From: Andrew Dolgov
Date: Sun, 21 Oct 2012 21:22:44 +0000 (+0400)
Subject: properly escape comment links
X-Git-Tag: 1.6.1~72
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=6e577ba15715cb3ccb9c54bd4e13f3f9ff2c3563;p=tt-rss.git
properly escape comment links
---
diff --git a/classes/feeds.php b/classes/feeds.php
index 5280502c..836bbb06 100644
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -633,14 +633,14 @@ class Feeds extends Handler_Protected {
 if ($num_comments > 0) {
 if ($line["comments"]) {
- $comments_url = $line["comments"];
+ $comments_url = htmlspecialchars($line["comments"]);
 } else {
- $comments_url = $line["link"];
+ $comments_url = htmlspecialchars($line["link"]);
 }
 $entry_comments = "$num_comments comments";
 } else {
 if ($line["comments"] && $line["link"] != $line["comments"]) {
- $entry_comments = "comments";
+ $entry_comments = "comments";
 }
 }
diff --git a/include/functions.php b/include/functions.php
index f37578ba..2fb14097 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -3352,14 +3352,14 @@
 if ($num_comments > 0) {
 if ($line["comments"]) {
- $comments_url = $line["comments"];
+ $comments_url = htmlspecialchars($line["comments"]);
 } else {
- $comments_url = $line["link"];
+ $comments_url = htmlspecialchars($line["link"]);
 }
 $entry_comments = "$num_comments comments";
 } else {
 if ($line["comments"] && $line["link"] != $line["comments"]) {
- $entry_comments = "comments";
+ $entry_comments = "comments";
 }
 }
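Review bot: The new `htmlspecialchars($line["comments"])` / `htmlspecialchars($line["link"])` assignments in the `$num_comments > 0` branch stop markup breakout but do not constrain the URL scheme, so a feed-supplied `javascript:` or `data:` value would still reach what is presumably an href. I would validate before escaping, e.g. `if (!preg_match('#^https?://#i', $comments_url)) $comments_url = '';`, and pass the flags explicitly, `htmlspecialchars($comments_url, ENT_QUOTES, 'UTF-8')`, because the default flags on PHP of this era leave single quotes unescaped. The `$entry_comments = "comments";` pair in the else branch reads the same on both sides as rendered here, so it is worth confirming that `$line["comments"]` is escaped there as well. The include/functions.php hunk (`@@ -3352,14`) repeats this block verbatim and needs the same treatment; a shared helper would keep the two copies from drifting. The enclosing function begins and ends outside both hunks.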