From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Sun, 21 Oct 2012 21:19:06 +0000 (+0400)
Subject: properly escape article link/PTITLEs (refs #472)
X-Git-Tag: 1.6.1~73
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=5c5689734955ced9ca81690ad9c1b76b71a8712a;p=tt-rss.git

properly escape article link/PTITLEs (refs #472)
---

diff --git a/classes/feeds.php b/classes/feeds.php
index 31224d1d..5280502c 100644
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -503,7 +503,7 @@ class Feeds extends Handler_Protected {
 					$reply['content'] .= "</div>";
 
 					$reply['content'] .= "<div id=\"PTITLE-FULL-$id\" style=\"display : none\">" .
-						strip_tags($line['title']) . "</div>";
+						htmlspecialchars(strip_tags($line['title'])) . "</div>";
 
 					$reply['content'] .= "<span id=\"RTITLE-$id\"
 						onclick=\"return cdmClicked(event, $id);\"
diff --git a/include/functions.php b/include/functions.php
index a80d09cb..f37578ba 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -3372,7 +3372,7 @@
 					</head><body>";
 			}
 
-			$title_escaped = db_escape_string($line['title']);
+			$title_escaped = htmlspecialchars($line['title']);
 
 			$rv['content'] .= "<div id=\"PTITLE-$id\" style=\"display : none\">" .
 				truncate_string(strip_tags($line['title']), 15) . "</div>";
@@ -3400,7 +3400,7 @@
 				$rv['content'] .= "<div class='postTitle'><a target='_blank'
 					title=\"".htmlspecialchars($line['title'])."\"
 					href=\"" .
-					$line["link"] . "\">" .
+					htmlspecialchars($line["link"]) . "\">" .
 					$line["title"] .
 					"<span class='author'>$entry_author</span></a></div>";
 			} else {