force strip_tags() on all user input unless explicitly allowed

classes/api.php

@@ -26,7 +26,7 @@ class API extends Handler {
 				return false;
 			}
 
-			$this->seq = (int) $_REQUEST['seq'];
+			$this->seq = (int) clean($_REQUEST['seq']);
 
 			return true;
 		}
@@ -53,9 +53,9 @@ class API extends Handler {
 		@session_destroy();
 		@session_start();
 
-		$login = $_REQUEST["user"];
-		$password = $_REQUEST["password"];
-		$password_base64 = base64_decode($_REQUEST["password"]);
+		$login = clean($_REQUEST["user"]);
+		$password = clean($_REQUEST["password"]);
+		$password_base64 = base64_decode(clean($_REQUEST["password"]));
 
 		if (SINGLE_USER_MODE) $login = "admin";
 
@@ -100,8 +100,8 @@ class API extends Handler {
 	}
 
 	function getUnread() {
-		$feed_id = $_REQUEST["feed_id"];
-		$is_cat = $_REQUEST["is_cat"];
+		$feed_id = clean($_REQUEST["feed_id"]);
+		$is_cat = clean($_REQUEST["is_cat"]);
 
 		if ($feed_id) {
 			$this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat)));
@@ -116,11 +116,11 @@ class API extends Handler {
 	}
 
 	function getFeeds() {
-		$cat_id = $_REQUEST["cat_id"];
-		$unread_only = API::param_to_bool($_REQUEST["unread_only"]);
-		$limit = (int) $_REQUEST["limit"];
-		$offset = (int) $_REQUEST["offset"];
-		$include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+		$cat_id = clean($_REQUEST["cat_id"]);
+		$unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+		$limit = (int) clean($_REQUEST["limit"]);
+		$offset = (int) clean($_REQUEST["offset"]);
+		$include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
 
 		$feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
 
@@ -128,9 +128,9 @@ class API extends Handler {
 	}
 
 	function getCategories() {
-		$unread_only = API::param_to_bool($_REQUEST["unread_only"]);
-		$enable_nested = API::param_to_bool($_REQUEST["enable_nested"]);
-		$include_empty = API::param_to_bool($_REQUEST['include_empty']);
+		$unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+		$enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
+		$include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 
 		// TODO do not return empty categories, return Uncategorized and standard virtual cats
 
@@ -185,39 +185,39 @@ class API extends Handler {
 	}
 
 	function getHeadlines() {
-		$feed_id = $_REQUEST["feed_id"];
+		$feed_id = clean($_REQUEST["feed_id"]);
 		if ($feed_id != "") {
 
 			if (is_numeric($feed_id)) $feed_id = (int) $feed_id;
 
-			$limit = (int)$_REQUEST["limit"];
+			$limit = (int)clean($_REQUEST["limit"]);
 
 			if (!$limit || $limit >= 200) $limit = 200;
 
-			$offset = (int)$_REQUEST["skip"];
-			$filter = $_REQUEST["filter"];
-			$is_cat = API::param_to_bool($_REQUEST["is_cat"]);
-			$show_excerpt = API::param_to_bool($_REQUEST["show_excerpt"]);
-			$show_content = API::param_to_bool($_REQUEST["show_content"]);
+			$offset = (int)clean($_REQUEST["skip"]);
+			$filter = clean($_REQUEST["filter"]);
+			$is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));
+			$show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"]));
+			$show_content = API::param_to_bool(clean($_REQUEST["show_content"]));
 			/* all_articles, unread, adaptive, marked, updated */
-			$view_mode = $_REQUEST["view_mode"];
-			$include_attachments = API::param_to_bool($_REQUEST["include_attachments"]);
-			$since_id = (int)$_REQUEST["since_id"];
-			$include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+			$view_mode = clean($_REQUEST["view_mode"]);
+			$include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"]));
+			$since_id = (int)clean($_REQUEST["since_id"]);
+			$include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
 			$sanitize_content = !isset($_REQUEST["sanitize"]) ||
 				API::param_to_bool($_REQUEST["sanitize"]);
-			$force_update = API::param_to_bool($_REQUEST["force_update"]);
-			$has_sandbox = API::param_to_bool($_REQUEST["has_sandbox"]);
-			$excerpt_length = (int)$_REQUEST["excerpt_length"];
-			$check_first_id = (int)$_REQUEST["check_first_id"];
-			$include_header = API::param_to_bool($_REQUEST["include_header"]);
+			$force_update = API::param_to_bool(clean($_REQUEST["force_update"]));
+			$has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"]));
+			$excerpt_length = (int)clean($_REQUEST["excerpt_length"]);
+			$check_first_id = (int)clean($_REQUEST["check_first_id"]);
+			$include_header = API::param_to_bool(clean($_REQUEST["include_header"]));
 
