From f01c8ec4f1324ed8b68e912220735af96c86883c Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Sun, 17 Mar 2013 14:55:55 +0400
Subject: [PATCH] prevent absolutely useless 'exploit' (not really) while
 editing filters (closes #572)

---
 classes/pref/filters.php | 2 +-
 js/functions.js          | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/classes/pref/filters.php b/classes/pref/filters.php
index 74a29c61..20abae1d 100644
--- a/classes/pref/filters.php
+++ b/classes/pref/filters.php
@@ -372,7 +372,7 @@ class Pref_Filters extends Handler_Protected {
 			WHERE id = ".(int)$rule["filter_type"]);
 		$match_on = db_fetch_result($result, 0, "description");
 
-		return T_sprintf("%s on %s in %s", $rule["reg_exp"], $match_on, $feed);
+		return T_sprintf("%s on %s in %s", strip_tags($rule["reg_exp"]), $match_on, $feed);
 	}
 
 	function printRuleName() {
diff --git a/js/functions.js b/js/functions.js
index 72f72dda..e00690c1 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -964,6 +964,8 @@ function createNewRuleElement(parentNode, replaceNode) {
 	try {
 		var form = document.forms["filter_new_rule_form"];
 
+		form.reg_exp.value = form.reg_exp.value.replace(/(<([^>]+)>)/ig,"");
+
 		var query = "backend.php?op=pref-filters&method=printrulename&rule="+
 			param_escape(dojo.formToJson(form));
 
-- 
2.39.2