From 605f7d463dc68eccc02c77f989302d7b9035b456 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Fri, 19 May 2006 04:10:58 +0100 Subject: [PATCH] fix url checking, param sanitizing in feed & cat editors, fix browser_has_opacity() --- backend.php | 10 +++++----- functions.js | 6 +++++- prefs.js | 8 ++++++-- tt-rss.js | 3 +-- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/backend.php b/backend.php index d7567330..4d855cea 100644 --- a/backend.php +++ b/backend.php @@ -1603,14 +1603,14 @@ } if ($subop == "editSave") { - $feed_title = db_escape_string($_POST["t"]); - $feed_link = db_escape_string($_POST["l"]); + $feed_title = db_escape_string(trim($_POST["t"])); + $feed_link = db_escape_string(trim($_POST["l"])); $upd_intl = db_escape_string($_POST["ui"]); $purge_intl = db_escape_string($_POST["pi"]); $feed_id = db_escape_string($_POST["id"]); $cat_id = db_escape_string($_POST["catid"]); - $auth_login = db_escape_string($_POST["login"]); - $auth_pass = db_escape_string($_POST["pass"]); + $auth_login = db_escape_string(trim($_POST["login"])); + $auth_pass = db_escape_string(trim($_POST["pass"])); $parent_feed = db_escape_string($_POST["pfeed"]); $private = db_escape_string($_POST["is_pvt"]); $rtl_content = db_escape_string($_POST["is_rtl"]); @@ -1653,7 +1653,7 @@ } if ($subop == "saveCat") { - $cat_title = db_escape_string($_GET["title"]); + $cat_title = db_escape_string(trim($_GET["title"])); $cat_id = db_escape_string($_GET["id"]); $result = db_query($link, "UPDATE ttrss_feed_categories SET diff --git a/functions.js b/functions.js index 3b5e64f7..817946c3 100644 --- a/functions.js +++ b/functions.js @@ -1,7 +1,8 @@ var hotkeys_enabled = true; function browser_has_opacity() { - return navigator.userAgent.match("Gecko") || navigator.userAgent.match("Opera"); + return navigator.userAgent.match("Gecko") != null || + navigator.userAgent.match("Opera") != null; } function exception_error(location, e) { @@ -1054,3 +1055,6 @@ function toggleSubmitNotEmpty(e, submit_id) { } } +function isValidURL(s) { + return s.match("http://") != null || s.match("https://") != null; +} diff --git a/prefs.js b/prefs.js index ccc0d785..1994495a 100644 --- a/prefs.js +++ b/prefs.js @@ -282,8 +282,7 @@ function addFeed() { if (link.value.length == 0) { alert("Error: No feed URL given."); - } else if (link.value.match("http://") == null && - link.value.match("https://") == null) { + } else if (!isValidURL(link.value)) { alert("Error: Invalid feed URL."); } else { notify("Adding feed..."); @@ -746,6 +745,11 @@ function feedEditSave() { notify("Feed title cannot be blank."); return; } + + if (!isValidURL(link)) { + alert("Feed URL is invalid."); + return; + } var auth_login = document.getElementById("iedit_login").value; var auth_pass = document.getElementById("iedit_pass").value; diff --git a/tt-rss.js b/tt-rss.js index 528a0000..6a317146 100644 --- a/tt-rss.js +++ b/tt-rss.js @@ -538,8 +538,7 @@ function qafAdd() { if (link.value.length == 0) { alert("Error: No feed URL given."); - } else if (link.value.match("http://") == null && - link.value.match("https://") == null) { + } else if (!isValidURL(link.value)) { alert("Error: Invalid feed URL."); } else { notify("Adding feed..."); -- 2.39.5