 			$_SESSION['hasSandbox'] = $has_sandbox;
 
 			$skip_first_id_check = false;
 
 			$override_order = false;
-			switch ($_REQUEST["order_by"]) {
+			switch (clean($_REQUEST["order_by"])) {
 				case "title":
 					$override_order = "ttrss_entries.title, date_entered, updated";
 					break;
@@ -232,7 +232,7 @@ class API extends Handler {
 
 			/* do not rely on params below */
 
-			$search = $_REQUEST["search"];
+			$search = clean($_REQUEST["search"]);
 
 			list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset,
 				$filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order,
@@ -250,10 +250,10 @@ class API extends Handler {
 	}
 
 	function updateArticle() {
-		$article_ids = explode(",", $_REQUEST["article_ids"]);
-		$mode = (int) $_REQUEST["mode"];
-		$data = $_REQUEST["data"];
-		$field_raw = (int)$_REQUEST["field"];
+		$article_ids = explode(",", clean($_REQUEST["article_ids"]));
+		$mode = (int) clean($_REQUEST["mode"]);
+		$data = clean($_REQUEST["data"]);
+		$field_raw = (int)clean($_REQUEST["field"]);
 
 		$field = "";
 		$set_to = "";
@@ -321,7 +321,7 @@ class API extends Handler {
 
 	function getArticle() {
 
-		$article_ids = explode(",", $_REQUEST["article_id"]);
+		$article_ids = explode(",", clean($_REQUEST["article_id"]));
 		$sanitize_content = !isset($_REQUEST["sanitize"]) ||
 			API::param_to_bool($_REQUEST["sanitize"]);
 
@@ -407,7 +407,7 @@ class API extends Handler {
 	}
 
 	function updateFeed() {
-		$feed_id = (int) $_REQUEST["feed_id"];
+		$feed_id = (int) clean($_REQUEST["feed_id"]);
 
 		if (!ini_get("open_basedir")) {
 			RSSUtils::update_rss_feed($feed_id);
@@ -417,8 +417,8 @@ class API extends Handler {
 	}
 
 	function catchupFeed() {
-		$feed_id = $_REQUEST["feed_id"];
-		$is_cat = $_REQUEST["is_cat"];
+		$feed_id = clean($_REQUEST["feed_id"]);
+		$is_cat = clean($_REQUEST["is_cat"]);
 
 		Feeds::catchup_feed($feed_id, $is_cat);
 
@@ -426,13 +426,13 @@ class API extends Handler {
 	}
 
 	function getPref() {
-		$pref_name = $_REQUEST["pref_name"];
+		$pref_name = clean($_REQUEST["pref_name"]);
 
 		$this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name)));
 	}
 
 	function getLabels() {
-		$article_id = (int)$_REQUEST['article_id'];
+		$article_id = (int)clean($_REQUEST['article_id']);
 
 		$rv = array();
 
@@ -469,9 +469,9 @@ class API extends Handler {
 
 	function setArticleLabel() {
 
-		$article_ids = explode(",", $_REQUEST["article_ids"]);
-		$label_id = (int) $_REQUEST['label_id'];
-		$assign = API::param_to_bool($_REQUEST['assign']);
+		$article_ids = explode(",", clean($_REQUEST["article_ids"]));
+		$label_id = (int) clean($_REQUEST['label_id']);
+		$assign = API::param_to_bool(clean($_REQUEST['assign']));
 
 		$label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]);
 
@@ -510,9 +510,9 @@ class API extends Handler {
 	}
 
 	function shareToPublished() {
-		$title = strip_tags($_REQUEST["title"]);
-		$url = strip_tags($_REQUEST["url"]);
-		$content = strip_tags($_REQUEST["content"]);
+		$title = strip_tags(clean($_REQUEST["title"]));
+		$url = strip_tags(clean($_REQUEST["url"]));
+		$content = strip_tags(clean($_REQUEST["content"]));
 
 		if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
 			$this->wrap(self::STATUS_OK, array("status" => 'OK'));
@@ -809,7 +809,7 @@ class API extends Handler {
 	}
 
 	function unsubscribeFeed() {
-		$feed_id = (int) $_REQUEST["feed_id"];
+		$feed_id = (int) clean($_REQUEST["feed_id"]);
 
