Revert "sanitize article content when importing data from feed"

This reverts commit c7fe1b4e9e392e0b9ffa55151c43ea7e2e2ee709.

Conflicts:
	include/functions.php
	include/rssfuncs.php

diff --git a/classes/feeds.php b/classes/feeds.php
index d99aea7c6cd840c78be960f655702cfedbe0775d..e6c9e0e3706a0138406e7e7e9e823ac8f783ffa2 100644 (file)
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -628,8 +628,10 @@ class Feeds extends Handler_Protected {
                                                }\r
                                        }\r
 \r
-#                                      $feed_site_url = $line["site_url"];\r
-                                       $article_content = $line["content_preview"];\r
+                                       $feed_site_url = $line["site_url"];\r
+\r
+                                       $article_content = sanitize($this->link, $line["content_preview"],\r
+                                                       false, false, $feed_site_url);\r
 \r
                                        $reply['content'] .= "<div id=\"POSTNOTE-$id\">";\r
                                        if ($line['note']) {\r

diff --git a/classes/handler/public.php b/classes/handler/public.php
index 0aa86a8442afc1237c09df1995a3885e69166632..d3c3fc094cba5d6bd38dbf7a64643c4fb23ea031 100644 (file)
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -61,7 +61,7 @@ class Handler_Public extends Handler {
                                $tpl->setVariable('ARTICLE_EXCERPT',
                                        truncate_string(strip_tags($line["content_preview"]), 100, '...'), true);
 
-                               $content = $line["content_preview"];
+                               $content = sanitize($this->link, $line["content_preview"], false, $owner_uid);
 
                                if ($line['note']) {
                                        $content = "<div style=\"$note_style\">Article note: " . $line['note'] . "</div>" .
@@ -132,7 +132,7 @@ class Handler_Public extends Handler {
                                $article['link']        = $line['link'];
                                $article['title'] = $line['title'];
                                $article['excerpt'] = truncate_string(strip_tags($line["content_preview"]), 100, '...');
-                               $article['content'] = $line["content_preview"];
+                               $article['content'] = sanitize($this->link, $line["content_preview"], false, $owner_uid);
                                $article['updated'] = date('c', strtotime($line["updated"]));
 
                                if ($line['note']) $article['note'] = $line['note'];

diff --git a/classes/rpc.php b/classes/rpc.php
index 56b13dc51410de584538e260f84040335ce40099..cb3eeda98ff73a6e891e5a335a909eac96d91404 100644 (file)
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -584,7 +584,7 @@ class RPC extends Handler_Protected {
                        FROM ttrss_entries, ttrss_user_entries
                        WHERE id = '$article_id' AND ref_id = id AND owner_uid = ".$_SESSION['uid']);
 
-               $content = db_fetch_result($result, 0, "content");
+               $content = sanitize($this->link, db_fetch_result($result, 0, "content"));
                $title = strip_tags(db_fetch_result($result, 0, "title"));
                $article_url = htmlspecialchars(db_fetch_result($result, 0, "link"));
                $marked = sql_bool_to_bool(db_fetch_result($result, 0, "marked"));

diff --git a/include/functions.php b/include/functions.php
index 2994dd438a2dcd08aec6d2d9cca16ef12fad0526..7a5211b5a8ce2117cd0f67bb07d69722a18beb15 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -2686,7 +2686,7 @@
 
        }
 
-       function sanitize($link, $str, $owner = false, $site_url = false) {
+       function sanitize($link, $str, $force_strip_tags = false, $owner = false, $site_url = false) {
                if (!$owner) $owner = $_SESSION["uid"];
 
                $res = trim($str); if (!$res) return '';
@@ -3626,6 +3626,13 @@
                }
        } // function encrypt_password
 
+       function sanitize_article_content($text) {
+               # we don't support CDATA sections in articles, they break our own escaping
+               $text = preg_replace("/\[\[CDATA/", "", $text);
+               $text = preg_replace("/\]\]\>/", "", $text);
+               return db_escape_string($text, false);
+       }
+
        function load_filters($link, $feed_id, $owner_uid, $action_id = false) {
                $filters = array();
 

diff --git a/include/rssfuncs.php b/include/rssfuncs.php
index e413743b6013d28128be6474b6673835bb6e4eb0..fbe671ca4a71a55423497dae286baa7a2933b820 100644 (file)
--- a/include/rssfuncs.php
+++ b/include/rssfuncs.php
@@ -770,8 +770,8 @@
                                }
 
                                # sanitize content
-                               $entry_content = db_escape_string(sanitize($link, $entry_content, $owner_uid, $site_url));
-                               $entry_title = db_escape_string(strip_tags($entry_title));
+                               $entry_content = sanitize_article_content($entry_content);
+                               $entry_title = sanitize_article_content($entry_title);
 
                                if ($debug_enabled) {
                                        _debug("update_rss_feed: done collecting data [TITLE:$entry_title]");