);
- $method = $_REQUEST["pmethod"];
+ $plugin = basename(clean($_REQUEST["plugin"]));
+ $method = clean($_REQUEST["pmethod"]);
$host->load($plugin, PluginHost::KIND_USER, 0);
$host->load_data();
}
function catchall($method) {
- $plugin = PluginHost::getInstance()->get_plugin($_REQUEST["plugin"]);
+ $plugin = PluginHost::getInstance()->get_plugin(clean($_REQUEST["plugin"]));
if ($plugin) {
if (method_exists($plugin, $method)) {
}
function renamecat() {
- $title = $_REQUEST['title'];
- $id = $_REQUEST['id'];
+ $title = clean($_REQUEST['title']);
+ $id = clean($_REQUEST['id']);
if ($title) {
$sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET
private function get_category_items($cat_id) {
- if ($_REQUEST['mode'] != 2)
+ if (clean($_REQUEST['mode']) != 2)
$search = $_SESSION["prefs_feed_search"];
else
$search = "";
// first one is set by API
- $show_empty_cats = $_REQUEST['force_show_empty'] ||
- ($_REQUEST['mode'] != 2 && !$search);
+ $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+ (clean($_REQUEST['mode']) != 2 && !$search);
$items = array();
function makefeedtree() {
- if ($_REQUEST['mode'] != 2)
+ if (clean($_REQUEST['mode']) != 2)
$search = $_SESSION["prefs_feed_search"];
else
$search = "";
$enable_cats = get_pref('ENABLE_FEED_CATS');
- if ($_REQUEST['mode'] == 2) {
+ if (clean($_REQUEST['mode']) == 2) {
if ($enable_cats) {
$cat = $this->feedlist_init_cat(-1);
}
if ($enable_cats) {
- $show_empty_cats = $_REQUEST['force_show_empty'] ||
- ($_REQUEST['mode'] != 2 && !$search);
+ $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+ (clean($_REQUEST['mode']) != 2 && !$search);
$sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories
WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title");
$fl['identifier'] = 'id';
$fl['label'] = 'name';
- if ($_REQUEST['mode'] != 2) {
+ if (clean($_REQUEST['mode']) != 2) {
$fl['items'] = array($root);
} else {
$fl['items'] = $root['items'];
}
function savefeedorder() {
- $data = json_decode($_POST['payload'], true);
+ $data = json_decode(clean($_POST['payload']), true);
- #file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+ #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
if (!is_array($data['items']))
}
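Review bot: Wrapping the JSON payload in clean() before json_decode() on L447 risks corrupting it: if clean() trims or strips tag-like text (its definition is not on this page), a string value containing `<` is altered, json_decode() returns null, and the is_array() check on L451 then reports a bad payload. The same pattern appears on L570, L592, L603, L609, L615, L649, L655, L681 and L687, and filter-rule JSON in particular carries user regular expressions where `<` is plausible. Decoding the raw value with `$data = json_decode($_POST['payload'], true);` and applying clean() to the individual decoded fields where they are used would keep the parse intact. savefeedorder's body may continue outside the hunk.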
function removeicon() {
- $feed_id = $_REQUEST["feed_id"];
+ $feed_id = clean($_REQUEST["feed_id"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
WHERE id = ? AND owner_uid = ?");
}
$icon_file = $tmp_file;
- $feed_id = $_REQUEST["feed_id"];
+ $feed_id = clean($_REQUEST["feed_id"]);
if (is_file($icon_file) && $feed_id) {
if (filesize($icon_file) < 65535) {
global $update_intervals;
- $feed_id = $_REQUEST["id"];
+ $feed_id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND
owner_uid = ?");
global $purge_intervals;
global $update_intervals;
- $feed_ids = $_REQUEST["ids"];
+ $feed_ids = clean($_REQUEST["ids"]);
print_notice("Enable the options you wish to apply using checkboxes on the right:");
function editsaveops($batch) {
- $feed_title = trim($_POST["title"]);
- $feed_url = trim($_POST["feed_url"]);
- $upd_intl = (int) $_POST["update_interval"];
- $purge_intl = (int) $_POST["purge_interval"];
- $feed_id = (int) $_POST["id"]; /* editSave */
- $feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */
- $cat_id = (int) $_POST["cat_id"];
- $auth_login = trim($_POST["auth_login"]);
- $auth_pass = trim($_POST["auth_pass"]);
- $private = checkbox_to_sql_bool($_POST["private"]);
+ $feed_title = trim(clean($_POST["title"]));
+ $feed_url = trim(clean($_POST["feed_url"]));
+ $upd_intl = (int) clean($_POST["update_interval"]);
+ $purge_intl = (int) clean($_POST["purge_interval"]);
+ $feed_id = (int) clean($_POST["id"]); /* editSave */
+ $feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */
+ $cat_id = (int) clean($_POST["cat_id"]);
+ $auth_login = trim(clean($_POST["auth_login"]));
+ $auth_pass = trim(clean($_POST["auth_pass"]));
+ $private = checkbox_to_sql_bool(clean($_POST["private"]));
$include_in_digest = checkbox_to_sql_bool(
- $_POST["include_in_digest"]);
+ clean($_POST["include_in_digest"]));
$cache_images = checkbox_to_sql_bool(
- $_POST["cache_images"]);
+ clean($_POST["cache_images"]));
$hide_images = checkbox_to_sql_bool(
- $_POST["hide_images"]);
+ clean($_POST["hide_images"]));
$always_display_enclosures = checkbox_to_sql_bool(
- $_POST["always_display_enclosures"]);
+ clean($_POST["always_display_enclosures"]));
$mark_unread_on_update = checkbox_to_sql_bool(
- $_POST["mark_unread_on_update"]);
+ clean($_POST["mark_unread_on_update"]));
- $feed_language = trim($_POST["feed_language"]);
+ $feed_language = trim(clean($_POST["feed_language"]));
if (!$batch) {
- if ($_POST["need_auth"] !== 'on') {
+ if (clean($_POST["need_auth"]) !== 'on') {
$auth_login = '';
$auth_pass = '';
}
foreach (array_keys($_POST) as $k) {
if ($k != "op" && $k != "method" && $k != "ids") {
- $feed_data[$k] = $_POST[$k];
+ $feed_data[$k] = clean($_POST[$k]);
}
}
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
Pref_Feeds::remove_feed($id, $_SESSION["uid"]);
}
function removeCat() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed_category($id, $_SESSION["uid"]);
}
}
function addCat() {
- $feed_cat = trim($_REQUEST["cat"]);
+ $feed_cat = trim(clean($_REQUEST["cat"]));
add_feed_category($feed_cat);
}
onclick=\"showInactiveFeeds()\">" .
__("Inactive feeds") . "</button>";
- $feed_search = $_REQUEST["search"];
+ $feed_search = clean($_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_feed_search"] = $feed_search;
}
function batchAddFeeds() {
- $cat_id = $_REQUEST['cat'];
- $feeds = explode("\n", $_REQUEST['feeds']);
- $login = $_REQUEST['login'];
- $pass = trim($_REQUEST['pass']);
+ $cat_id = clean($_REQUEST['cat']);
+ $feeds = explode("\n", clean($_REQUEST['feeds']));
+ $login = clean($_REQUEST['login']);
+ $pass = trim(clean($_REQUEST['pass']));
foreach ($feeds as $feed) {
$feed = trim($feed);
}
function regenFeedKey() {
- $feed_id = $_REQUEST['id'];
- $is_cat = $_REQUEST['is_cat'] == "true";
+ $feed_id = clean($_REQUEST['id']);
+ $is_cat = clean($_REQUEST['is_cat']) == "true";
$new_key = $this->update_feed_access_key($feed_id, $is_cat);
}
function savefilterorder() {
- $data = json_decode($_POST['payload'], true);
+ $data = json_decode(clean($_POST['payload']), true);
- #file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+ #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
if (!is_array($data['items']))
}
function testFilterDo() {
- $offset = (int) $_REQUEST["offset"];
- $limit = (int) $_REQUEST["limit"];
+ $offset = (int) clean($_REQUEST["offset"]);
+ $limit = (int) clean($_REQUEST["limit"]);
$filter = array();
$filter["enabled"] = true;
- $filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]);
+ $filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$filter["rules"] = array();
$filter["actions"] = array("dummy-action");
$scope_qparts = array();
$rctr = 0;
- foreach ($_REQUEST["rule"] AS $r) {
+ foreach (clean($_REQUEST["rule"]) AS $r) {
$rule = json_decode($r, true);
if ($rule && $rctr < 5) {
function edit() {
- $filter_id = $_REQUEST["id"];
+ $filter_id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2
WHERE id = ? AND owner_uid = ?");
}
private function getRuleName($rule) {
- if (!$rule) $rule = json_decode($_REQUEST["rule"], true);
+ if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
$feeds = $rule["feed_id"];
$feeds_fmt = [];
}
function printRuleName() {
- print $this->getRuleName(json_decode($_REQUEST["rule"], true));
+ print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
}
private function getActionName($action) {
}
function printActionName() {
- print $this->getActionName(json_decode($_REQUEST["action"], true));
+ print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
}
function editSave() {
- if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+ if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
return $this->testFilter();
}
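Review bot: The condition on L619 no longer expresses what the removed line did: clean() now receives the result of `$_REQUEST["savemode"] && $_REQUEST["savemode"]`, i.e. a bool, and that is what gets compared with "test", so the test-mode branch is taken either never or whenever savemode is truthy (depending on what clean() returns for a non-string) rather than when savemode equals "test". The same misplaced parenthesis is on L661 in add(). The intended line is `if (!empty($_REQUEST["savemode"]) && clean($_REQUEST["savemode"]) == "test") {`. editSave continues outside the hunk.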
- $filter_id = $_REQUEST["id"];
- $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
- $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
- $title = $_REQUEST["title"];
+ $filter_id = clean($_REQUEST["id"]);
+ $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+ $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
+ $title = clean($_REQUEST["title"]);
$this->pdo->beginTransaction();
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
$ids_qmarks = arr_qmarks($ids);
$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks)
$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
$sth->execute([$filter_id]);
- if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = [];
- if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = [];
+ if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
+ if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
if ($filter_id) {
/* create rules */
$rules = array();
$actions = array();
- foreach ($_REQUEST["rule"] as $rule) {
+ foreach (clean($_REQUEST["rule"]) as $rule) {
$rule = json_decode($rule, true);
unset($rule["id"]);
}
}
- foreach ($_REQUEST["action"] as $action) {
+ foreach (clean($_REQUEST["action"]) as $action) {
$action = json_decode($action, true);
unset($action["id"]);
}
function add() {
- if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+ if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
return $this->testFilter();
}
- $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
- $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $title = $_REQUEST["title"];
- $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
+ $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+ $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $title = clean($_REQUEST["title"]);
+ $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$this->pdo->beginTransaction();
function index() {
- $filter_search = $_REQUEST["search"];
+ $filter_search = clean($_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
}
function newrule() {
- $rule = json_decode($_REQUEST["rule"], true);
+ $rule = json_decode(clean($_REQUEST["rule"]), true);
if ($rule) {
$reg_exp = htmlspecialchars($rule["reg_exp"]);
}
function newaction() {
- $action = json_decode($_REQUEST["action"], true);
+ $action = json_decode(clean($_REQUEST["action"]), true);
if ($action) {
$action_param = $action["action_param"];
}
function join() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
if (count($ids) > 1) {
$base_id = array_shift($ids);
}
function edit() {
- $label_id = $_REQUEST['id'];
+ $label_id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
id = ? AND owner_uid = ?");
}
function colorset() {
- $kind = $_REQUEST["kind"];
- $ids = explode(',', $_REQUEST["ids"]);
- $color = $_REQUEST["color"];
- $fg = $_REQUEST["fg"];
- $bg = $_REQUEST["bg"];
+ $kind = clean($_REQUEST["kind"]);
+ $ids = explode(',', clean($_REQUEST["ids"]));
+ $color = clean($_REQUEST["color"]);
+ $fg = clean($_REQUEST["fg"]);
+ $bg = clean($_REQUEST["bg"]);
foreach ($ids as $id) {
}
function colorreset() {
- $ids = explode(',', $_REQUEST["ids"]);
+ $ids = explode(',', clean($_REQUEST["ids"]));
foreach ($ids as $id) {
$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
function save() {
- $id = $_REQUEST["id"];
- $caption = trim($_REQUEST["caption"]);
+ $id = clean($_REQUEST["id"]);
+ $caption = trim(clean($_REQUEST["caption"]));
$this->pdo->beginTransaction();
$sth->execute([$caption, $old_caption, $_SESSION['uid']]);
- print $_REQUEST["value"];
+ print clean($_REQUEST["value"]);
} else {
print $old_caption;
}
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
Labels::remove($id, $_SESSION["uid"]);
}
function add() {
- $caption = $_REQUEST["caption"];
- $output = $_REQUEST["output"];
+ $caption = clean($_REQUEST["caption"]);
+ $output = clean($_REQUEST["output"]);
if ($caption) {
function changepassword() {
- $old_pw = $_POST["old_password"];
- $new_pw = $_POST["new_password"];
- $con_pw = $_POST["confirm_password"];
+ $old_pw = clean($_POST["old_password"]);
+ $new_pw = clean($_POST["new_password"]);
+ $con_pw = clean($_POST["confirm_password"]);
if ($old_pw == "") {
print "ERROR: ".format_error("Old password cannot be blank.");
}
function saveconfig() {
- $boolean_prefs = explode(",", $_POST["boolean_prefs"]);
+ $boolean_prefs = explode(",", clean($_POST["boolean_prefs"]));
foreach ($boolean_prefs as $pref) {
if (!isset($_POST[$pref])) $_POST[$pref] = 'false';
function changeemail() {
- $email = $_POST["email"];
- $full_name = $_POST["full_name"];
+ $email = clean($_POST["email"]);
+ $full_name = clean($_POST["full_name"]);
$active_uid = $_SESSION["uid"];
$sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
require_once "lib/otphp/lib/otp.php";
require_once "lib/otphp/lib/totp.php";
- $password = $_REQUEST["password"];
- $otp = $_REQUEST["otp"];
+ $password = clean($_REQUEST["password"]);
+ $otp = clean($_REQUEST["otp"]);
$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
}
function otpdisable() {
- $password = $_REQUEST["password"];
+ $password = clean($_REQUEST["password"]);
$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
}
function setplugins() {
- if (is_array($_REQUEST["plugins"]))
- $plugins = join(",", $_REQUEST["plugins"]);
+ if (is_array(clean($_REQUEST["plugins"])))
+ $plugins = join(",", clean($_REQUEST["plugins"]));
else
$plugins = "";
}
function clearplugindata() {
- $name = $_REQUEST["name"];
+ $name = clean($_REQUEST["name"]);
PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name));
}
print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
print_hidden("id", "$id");
print_hidden("op", "pref-users");
}
function userdetails() {
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT login,
".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
}
function editSave() {
- $login = trim($_REQUEST["login"]);
- $uid = $_REQUEST["id"];
- $access_level = (int) $_REQUEST["access_level"];
- $email = trim($_REQUEST["email"]);
- $password = $_REQUEST["password"];
+ $login = trim(clean($_REQUEST["login"]));
+ $uid = clean($_REQUEST["id"]);
+ $access_level = (int) clean($_REQUEST["access_level"]);
+ $email = trim(clean($_REQUEST["email"]));
+ $password = clean($_REQUEST["password"]);
if ($password) {
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
}
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
if ($id != $_SESSION["uid"] && $id != 1) {
function add() {
- $login = trim($_REQUEST["login"]);
+ $login = trim(clean($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
}
function resetPass() {
- $uid = $_REQUEST["id"];
+ $uid = clean($_REQUEST["id"]);
Pref_Users::resetUserPassword($uid, true);
}
print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
- $user_search = trim($_REQUEST["search"]);
+ $user_search = trim(clean($_REQUEST["search"]));
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search;
__('Search')."</button>
</div>";
- $sort = $_REQUEST["sort"];
+ $sort = clean($_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "login";
}
function setprofile() {
- $_SESSION["profile"] = $_REQUEST["id"];
+ $_SESSION["profile"] = clean($_REQUEST["id"]);
// default value
if (!$_SESSION["profile"]) $_SESSION["profile"] = null;
}
function remprofiles() {
- $ids = explode(",", trim($_REQUEST["ids"]));
+ $ids = explode(",", trim(clean($_REQUEST["ids"])));
foreach ($ids as $id) {
if ($_SESSION["profile"] != $id) {
// Silent
function addprofile() {
- $title = trim($_REQUEST["title"]);
+ $title = trim(clean($_REQUEST["title"]));
if ($title) {
$this->pdo->beginTransaction();
}
function saveprofile() {
- $id = $_REQUEST["id"];
- $title = trim($_REQUEST["value"]);
+ $id = clean($_REQUEST["id"]);
+ $title = trim(clean($_REQUEST["value"]));
if ($id == 0) {
print __("Default profile");
// Silent
function remarchive() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
$sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE
(SELECT COUNT(*) FROM ttrss_user_entries
}
function addfeed() {
- $feed = $_REQUEST['feed'];
- $cat = $_REQUEST['cat'];
- $login = $_REQUEST['login'];
- $pass = trim($_REQUEST['pass']);
+ $feed = clean($_REQUEST['feed']);
+ $cat = clean($_REQUEST['cat']);
+ $login = clean($_REQUEST['login']);
+ $pass = trim(clean($_REQUEST['pass']));
$rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
}
function togglepref() {
- $key = $_REQUEST["key"];
+ $key = clean($_REQUEST["key"]);
set_pref($key, !get_pref($key));
$value = get_pref($key);
function setpref() {
// set_pref escapes input, so no need to double escape it here
- $key = $_REQUEST['key'];
- $value = str_replace("\n", "<br/>", $_REQUEST['value']);
+ $key = clean($_REQUEST['key']);
+ $value = nl2br($_REQUEST['value']);
set_pref($key, $value, false, $key != 'USER_STYLESHEET');
}
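Review bot: `nl2br()` at L901 is not a drop-in for the old `str_replace("\n", "<br/>", ...)`: it inserts `<br />` (with a space) *before* each newline and keeps the newline itself, so the stored preference value changes shape for any caller that later compares or re-splits it. The comment at L897 says `set_pref` escapes, but the last argument at L902 is `false` for `USER_STYLESHEET`, which presumably disables that escaping for the one key whose value is a user-controlled stylesheet; a line such as `// USER_STYLESHEET is stored unescaped on purpose; it is only ever emitted for the owning user` would record why that is acceptable, or flag it if it is not. `$value` is also the only request string in this change that deliberately bypasses `clean()`, which is worth stating in the same comment.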
function mark() {
- $mark = $_REQUEST["mark"];
- $id = $_REQUEST["id"];
+ $mark = clean($_REQUEST["mark"]);
+ $id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?,
last_marked = NOW()
}
function delete() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
$ids_qmarks = arr_qmarks($ids);
$sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries
}
function unarchive() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
$this->pdo->beginTransaction();
}
function archive() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
$this->archive_article($id, $_SESSION["uid"]);
}
function publ() {
- $pub = $_REQUEST["pub"];
- $id = $_REQUEST["id"];
+ $pub = clean($_REQUEST["pub"]);
+ $id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET
published = ?, last_published = NOW()
}
function getAllCounters() {
- $last_article_id = (int) $_REQUEST["last_article_id"];
+ $last_article_id = (int) clean($_REQUEST["last_article_id"]);
$reply = array();
/* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
function catchupSelected() {
- $ids = explode(",", $_REQUEST["ids"]);
- $cmode = sprintf("%d", $_REQUEST["cmode"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $cmode = sprintf("%d", clean($_REQUEST["cmode"]));
Article::catchupArticlesById($ids, $cmode);
}
function markSelected() {
- $ids = explode(",", $_REQUEST["ids"]);
- $cmode = (int)$_REQUEST["cmode"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $cmode = (int)clean($_REQUEST["cmode"]);
$this->markArticlesById($ids, $cmode);
}
function publishSelected() {
- $ids = explode(",", $_REQUEST["ids"]);
- $cmode = (int)$_REQUEST["cmode"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $cmode = (int)clean($_REQUEST["cmode"]);
$this->publishArticlesById($ids, $cmode);
}
function sanityCheck() {
- $_SESSION["hasAudio"] = $_REQUEST["hasAudio"] === "true";
- $_SESSION["hasSandbox"] = $_REQUEST["hasSandbox"] === "true";
- $_SESSION["hasMp3"] = $_REQUEST["hasMp3"] === "true";
- $_SESSION["clientTzOffset"] = $_REQUEST["clientTzOffset"];
+ $_SESSION["hasAudio"] = clean($_REQUEST["hasAudio"]) === "true";
+ $_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
+ $_SESSION["hasMp3"] = clean($_REQUEST["hasMp3"]) === "true";
+ $_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
$reply = array();
}
function completeLabels() {
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
$sth = $this->pdo->prepare("SELECT DISTINCT caption FROM
ttrss_labels2
function updateFeedBrowser() {
if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
- $search = $_REQUEST["search"];
- $limit = $_REQUEST["limit"];
- $mode = (int) $_REQUEST["mode"];
+ $search = clean($_REQUEST["search"]);
+ $limit = clean($_REQUEST["limit"]);
+ $mode = (int) clean($_REQUEST["mode"]);
require_once "feedbrowser.php";
// Silent
function massSubscribe() {
- $payload = json_decode($_REQUEST["payload"], false);
- $mode = $_REQUEST["mode"];
+ $payload = json_decode(clean($_REQUEST["payload"]), false);
+ $mode = clean($_REQUEST["mode"]);
if (!$payload || !is_array($payload)) return;
}
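Review bot: Running `clean()` on the raw JSON text at L993 corrupts valid payloads: `strip_tags()` removes everything from a `<` to the next `>`, or to the end of the string when there is none, so a feed URL or title containing `<` takes the closing braces with it, `json_decode` returns null, and the guard at L995 silently returns. Decode the untouched string first, `$payload = json_decode($_REQUEST["payload"], false);`, and apply `clean()` to the individual decoded fields at the point where they are used. Note that `clean()` as written returns objects unchanged, so the decoded `stdClass` items would need field-level cleaning rather than a single call.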
function catchupFeed() {
- $feed_id = $_REQUEST['feed_id'];
- $is_cat = $_REQUEST['is_cat'] == "true";
- $mode = $_REQUEST['mode'];
- $search_query = $_REQUEST['search_query'];
- $search_lang = $_REQUEST['search_lang'];
+ $feed_id = clean($_REQUEST['feed_id']);
+ $is_cat = clean($_REQUEST['is_cat']) == "true";
+ $mode = clean($_REQUEST['mode']);
+ $search_query = clean($_REQUEST['search_query']);
+ $search_lang = clean($_REQUEST['search_lang']);
Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]);
}
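Review bot: `clean($_REQUEST['is_cat']) == "true"` at L1004 uses loose comparison while the equivalent flags at L969-L971 use `===`; for consistency and to avoid PHP's string/number juggling write `$is_cat = clean($_REQUEST['is_cat']) === "true";`. Nothing else in this hunk changes behaviour.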
function setpanelmode() {
- $wide = (int) $_REQUEST["wide"];
+ $wide = (int) clean($_REQUEST["wide"]);
setcookie("ttrss_widescreen", $wide,
time() + COOKIE_LIFETIME_LONG);
}
function getlinktitlebyid() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries
WHERE ref_id = ? AND ref_id = id AND owner_uid = ?");
}
function log() {
- $msg = $_REQUEST['msg'];
- $file = basename($_REQUEST['file']);
- $line = (int) $_REQUEST['line'];
- $context = $_REQUEST['context'];
+ $msg = clean($_REQUEST['msg']);
+ $file = basename(clean($_REQUEST['file']));
+ $line = (int) clean($_REQUEST['line']);
+ $context = clean($_REQUEST['context']);
if ($msg) {
Logger::get()->log_error(E_USER_WARNING,
*/
static function update_rss_feed($feed, $no_cache = false) {
- $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || $_REQUEST['xdebug'];
+ $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || clean($_REQUEST['xdebug']);
_debug_suppress(!$debug_enabled);
_debug("start", $debug_enabled);
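Review bot: `xdebug` is read and cleaned four times (L1036, L1042, L1048, L1055) and compared loosely against integers; reading it once at the top, `$xdebug = isset($_REQUEST['xdebug']) ? (int) clean($_REQUEST['xdebug']) : 0;`, and then testing `$xdebug == 2` / `$xdebug == 3` is clearer and avoids the undefined-index notice when this static function runs outside an HTTP request, which `update_rss_feed` presumably does from the updater. The function body continues well past this hunk.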
foreach ($items as $item) {
$pdo->beginTransaction();
- if ($_REQUEST['xdebug'] == 3) {
+ if (clean($_REQUEST['xdebug']) == 3) {
print_r($item);
}
$entry_content = $item->get_content();
if (!$entry_content) $entry_content = $item->get_description();
- if ($_REQUEST["xdebug"] == 2) {
+ if (clean($_REQUEST["xdebug"]) == 2) {
print "content: ";
print htmlspecialchars($entry_content);
print "\n";
$entry_plugin_data .= mb_strtolower(get_class($plugin)) . ",";
}
- if ($_REQUEST["xdebug"] == 2) {
+ if (clean($_REQUEST["xdebug"]) == 2) {
print "processed content: ";
print htmlspecialchars($article["content"]);
print "\n";
}
}
+ // this is used for user http parameters unless HTML code is actually needed
+ function clean($param) {
+ if (is_array($param)) {
+ return array_map(strip_tags, $param);
+ } else if (is_string($param)) {
+ return strip_tags($param);
+ } else {
+ return $param;
+ }
+ }
+
function make_password($length = 8) {
$password = "";
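Review bot: `array_map(strip_tags, $param)` at L1064 passes a bare, undefined constant: PHP 7 emits a warning and falls back to the string "strip_tags", so it works by accident, and PHP 8 throws an Error for every array parameter. It is also not recursive, so a nested array reaches `strip_tags()` with an array argument. Both are fixed by recursing through the function itself: `return array_map('clean', $param);`. The comment at L1061 should also state what `clean()` is not, e.g. `// Strips tags from request parameters. This is NOT output escaping and NOT SQL quoting: HTML output still needs htmlspecialchars() and queries still need prepared statements.`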