 		$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
 			id = ? AND owner_uid = ?");
@@ -824,10 +824,10 @@ class API extends Handler {
 	}
 
 	function subscribeToFeed() {
-		$feed_url = $_REQUEST["feed_url"];
-		$category_id = (int) $_REQUEST["category_id"];
-		$login = $_REQUEST["login"];
-		$password = $_REQUEST["password"];
+		$feed_url = clean($_REQUEST["feed_url"]);
+		$category_id = (int) clean($_REQUEST["category_id"]);
+		$login = clean($_REQUEST["login"]);
+		$password = clean($_REQUEST["password"]);
 
 		if ($feed_url) {
 			$rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password);
@@ -839,7 +839,7 @@ class API extends Handler {
 	}
 
 	function getFeedTree() {
-		$include_empty = API::param_to_bool($_REQUEST['include_empty']);
+		$include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 
 		$pf = new Pref_Feeds($_REQUEST);
 

classes/article.php

@@ -8,7 +8,7 @@ class Article extends Handler_Protected {
 	}
 
 	function redirect() {
-		$id = $_REQUEST['id'];
+		$id = clean($_REQUEST['id']);
 
 		$sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries
 						WHERE id = ? AND id = ref_id AND owner_uid = ?
@@ -28,9 +28,9 @@ class Article extends Handler_Protected {
 	}
 
 	function view() {
-		$id = $_REQUEST["id"];
-		$cids = explode(",", $_REQUEST["cids"]);
-		$mode = $_REQUEST["mode"];
+		$id = clean($_REQUEST["id"]);
+		$cids = explode(",", clean($_REQUEST["cids"]));
+		$mode = clean($_REQUEST["mode"]);
 
 		// in prefetch mode we only output requested cids, main article
 		// just gets marked as read (it already exists in client cache)
@@ -210,7 +210,7 @@ class Article extends Handler_Protected {
 
 		print __("Tags for this article (separated by commas):")."<br>";
 
-		$param = $_REQUEST['param'];
+		$param = clean($_REQUEST['param']);
 
 		$tags = Article::get_article_tags($param);
 
@@ -241,8 +241,8 @@ class Article extends Handler_Protected {
 	}
 
 	function setScore() {
-		$ids = explode(",", $_REQUEST['id']);
-		$score = (int)$_REQUEST['score'];
+		$ids = explode(",", clean($_REQUEST['id']));
+		$score = (int)clean($_REQUEST['score']);
 
 		$ids_qmarks = arr_qmarks($ids);
 
@@ -257,7 +257,7 @@ class Article extends Handler_Protected {
 	}
 
 	function getScore() {
-		$id = $_REQUEST['id'];
+		$id = clean($_REQUEST['id']);
 
 		$sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?");
 		$sth->execute([$id, $_SESSION['uid']]);
@@ -273,9 +273,9 @@ class Article extends Handler_Protected {
 
 	function setArticleTags() {
 
-		$id = $_REQUEST["id"];
+		$id = clean($_REQUEST["id"]);
 
-		$tags_str = $_REQUEST["tags_str"];
+		$tags_str = clean($_REQUEST["tags_str"]);
 		$tags = array_unique(trim_array(explode(",", $tags_str)));
 
 		$this->pdo->beginTransaction();
@@ -342,7 +342,7 @@ class Article extends Handler_Protected {
 
 
 	function completeTags() {
-		$search = $_REQUEST["search"];
+		$search = clean($_REQUEST["search"]);
 
 		$sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags
 				WHERE owner_uid = ? AND
@@ -369,8 +369,8 @@ class Article extends Handler_Protected {
 	private function labelops($assign) {
 		$reply = array();
 
-		$ids = explode(",", $_REQUEST["ids"]);
-		$label_id = $_REQUEST["lid"];
+		$ids = explode(",", clean($_REQUEST["ids"]));
+		$label_id = clean($_REQUEST["lid"]);
 
 		$label = db_escape_string(Labels::find_caption($label_id,
 		$_SESSION["uid"]));

classes/backend.php

@@ -84,7 +84,7 @@ class Backend extends Handler {
 	}
 
 	function help() {
-		$topic = basename($_REQUEST["topic"]);
+		$topic = basename(clean($_REQUEST["topic"]));
 
 		switch ($topic) {
 		case "main":

classes/handler/public.php

@@ -139,7 +139,7 @@ class Handler_Public extends Handler {
 			$tpl->addBlock('feed');
 			$tpl->generateOutputToString($tmp);
 
