properly escape comment links
authorAndrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 21 Oct 2012 21:22:44 +0000 (01:22 +0400)
committerAndrew Dolgov <fox@madoka.volgo-balt.ru>
Sun, 21 Oct 2012 21:22:44 +0000 (01:22 +0400)
classes/feeds.php
include/functions.php

index 5280502c4dab84eea0de132cae3ce631c390b90c..836bbb060ce604e7f37414e66b6400bd6fb514d9 100644 (file)
@@ -633,14 +633,14 @@ class Feeds extends Handler_Protected {
 \r
                                        if ($num_comments > 0) {\r
                                                if ($line["comments"]) {\r
-                                                       $comments_url = $line["comments"];\r
+                                                       $comments_url = htmlspecialchars($line["comments"]);\r
                                                } else {\r
-                                                       $comments_url = $line["link"];\r
+                                                       $comments_url = htmlspecialchars($line["link"]);\r
                                                }\r
                                                $entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";\r
                                        } else {\r
                                                if ($line["comments"] && $line["link"] != $line["comments"]) {\r
-                                                       $entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";\r
+                                                       $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";\r
                                                }\r
                                        }\r
 \r
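Review bot: The URL scheme is still unchecked at the three `href` assignments: `htmlspecialchars()` keeps a feed-supplied value from breaking out of the double-quoted attribute, but a `javascript:` or `data:` URL in `$line["comments"]` or `$line["link"]` would still be emitted as a clickable link unless it is filtered somewhere outside this hunk. An allow-list before escaping would close that, e.g. `$comments_url = preg_match('#^https?://#i', $line["comments"]) ? htmlspecialchars($line["comments"], ENT_QUOTES, 'UTF-8') : '';`, with the anchor skipped when the result is empty. Since these links open with `target='_blank'`, adding `rel='noopener noreferrer'` to the `<a>` tags would also keep the opened page from reaching `window.opener`. The same applies to the identical change in `include/functions.php`; the enclosing method starts and ends outside the hunk.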
index f37578ba3704b9b89d9198a3bcc614ad36e778a4..2fb14097fa7a38d6933b716efd8f0cc2829a452d 100644 (file)
 
                        if ($num_comments > 0) {
                                if ($line["comments"]) {
-                                       $comments_url = $line["comments"];
+                                       $comments_url = htmlspecialchars($line["comments"]);
                                } else {
-                                       $comments_url = $line["link"];
+                                       $comments_url = htmlspecialchars($line["link"]);
                                }
                                $entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
                        } else {
                                if ($line["comments"] && $line["link"] != $line["comments"]) {
-                                       $entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";
+                                       $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
                                }
                        }