From 06925d9e8502e544a98b7b2dacf618be9e34f25f Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Fri, 18 Apr 2008 06:13:00 +0100 Subject: [PATCH] getArticleLink: add escaping; open_article_in_new_window: add error notifications (closes #202) --- functions.js | 9 +++++++++ modules/backend-rpc.php | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/functions.js b/functions.js index 9e38e45b..d30e6bee 100644 --- a/functions.js +++ b/functions.js @@ -68,10 +68,15 @@ function open_article_callback(transport) { try { if (transport.responseXML) { + var link = transport.responseXML.getElementsByTagName("link")[0]; var id = transport.responseXML.getElementsByTagName("id")[0]; + debug("open_article_callback, received link: " + link); + if (link) { + debug("link url: " + link.firstChild.nodeValue); + window.open(link.firstChild.nodeValue, "_blank"); if (id) { @@ -80,7 +85,11 @@ function open_article_callback(transport) { window.setTimeout("toggleUnread(" + id + ", 0)", 100); } } + } else { + notify_error("Can't open article: received invalid article link"); } + } else { + notify_error("Can't open article: received invalid XML"); } } catch (e) { diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php index 5a8452ea..d7ebb594 100644 --- a/modules/backend-rpc.php +++ b/modules/backend-rpc.php @@ -279,7 +279,7 @@ WHERE id = '$id' AND id = ref_id AND owner_uid = '".$_SESSION['uid']."'"); if (db_num_rows($result) == 1) { - $link = strip_tags(db_fetch_result($result, 0, "link")); + $link = htmlspecialchars(strip_tags(db_fetch_result($result, 0, "link"))); print "$link$id"; } else { print "Article not found"; -- 2.39.5