-			if (@!$_REQUEST["noxml"]) {
+			if (@!clean($_REQUEST["noxml"])) {
 				header("Content-Type: text/xml; charset=utf-8");
 			} else {
 				header("Content-Type: text/plain; charset=utf-8");
@@ -219,8 +219,8 @@ class Handler_Public extends Handler {
 	}
 
 	function getUnread() {
-		$login = $_REQUEST["login"];
-		$fresh = $_REQUEST["fresh"] == "1";
+		$login = clean($_REQUEST["login"]);
+		$fresh = clean($_REQUEST["fresh"]) == "1";
 
 		$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
 		$sth->execute([$login]);
@@ -241,7 +241,7 @@ class Handler_Public extends Handler {
 	}
 
 	function getProfiles() {
-		$login = $_REQUEST["login"];
+		$login = clean($_REQUEST["login"]);
 
 		$sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
 			WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
@@ -267,7 +267,7 @@ class Handler_Public extends Handler {
 	}
 
 	function share() {
-		$uuid = $_REQUEST["key"];
+		$uuid = clean($_REQUEST["key"]);
 
 		$sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
 			uuid = ?");
@@ -290,19 +290,19 @@ class Handler_Public extends Handler {
 	}
 
 	function rss() {
-		$feed = $_REQUEST["id"];
-		$key = $_REQUEST["key"];
-		$is_cat = $_REQUEST["is_cat"];
-		$limit = (int)$_REQUEST["limit"];
-		$offset = (int)$_REQUEST["offset"];
+		$feed = clean($_REQUEST["id"]);
+		$key = clean($_REQUEST["key"]);
+		$is_cat = clean($_REQUEST["is_cat"]);
+		$limit = (int)clean($_REQUEST["limit"]);
+		$offset = (int)clean($_REQUEST["offset"]);
 
-		$search = $_REQUEST["q"];
-		$view_mode = $_REQUEST["view-mode"];
-		$order = $_REQUEST["order"];
-		$start_ts = $_REQUEST["ts"];
+		$search = clean($_REQUEST["q"]);
+		$view_mode = clean($_REQUEST["view-mode"]);
+		$order = clean($_REQUEST["order"]);
+		$start_ts = clean($_REQUEST["ts"]);
 
-		$format = $_REQUEST['format'];
-		$orig_guid = $_REQUEST["orig_guid"];
+		$format = clean($_REQUEST['format']);
+		$orig_guid = clean($_REQUEST["orig_guid"]);
 
 		if (!$format) $format = 'atom';
 
@@ -359,16 +359,16 @@ class Handler_Public extends Handler {
 		print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
 			</head><body id='sharepopup' class='ttrss_utility'>";
 
-		$action = $_REQUEST["action"];
+		$action = clean($_REQUEST["action"]);
 
 		if ($_SESSION["uid"]) {
 
 			if ($action == 'share') {
 
-				$title = strip_tags($_REQUEST["title"]);
-				$url = strip_tags($_REQUEST["url"]);
-				$content = strip_tags($_REQUEST["content"]);
-				$labels = strip_tags($_REQUEST["labels"]);
+				$title = strip_tags(clean($_REQUEST["title"]));
+				$url = strip_tags(clean($_REQUEST["url"]));
+				$content = strip_tags(clean($_REQUEST["content"]));
+				$labels = strip_tags(clean($_REQUEST["labels"]));
 
 				Article::create_published_article($title, $url, $content, $labels,
 					$_SESSION["uid"]);
@@ -378,8 +378,8 @@ class Handler_Public extends Handler {
 				print "</script>";
 
 			} else {
-				$title = htmlspecialchars($_REQUEST["title"]);
-				$url = htmlspecialchars($_REQUEST["url"]);
+				$title = htmlspecialchars(clean($_REQUEST["title"]));
+				$url = htmlspecialchars(clean($_REQUEST["url"]));
 
 				?>
 
@@ -466,9 +466,9 @@ class Handler_Public extends Handler {
 	function login() {
 		if (!SINGLE_USER_MODE) {
 
-			$login = $_POST["login"];
-			$password = $_POST["password"];
-			$remember_me = $_POST["remember_me"];
+			$login = clean($_POST["login"]);
+			$password = clean($_POST["password"]);
+			$remember_me = clean($_POST["remember_me"]);
 
 			if ($remember_me) {
 				session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@@ -486,11 +486,11 @@ class Handler_Public extends Handler {
 				}
 
 				$_SESSION["ref_schema_version"] = get_schema_version(true);
-				$_SESSION["bw_limit"] = !!$_POST["bw_limit"];
+				$_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]);
 
