api: sanitize article content
authorAndrew Dolgov <fox@madoka.volgo-balt.ru>
Mon, 29 Oct 2012 12:01:41 +0000 (16:01 +0400)
committerAndrew Dolgov <fox@madoka.volgo-balt.ru>
Mon, 29 Oct 2012 12:01:41 +0000 (16:01 +0400)
classes/api.php
include/functions.php

index 744e67ce6d4f5020761920bd42c154f6bafd6ce3..6e5ed4aa8f628486b655cd2420ff7ad3ab9bd3d1 100644 (file)
@@ -187,6 +187,7 @@ class API extends Handler {
                        $include_attachments = (bool)db_escape_string($_REQUEST["include_attachments"]);
                        $since_id = (int)db_escape_string($_REQUEST["since_id"]);
                        $include_nested = (bool)db_escape_string($_REQUEST["include_nested"]);
+                       $sanitize_content = true;
 
                        /* do not rely on params below */
 
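Review bot: `$sanitize_content = true;` is a fixed value placed directly among the request-derived parameters, and nothing on the line says whether it is a deliberate server-side decision or a placeholder for a future `$_REQUEST` option. If it is meant to stay out of the client's control, a comment should say so, e.g. `// always sanitize article content for API clients; intentionally not a request parameter`. The same applies at the call site in the next hunk, where it travels as one more unlabelled positional argument to api_get_headlines. The enclosing method continues outside the hunk.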
@@ -197,7 +198,7 @@ class API extends Handler {
                        $headlines = api_get_headlines($this->link, $feed_id, $limit, $offset,
                                $filter, $is_cat, $show_excerpt, $show_content, $view_mode, false,
                                $include_attachments, $since_id, $search, $search_mode, $match_on,
-                               $include_nested);
+                               $include_nested, $sanitize_content);
 
                        print $this->wrap(self::STATUS_OK, $headlines);
                } else {
index 7a5211b5a8ce2117cd0f67bb07d69722a18beb15..263d9d8fee30a735489a88ca6352cbb0023df05c 100644 (file)
        function api_get_headlines($link, $feed_id, $limit, $offset,
                                $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $order,
                                $include_attachments, $since_id,
-                               $search = "", $search_mode = "", $match_on = "", $include_nested = false) {
+                               $search = "", $search_mode = "", $match_on = "",
+                               $include_nested = false, $sanitize_content = true) {
 
                        $qfh_ret = queryFeedHeadlines($link, $feed_id, $limit,
                                $view_mode, $is_cat, $search, $search_mode, $match_on,
                                }
 
                                if ($show_content) {
-                                       $headline_row["content"] = $line["content_preview"];
+                                       if ($sanitize_content) {
+                                               $headline_row["content"] = sanitize($link,
+                                                       $line["content_preview"], false, false, $line["site_url"]);
+                                       } else {
+                                               $headline_row["content"] = $line["content_preview"];
+                                       }
                                }
 
                                // unify label output to ease parsing
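Review bot: The two positional `false, false` arguments to sanitize() give the reader no hint what they switch off, and `$line["site_url"]` is read without a guard, so a row with no site_url hands sanitize() a null; whether that is acceptable depends on sanitize()'s signature, which is not visible here. A comment naming the two booleans using sanitize()'s own parameter names, and an isset() fallback for the site_url value, would make this branch self-explanatory. Only the `$show_content` branch is gated by the flag; if the excerpt branch earlier in this function also emits text derived from content_preview, it is presumably not covered and is worth checking. api_get_headlines starts outside the hunk.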