From 605f7d463dc68eccc02c77f989302d7b9035b456 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Fri, 19 May 2006 04:10:58 +0100
Subject: [PATCH] fix url checking, param sanitizing in feed & cat editors, fix browser_has_opacity()
---
 backend.php | 10 +++++-----
 functions.js | 6 +++++-
 prefs.js | 8 ++++++--
 tt-rss.js | 3 +--
 4 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/backend.php b/backend.php
index d7567330..4d855cea 100644
--- a/backend.php
+++ b/backend.php
@@ -1603,14 +1603,14 @@
 }
 if ($subop == "editSave") {
- $feed_title = db_escape_string($_POST["t"]);
- $feed_link = db_escape_string($_POST["l"]);
+ $feed_title = db_escape_string(trim($_POST["t"]));
+ $feed_link = db_escape_string(trim($_POST["l"]));
 $upd_intl = db_escape_string($_POST["ui"]);
 $purge_intl = db_escape_string($_POST["pi"]);
 $feed_id = db_escape_string($_POST["id"]);
 $cat_id = db_escape_string($_POST["catid"]);
- $auth_login = db_escape_string($_POST["login"]);
- $auth_pass = db_escape_string($_POST["pass"]);
+ $auth_login = db_escape_string(trim($_POST["login"]));
+ $auth_pass = db_escape_string(trim($_POST["pass"]));
 $parent_feed = db_escape_string($_POST["pfeed"]);
 $private = db_escape_string($_POST["is_pvt"]);
 $rtl_content = db_escape_string($_POST["is_rtl"]);
@@ -1653,7 +1653,7 @@
 }
 if ($subop == "saveCat") {
- $cat_title = db_escape_string($_GET["title"]);
+ $cat_title = db_escape_string(trim($_GET["title"]));
 $cat_id = db_escape_string($_GET["id"]);
 $result = db_query($link, "UPDATE ttrss_feed_categories SET
diff --git a/functions.js b/functions.js
index 3b5e64f7..817946c3 100644
--- a/functions.js
+++ b/functions.js
@@ -1,7 +1,8 @@
 var hotkeys_enabled = true;
 function browser_has_opacity() {
- return navigator.userAgent.match("Gecko") || navigator.userAgent.match("Opera");
+ return navigator.userAgent.match("Gecko") != null ||
+ navigator.userAgent.match("Opera") != null;
 }
 function exception_error(location, e) {
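Review bot: The trimmed `$feed_link` on the new `+ $feed_link = db_escape_string(trim($_POST["l"]));` line is still accepted without any server-side check of its scheme, so the browser-side `isValidURL()` this commit adds is the only URL validation and it is skipped entirely by a request sent straight to `editSave`; the handler should reject anything that does not start with `http://` or `https://` before the values reach the query, e.g. `if (!preg_match('/^https?:\/\//', $feed_link)) { return; }` using whatever error path this backend normally takes. An empty `$feed_title` has the same gap: it is refused only by the feedEditSave() check in prefs.js. Trimming `$_POST["pass"]` silently alters any feed password that legitimately begins or ends with whitespace; if that is intended it deserves a comment, otherwise leave the password untrimmed. The rest of the editSave branch, including the UPDATE these values feed, is outside the hunk.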
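Review bot: After the new `trim()` on `$_GET["title"]`, a whitespace-only title becomes an empty string and is still written by the UPDATE that follows, with no equivalent of the "cannot be blank" test the JS side applies to feed titles; add `if ($cat_title == "") { return; }` (or the handler's usual error path) before the query. On the adjacent context line `$cat_id` goes through `db_escape_string()` rather than a cast; if the UPDATE interpolates it unquoted, escaping alone does not constrain it, so `$cat_id = (int) $_GET["id"];` is the safer form. The query itself continues outside the hunk.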
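Review bot: The new `!= null` comparisons on the two `return` lines use loose equality and go through `String.prototype.match`, which compiles the string argument into a RegExp on each call only to discard the match result; a single regex test reads more directly and yields a boolean with no null comparison at all: `return /Gecko|Opera/.test(navigator.userAgent);`. If the two-line form is kept, `!== null` is the strict spelling. browser_has_opacity() is complete within the hunk.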
@@ -1054,3 +1055,6 @@ function toggleSubmitNotEmpty(e, submit_id) {
 }
 }
+function isValidURL(s) {
+ return s.match("http://") != null || s.match("https://") != null;
+}
diff --git a/prefs.js b/prefs.js
index ccc0d785..1994495a 100644
--- a/prefs.js
+++ b/prefs.js
@@ -282,8 +282,7 @@ function addFeed() {
 if (link.value.length == 0) {
 alert("Error: No feed URL given.");
- } else if (link.value.match("http://") == null &&
- link.value.match("https://") == null) {
+ } else if (!isValidURL(link.value)) {
 alert("Error: Invalid feed URL.");
 } else {
 notify("Adding feed...");
@@ -746,6 +745,11 @@ function feedEditSave() {
 notify("Feed title cannot be blank.");
 return;
 }
+
+ if (!isValidURL(link)) { alert("Feed URL is invalid."); return;
+ }
 var auth_login = document.getElementById("iedit_login").value;
 var auth_pass = document.getElementById("iedit_pass").value;
diff --git a/tt-rss.js b/tt-rss.js
index 528a0000..6a317146 100644
--- a/tt-rss.js
+++ b/tt-rss.js
@@ -538,8 +538,7 @@ function qafAdd() {
 if (link.value.length == 0) {
 alert("Error: No feed URL given.");
- } else if (link.value.match("http://") == null &&
- link.value.match("https://") == null) {
+ } else if (!isValidURL(link.value)) {
 alert("Error: Invalid feed URL.");
 } else {
 notify("Adding feed...");
--
2.39.2
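Review bot: `isValidURL()` only checks that `http://` or `https://` occurs somewhere in `s`, because `String.prototype.match` with a string argument is unanchored, so a value with a different scheme at the start and an `http://` substring later still passes; anchor the test to the beginning of the string, `return /^\s*https?:\/\//.test(s);` (the `\s*` tolerates the leading whitespace the backend now trims off). The same loose check is what the addFeed() hunk in prefs.js, the feedEditSave() hunk in prefs.js and the qafAdd() hunk in tt-rss.js now rely on, so fixing it here fixes all three. Since this runs in the browser it is a usability check rather than a security boundary; the backend.php hunks in this commit trim the URL but still do not validate its scheme server-side. A one-line comment on the function, `// Client-side sanity check only; the server must validate the URL as well.`, would make that explicit.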
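Review bot: The new URL check in feedEditSave() reports through `alert("Feed URL is invalid.")` while the blank-title check directly above it uses `notify("Feed title cannot be blank.")`, and the wording differs from the `"Error: Invalid feed URL."` used by addFeed() and qafAdd(); pick one channel and one phrasing, e.g. `notify("Feed URL is invalid.");` to match its neighbour. `link` is validated as-is here whereas the backend trims it, so a URL with leading whitespace is rejected client-side but accepted when submitted directly; trimming before the check, or anchoring isValidURL() with optional leading whitespace, keeps the two in step. feedEditSave() starts before the hunk, so where `link` is assigned is not visible here.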