-				if ($_POST["profile"]) {
+				if (clean($_POST["profile"])) {
 
-					$profile = $_POST["profile"];
+					$profile = clean($_POST["profile"]);
 
 					$sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
 						WHERE id = ? AND owner_uid = ?");
@@ -505,8 +505,8 @@ class Handler_Public extends Handler {
 				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 			}
 
-			if ($_REQUEST['return']) {
-				header("Location: " . $_REQUEST['return']);
+			if (clean($_REQUEST['return'])) {
+				header("Location: " . clean($_REQUEST['return']));
 			} else {
 				header("Location: " . get_self_url_prefix());
 			}
@@ -516,7 +516,7 @@ class Handler_Public extends Handler {
 	/* function subtest() {
 		header("Content-type: text/plain; charset=utf-8");
 
-		$url = $_REQUEST["url"];
+		$url = clean($_REQUEST["url"]);
 
 		print "$url\n\n";
 
@@ -532,7 +532,7 @@ class Handler_Public extends Handler {
 
 		if ($_SESSION["uid"]) {
 
-			$feed_url = trim($_REQUEST["feed_url"]);
+			$feed_url = trim(clean($_REQUEST["feed_url"]));
 
 			header('Content-Type: text/html; charset=utf-8');
 			print "<html>
@@ -638,7 +638,7 @@ class Handler_Public extends Handler {
 	function forgotpass() {
 		startup_gettext();
 
-		@$hash = $_REQUEST["hash"];
+		@$hash = clean($_REQUEST["hash"]);
 
 		header('Content-Type: text/html; charset=utf-8');
 		print "<html><head><title>Tiny Tiny RSS</title>
@@ -656,10 +656,10 @@ class Handler_Public extends Handler {
 		print "<h1>".__("Password recovery")."</h1>";
 		print "<div class='content'>";
 
-		@$method = $_POST['method'];
+		@$method = clean($_POST['method']);
 
 		if ($hash) {
-			$login = $_REQUEST["login"];
+			$login = clean($_REQUEST["login"]);
 
 			if ($login) {
 				$sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
@@ -725,9 +725,9 @@ class Handler_Public extends Handler {
 			print "</form>";
 		} else if ($method == 'do') {
 
-			$login = $_POST["login"];
-			$email = $_POST["email"];
-			$test = $_POST["test"];
+			$login = clean($_POST["login"]);
+			$email = clean($_POST["email"]);
+			$test = clean($_POST["test"]);
 
 			if (($test != 4 && $test != 'four') || !$email || !$login) {
 				print_error(__('Some of the required form parameters are missing or incorrect.'));
@@ -852,7 +852,7 @@ class Handler_Public extends Handler {
 			<div class="content">
 
 			<?php
-				@$op = $_REQUEST["subop"];
+				@$op = clean($_REQUEST["subop"]);
 				$updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION);
 
 				if ($op == "performupdate") {
@@ -968,8 +968,8 @@ class Handler_Public extends Handler {
 	public function pluginhandler() {
 		$host = new PluginHost();
 
-		$plugin = basename($_REQUEST["plugin"]);
-		$method = $_REQUEST["pmethod"];
+		$plugin = basename(clean($_REQUEST["plugin"]));
+		$method = clean($_REQUEST["pmethod"]);
 
 		$host->load($plugin, PluginHost::KIND_USER, 0);
 		$host->load_data();

classes/pluginhandler.php

@@ -5,7 +5,7 @@ class PluginHandler extends Handler_Protected {
 	}
 
 	function catchall($method) {
-		$plugin = PluginHost::getInstance()->get_plugin($_REQUEST["plugin"]);
+		$plugin = PluginHost::getInstance()->get_plugin(clean($_REQUEST["plugin"]));
 
 		if ($plugin) {
 			if (method_exists($plugin, $method)) {

classes/pref/feeds.php

@@ -17,8 +17,8 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function renamecat() {
-		$title = $_REQUEST['title'];
-		$id = $_REQUEST['id'];
+		$title = clean($_REQUEST['title']);
+		$id = clean($_REQUEST['id']);
 
 		if ($title) {
 			$sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET
@@ -29,14 +29,14 @@ class Pref_Feeds extends Handler_Protected {
 
 	private function get_category_items($cat_id) {
 
-		if ($_REQUEST['mode'] != 2)
+		if (clean($_REQUEST['mode']) != 2)
 			$search = $_SESSION["prefs_feed_search"];
 		else
 			$search = "";
 
