fix url checking, param sanitizing in feed & cat editors, fix browser_has_opacity()
authorAndrew Dolgov <fox@madoka.spb.ru>
Fri, 19 May 2006 03:10:58 +0000 (04:10 +0100)
committerAndrew Dolgov <fox@madoka.spb.ru>
Fri, 19 May 2006 03:10:58 +0000 (04:10 +0100)
backend.php
functions.js
prefs.js
tt-rss.js

index d7567330e93a2ce05fd271ceb74b75cf22af87aa..4d855ceadd20b9830b7f56cfe05e739659db639b 100644 (file)
                }
 
                if ($subop == "editSave") {
-                       $feed_title = db_escape_string($_POST["t"]);
-                       $feed_link = db_escape_string($_POST["l"]);
+                       $feed_title = db_escape_string(trim($_POST["t"]));
+                       $feed_link = db_escape_string(trim($_POST["l"]));
                        $upd_intl = db_escape_string($_POST["ui"]);
                        $purge_intl = db_escape_string($_POST["pi"]);
                        $feed_id = db_escape_string($_POST["id"]);
                        $cat_id = db_escape_string($_POST["catid"]);
-                       $auth_login = db_escape_string($_POST["login"]);
-                       $auth_pass = db_escape_string($_POST["pass"]);
+                       $auth_login = db_escape_string(trim($_POST["login"]));
+                       $auth_pass = db_escape_string(trim($_POST["pass"]));
                        $parent_feed = db_escape_string($_POST["pfeed"]);
                        $private = db_escape_string($_POST["is_pvt"]);
                        $rtl_content = db_escape_string($_POST["is_rtl"]);
                }
 
                if ($subop == "saveCat") {
-                       $cat_title = db_escape_string($_GET["title"]);
+                       $cat_title = db_escape_string(trim($_GET["title"]));
                        $cat_id = db_escape_string($_GET["id"]);
 
                        $result = db_query($link, "UPDATE ttrss_feed_categories SET
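Review bot: The `editSave` branch still stores `$feed_link` after only `trim()` and `db_escape_string()`, so the `isValidURL()` check this commit adds to the JavaScript editors is the only thing rejecting non-http(s) feed URLs, and it is skipped by any request that does not go through the form. `db_escape_string` only protects the SQL statement; it says nothing about whether the value is a well-formed feed URL. A server-side guard in the same branch, e.g. `if (!preg_match('#^https?://#i', $feed_link)) { /* reject, as the JS editors do */ }`, would make the backend the authority and leave the client check as a convenience. The enclosing function starts and ends outside this hunk, so the error-reporting path for such a rejection is not visible here.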
index 3b5e64f7057440d61560779080049c461b81b5b9..817946c397737ca2153b90f5cd1b2ce823352258 100644 (file)
@@ -1,7 +1,8 @@
 var hotkeys_enabled = true;
 
 function browser_has_opacity() {
-       return navigator.userAgent.match("Gecko") || navigator.userAgent.match("Opera");
+       return navigator.userAgent.match("Gecko") != null || 
+               navigator.userAgent.match("Opera") != null;
 }
 
 function exception_error(location, e) {
@@ -1054,3 +1055,6 @@ function toggleSubmitNotEmpty(e, submit_id) {
        }
 }
 
+function isValidURL(s) {
+       return s.match("http://") != null || s.match("https://") != null;
+}
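Review bot: `isValidURL()` accepts any string that merely contains `http://` or `https://` anywhere, because `String.prototype.match` with a string argument builds a RegExp and searches the whole value, so an input like `foo http://` passes the check. Anchoring to the start of the string, `return s.indexOf("http://") == 0 || s.indexOf("https://") == 0;`, matches what the callers intend, and since `addFeed` (prefs.js), `qafAdd` (tt-rss.js) and `feedEditSave` (prefs.js) all route through this helper in this commit, one change covers all three. The same unanchored-string pattern appears in `browser_has_opacity()` in the first hunk, where it is harmless for user-agent sniffing but should not be copied as a validation idiom.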
index ccc0d78597afeda1fd178c32c0c2088ae6ddee09..1994495a9cc4d296c072b48b55a4fcd5c748850a 100644 (file)
--- a/prefs.js
+++ b/prefs.js
@@ -282,8 +282,7 @@ function addFeed() {
 
        if (link.value.length == 0) {
                alert("Error: No feed URL given.");
-       } else if (link.value.match("http://") == null && 
-                       link.value.match("https://") == null) {
+       } else if (!isValidURL(link.value)) {
                alert("Error: Invalid feed URL.");
        } else {
                notify("Adding feed...");
@@ -746,6 +745,11 @@ function feedEditSave() {
                        notify("Feed title cannot be blank.");
                        return;
                }
+
+               if (!isValidURL(link)) {
+                       alert("Feed URL is invalid.");
+                       return;
+               }
        
                var auth_login = document.getElementById("iedit_login").value;
                var auth_pass = document.getElementById("iedit_pass").value;
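Review bot: The new URL check in `feedEditSave` reports failure through `alert()` while the blank-title check immediately above it uses `notify()`, so two validation failures in the same function surface to the user in different ways; `notify("Feed URL is invalid.");` would keep the function self-consistent (or both could use `alert`, matching the `alert("Error: Invalid feed URL.")` used by `addFeed` in the first hunk). `link` is assigned outside the hunk, so whether it holds the raw field value or an already-trimmed string cannot be seen here; if it is untrimmed, a leading space will fail a start-anchored URL check that the backend's `trim()` would have accepted. `feedEditSave` starts and ends outside this hunk.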
index 528a0000bde1cdb31ad1464dcf77aff57c22f7a0..6a31714692c48edda576153966b80ac39247dff3 100644 (file)
--- a/tt-rss.js
+++ b/tt-rss.js
@@ -538,8 +538,7 @@ function qafAdd() {
 
        if (link.value.length == 0) {
                alert("Error: No feed URL given.");
-       } else if (link.value.match("http://") == null && 
-                       link.value.match("https://") == null) {
+       } else if (!isValidURL(link.value)) {
                alert("Error: Invalid feed URL.");
        } else {
                notify("Adding feed...");