From: Andrew Dolgov <fox@madoka.spb.ru>
Date: Fri, 19 May 2006 03:13:32 +0000 (+0100)
Subject: sanitize input in label-editor subops
X-Git-Tag: 1.2.0~73
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=9a35e16d1e4a78666fcc186d92b989178a028791;p=tt-rss.git

sanitize input in label-editor subops
---

diff --git a/backend.php b/backend.php
index 4d855cea..bb418044 100644
--- a/backend.php
+++ b/backend.php
@@ -2167,8 +2167,8 @@
 
 		if ($subop == "editSave") {
 
-			$regexp = db_escape_string($_GET["r"]);
-			$match = db_escape_string($_GET["m"]);
+			$regexp = db_escape_string(trim($_GET["r"]));
+			$match = db_escape_string(trim($_GET["m"]));
 			$filter_id = db_escape_string($_GET["id"]);
 			$feed_id = db_escape_string($_GET["fid"]);
 			$action_id = db_escape_string($_GET["aid"]); 
@@ -2482,8 +2482,8 @@
 
 		if ($subop == "test") {
 
-			$expr = $_GET["expr"];
-			$descr = $_GET["descr"];
+			$expr = trim($_GET["expr"]);
+			$descr = trim($_GET["descr"]);
 
 			print "<div id=\"infoBoxTitle\">Test label: $descr</div>";
 
@@ -2536,8 +2536,8 @@
 
 		if ($subop == "editSave") {
 
-			$sql_exp = $_GET["s"];
-			$descr = $_GET["d"];
+			$sql_exp = trim($_GET["s"]);
+			$descr = trim($_GET["d"]);
 			$label_id = db_escape_string($_GET["id"]);
 			
 //			print "$sql_exp : $descr : $label_id";