 		// first one is set by API
-		$show_empty_cats = $_REQUEST['force_show_empty'] ||
-			($_REQUEST['mode'] != 2 && !$search);
+		$show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+			(clean($_REQUEST['mode']) != 2 && !$search);
 
 		$items = array();
 
@@ -103,7 +103,7 @@ class Pref_Feeds extends Handler_Protected {
 
 	function makefeedtree() {
 
-		if ($_REQUEST['mode'] != 2)
+		if (clean($_REQUEST['mode']) != 2)
 			$search = $_SESSION["prefs_feed_search"];
 		else
 			$search = "";
@@ -116,7 +116,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		$enable_cats = get_pref('ENABLE_FEED_CATS');
 
-		if ($_REQUEST['mode'] == 2) {
+		if (clean($_REQUEST['mode']) == 2) {
 
 			if ($enable_cats) {
 				$cat = $this->feedlist_init_cat(-1);
@@ -193,8 +193,8 @@ class Pref_Feeds extends Handler_Protected {
 		}
 
 		if ($enable_cats) {
-			$show_empty_cats = $_REQUEST['force_show_empty'] ||
-				($_REQUEST['mode'] != 2 && !$search);
+			$show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+				(clean($_REQUEST['mode']) != 2 && !$search);
 
 			$sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories
 				WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title");
@@ -303,7 +303,7 @@ class Pref_Feeds extends Handler_Protected {
 		$fl['identifier'] = 'id';
 		$fl['label'] = 'name';
 
-		if ($_REQUEST['mode'] != 2) {
+		if (clean($_REQUEST['mode']) != 2) {
 			$fl['items'] = array($root);
 		} else {
 			$fl['items'] = $root['items'];
@@ -389,9 +389,9 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function savefeedorder() {
-		$data = json_decode($_POST['payload'], true);
+		$data = json_decode(clean($_POST['payload']), true);
 
-		#file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+		#file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
 		#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
 
 		if (!is_array($data['items']))
@@ -425,7 +425,7 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function removeicon() {
-		$feed_id = $_REQUEST["feed_id"];
+		$feed_id = clean($_REQUEST["feed_id"]);
 
 		$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
 			WHERE id = ? AND owner_uid = ?");
@@ -457,7 +457,7 @@ class Pref_Feeds extends Handler_Protected {
 		}
 
 		$icon_file = $tmp_file;
-		$feed_id = $_REQUEST["feed_id"];
+		$feed_id = clean($_REQUEST["feed_id"]);
 
 		if (is_file($icon_file) && $feed_id) {
 			if (filesize($icon_file) < 65535) {
@@ -500,7 +500,7 @@ class Pref_Feeds extends Handler_Protected {
 		global $update_intervals;
 
 
-		$feed_id = $_REQUEST["id"];
+		$feed_id = clean($_REQUEST["id"]);
 
 		$sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND
 				owner_uid = ?");
@@ -775,7 +775,7 @@ class Pref_Feeds extends Handler_Protected {
 		global $purge_intervals;
 		global $update_intervals;
 
-		$feed_ids = $_REQUEST["ids"];
+		$feed_ids = clean($_REQUEST["ids"]);
 
 		print_notice("Enable the options you wish to apply using checkboxes on the right:");
 
@@ -924,32 +924,32 @@ class Pref_Feeds extends Handler_Protected {
 
 	function editsaveops($batch) {
 
-		$feed_title = trim($_POST["title"]);
-		$feed_url = trim($_POST["feed_url"]);
-		$upd_intl = (int) $_POST["update_interval"];
-		$purge_intl = (int) $_POST["purge_interval"];
-		$feed_id = (int) $_POST["id"]; /* editSave */
-		$feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */
-		$cat_id = (int) $_POST["cat_id"];
-		$auth_login = trim($_POST["auth_login"]);
-		$auth_pass = trim($_POST["auth_pass"]);
-		$private = checkbox_to_sql_bool($_POST["private"]);
+		$feed_title = trim(clean($_POST["title"]));
+		$feed_url = trim(clean($_POST["feed_url"]));
+		$upd_intl = (int) clean($_POST["update_interval"]);
+		$purge_intl = (int) clean($_POST["purge_interval"]);
+		$feed_id = (int) clean($_POST["id"]); /* editSave */
+		$feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */
+		$cat_id = (int) clean($_POST["cat_id"]);
+		$auth_login = trim(clean($_POST["auth_login"]));
+		$auth_pass = trim(clean($_POST["auth_pass"]));
+		$private = checkbox_to_sql_bool(clean($_POST["private"]));
 		$include_in_digest = checkbox_to_sql_bool(
-			$_POST["include_in_digest"]);
+			clean($_POST["include_in_digest"]));
 		$cache_images = checkbox_to_sql_bool(
-			$_POST["cache_images"]);
+			clean($_POST["cache_images"]));
 		$hide_images = checkbox_to_sql_bool(
-			$_POST["hide_images"]);
+			clean($_POST["hide_images"]));
 		$always_display_enclosures = checkbox_to_sql_bool(
-			$_POST["always_display_enclosures"]);
+			clean($_POST["always_display_enclosures"]));
 
