From: Andrew Dolgov
Date: Sat, 5 Aug 2006 12:00:01 +0000 (+0100)
Subject: disable scripts in rss entry content
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=d48d160c64f104785a6a52372271100e1a9803c6;p=tt-rss.git
disable scripts in rss entry content
---
diff --git a/functions.php b/functions.php
index 2e65f7a3..133a8ccf 100644
--- a/functions.php
+++ b/functions.php
@@ -530,6 +530,13 @@
 }
+ # sanitize content
+ $entry_content = preg_replace('//i',
+ "

", $entry_content);
+
+ $entry_content = preg_replace('/<\/script>/i',
+ "

", $entry_content);
+
 db_query($link, "BEGIN");
 if (db_num_rows($result) == 0) {
diff --git a/tt-rss.css b/tt-rss.css
index f69d2444..8d29213b 100644
--- a/tt-rss.css
+++ b/tt-rss.css
@@ -1145,3 +1145,15 @@ span.debugTS {
 #backReqBox {
 display : none;
 }
+
+.scriptWarn:before {
+ content : "Disabled script:";
+}
+
+.scriptWarn {
+ color : white;
+ background-color : #903030;
+ border : 1px solid #601010;
+ padding : 3px;
+ font-weight : bold;
+}
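Review bot: The two `preg_replace` calls added before `db_query($link, "BEGIN")` neutralise only literal `<script>` opening and closing tags, so `$entry_content` is still untrusted feed HTML when it is (presumably) stored and later rendered; script-capable markup other than a `<script>` element is not touched, and the closing pattern `/<\/script>/i` matches only that exact spelling of the tag. A deny-list regex is hard to make complete, so I would mark this as a stop-gap in the code, e.g. replace `# sanitize content` with `# partial: only <script> tags are neutralised; content is still untrusted HTML and needs allow-list sanitising before display`. The durable fix is allow-list filtering of tags and attributes (or escaping) at the point where entry content is output. On this page the opening-tag pattern shows as `'//i'` and both replacement strings appear empty, which looks like extraction damage, so the exact pattern and replacement markup could not be checked; the enclosing block also starts and ends outside the hunk.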