prevent absolutely useless 'exploit' (not really) while editing filters (closes ...

author Andrew Dolgov <fox@madoka.volgo-balt.ru>

Sun, 17 Mar 2013 10:55:55 +0000 (14:55 +0400)

committer Andrew Dolgov <fox@madoka.volgo-balt.ru>

Sun, 17 Mar 2013 10:55:55 +0000 (14:55 +0400)
author Andrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 17 Mar 2013 10:55:55 +0000 (14:55 +0400)
committer Andrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 17 Mar 2013 10:55:55 +0000 (14:55 +0400)
diff --git a/classes/pref/filters.php b/classes/pref/filters.php

index 74a29c6198ed4a2c1621d348544156742dd2b296..20abae1d00cbd9a90a96017b8882490b0bff0aff 100644 (file)
--- a/classes/pref/filters.php
+++ b/classes/pref/filters.php
@@ -372,7 +372,7 @@ class Pref_Filters extends Handler_Protected {
                         WHERE id = ".(int)$rule["filter_type"]);
                 $match_on = db_fetch_result($result, 0, "description");
  
-               return T_sprintf("%s on %s in %s", $rule["reg_exp"], $match_on, $feed);
+               return T_sprintf("%s on %s in %s", strip_tags($rule["reg_exp"]), $match_on, $feed);
         }
  
         function printRuleName() {
diff --git a/js/functions.js b/js/functions.js

index 72f72ddaa405dab23439e223cf8c433349cc9fd8..e00690c1c2e6130f3372764d37204dd695fbf9d7 100644 (file)
--- a/js/functions.js
+++ b/js/functions.js
@@ -964,6 +964,8 @@ function createNewRuleElement(parentNode, replaceNode) {
         try {
                 var form = document.forms["filter_new_rule_form"];
  
+               form.reg_exp.value = form.reg_exp.value.replace(/(<([^>]+)>)/ig,"");
+
                 var query = "backend.php?op=pref-filters&method=printrulename&rule="+
                         param_escape(dojo.formToJson(form));
author	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Sun, 17 Mar 2013 10:55:55 +0000 (14:55 +0400)
committer	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Sun, 17 Mar 2013 10:55:55 +0000 (14:55 +0400)
classes/pref/filters.php		patch \| blob \| history
js/functions.js		patch \| blob \| history