 		$mark_unread_on_update = checkbox_to_sql_bool(
-			$_POST["mark_unread_on_update"]);
+			clean($_POST["mark_unread_on_update"]));
 
-		$feed_language = trim($_POST["feed_language"]);
+		$feed_language = trim(clean($_POST["feed_language"]));
 
 		if (!$batch) {
-			if ($_POST["need_auth"] !== 'on') {
+			if (clean($_POST["need_auth"]) !== 'on') {
 				$auth_login = '';
 				$auth_pass = '';
 			}
@@ -1008,7 +1008,7 @@ class Pref_Feeds extends Handler_Protected {
 
 			foreach (array_keys($_POST) as $k) {
 				if ($k != "op" && $k != "method" && $k != "ids") {
-					$feed_data[$k] = $_POST[$k];
+					$feed_data[$k] = clean($_POST[$k]);
 				}
 			}
 
@@ -1102,7 +1102,7 @@ class Pref_Feeds extends Handler_Protected {
 
 	function remove() {
 
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			Pref_Feeds::remove_feed($id, $_SESSION["uid"]);
@@ -1112,14 +1112,14 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function removeCat() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 		foreach ($ids as $id) {
 			$this->remove_feed_category($id, $_SESSION["uid"]);
 		}
 	}
 
 	function addCat() {
-		$feed_cat = trim($_REQUEST["cat"]);
+		$feed_cat = trim(clean($_REQUEST["cat"]));
 
 		add_feed_category($feed_cat);
 	}
@@ -1152,7 +1152,7 @@ class Pref_Feeds extends Handler_Protected {
 				onclick=\"showInactiveFeeds()\">" .
 				__("Inactive feeds") . "</button>";
 
-		$feed_search = $_REQUEST["search"];
+		$feed_search = clean($_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_feed_search"] = $feed_search;
@@ -1675,10 +1675,10 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function batchAddFeeds() {
-		$cat_id = $_REQUEST['cat'];
-		$feeds = explode("\n", $_REQUEST['feeds']);
-		$login = $_REQUEST['login'];
-		$pass = trim($_REQUEST['pass']);
+		$cat_id = clean($_REQUEST['cat']);
+		$feeds = explode("\n", clean($_REQUEST['feeds']));
+		$login = clean($_REQUEST['login']);
+		$pass = trim(clean($_REQUEST['pass']));
 
 		foreach ($feeds as $feed) {
 			$feed = trim($feed);
@@ -1714,8 +1714,8 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function regenFeedKey() {
-		$feed_id = $_REQUEST['id'];
-		$is_cat = $_REQUEST['is_cat'] == "true";
+		$feed_id = clean($_REQUEST['id']);
+		$is_cat = clean($_REQUEST['is_cat']) == "true";
 
 		$new_key = $this->update_feed_access_key($feed_id, $is_cat);
 

classes/pref/filters.php

@@ -16,9 +16,9 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function savefilterorder() {
-		$data = json_decode($_POST['payload'], true);
+		$data = json_decode(clean($_POST['payload']), true);
 
-		#file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+		#file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
 		#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
 
 		if (!is_array($data['items']))
@@ -46,14 +46,14 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function testFilterDo() {
-		$offset = (int) $_REQUEST["offset"];
-		$limit = (int) $_REQUEST["limit"];
+		$offset = (int) clean($_REQUEST["offset"]);
+		$limit = (int) clean($_REQUEST["limit"]);
 
 		$filter = array();
 
 		$filter["enabled"] = true;
-		$filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-		$filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]);
+		$filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+		$filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 
 		$filter["rules"] = array();
 		$filter["actions"] = array("dummy-action");
@@ -68,7 +68,7 @@ class Pref_Filters extends Handler_Protected {
 		$scope_qparts = array();
 
 		$rctr = 0;
-		foreach ($_REQUEST["rule"] AS $r) {
+		foreach (clean($_REQUEST["rule"]) AS $r) {
 			$rule = json_decode($r, true);
 
 			if ($rule && $rctr < 5) {
@@ -354,7 +354,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function edit() {
 
-		$filter_id = $_REQUEST["id"];
+		$filter_id = clean($_REQUEST["id"]);
 
 		$sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2 
 			WHERE id = ? AND owner_uid = ?");
@@ -533,7 +533,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	private function getRuleName($rule) {
-		if (!$rule) $rule = json_decode($_REQUEST["rule"], true);
+		if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
 
 		$feeds = $rule["feed_id"];
 		$feeds_fmt = [];
@@ -573,7 +573,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function printRuleName() {
-		print $this->getRuleName(json_decode($_REQUEST["rule"], true));
+		print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
 	}
 
 	private function getActionName($action) {
@@ -611,19 +611,19 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function printActionName() {
-		print $this->getActionName(json_decode($_REQUEST["action"], true));
+		print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
 	}
 
 	function editSave() {
-		if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+		if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
 			return $this->testFilter();
 		}
 
-		$filter_id = $_REQUEST["id"];
-		$enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
-		$match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-		$inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
-		$title = $_REQUEST["title"];
+		$filter_id = clean($_REQUEST["id"]);
+		$enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+		$match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+		$inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
+		$title = clean($_REQUEST["title"]);
 
 		$this->pdo->beginTransaction();
 
@@ -642,7 +642,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function remove() {
 
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 		$ids_qmarks = arr_qmarks($ids);
 
 		$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks) 
@@ -659,8 +659,8 @@ class Pref_Filters extends Handler_Protected {
 		$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
 		$sth->execute([$filter_id]);
 
-		if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = [];
-		if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = [];
+		if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
+		if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
 		
 		if ($filter_id) {
 			/* create rules */
@@ -668,7 +668,7 @@ class Pref_Filters extends Handler_Protected {
 			$rules = array();
 			$actions = array();
 
-			foreach ($_REQUEST["rule"] as $rule) {
+			foreach (clean($_REQUEST["rule"]) as $rule) {
 				$rule = json_decode($rule, true);
 				unset($rule["id"]);
 
@@ -677,7 +677,7 @@ class Pref_Filters extends Handler_Protected {
 				}
 			}
 
-			foreach ($_REQUEST["action"] as $action) {
+			foreach (clean($_REQUEST["action"]) as $action) {
 				$action = json_decode($action, true);
 				unset($action["id"]);
 
@@ -729,14 +729,14 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function add() {
-		if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+		if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
 			return $this->testFilter();
 		}
 
-		$enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
-		$match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-		$title = $_REQUEST["title"];
-		$inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
+		$enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+		$match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+		$title = clean($_REQUEST["title"]);
+		$inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 
 		$this->pdo->beginTransaction();
 
@@ -762,7 +762,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function index() {
 
-		$filter_search = $_REQUEST["search"];
+		$filter_search = clean($_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_filter_search"] = $filter_search;
@@ -948,7 +948,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function newrule() {
-		$rule = json_decode($_REQUEST["rule"], true);
+		$rule = json_decode(clean($_REQUEST["rule"]), true);
 
 		if ($rule) {
 			$reg_exp = htmlspecialchars($rule["reg_exp"]);
@@ -1022,7 +1022,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function newaction() {
-		$action = json_decode($_REQUEST["action"], true);
+		$action = json_decode(clean($_REQUEST["action"]), true);
 
 		if ($action) {
 			$action_param = $action["action_param"];
@@ -1159,7 +1159,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function join() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		if (count($ids) > 1) {
 			$base_id = array_shift($ids);

classes/pref/labels.php

@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function edit() {
-		$label_id = $_REQUEST['id'];
+		$label_id = clean($_REQUEST['id']);
 
 		$sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
 			id = ? AND owner_uid = ?");
@@ -119,11 +119,11 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function colorset() {
-		$kind = $_REQUEST["kind"];
-		$ids = explode(',', $_REQUEST["ids"]);
-		$color = $_REQUEST["color"];
-		$fg = $_REQUEST["fg"];
-		$bg = $_REQUEST["bg"];
+		$kind = clean($_REQUEST["kind"]);
+		$ids = explode(',', clean($_REQUEST["ids"]));
+		$color = clean($_REQUEST["color"]);
+		$fg = clean($_REQUEST["fg"]);
+		$bg = clean($_REQUEST["bg"]);
 
 		foreach ($ids as $id) {
 
@@ -154,7 +154,7 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function colorreset() {
-		$ids = explode(',', $_REQUEST["ids"]);
+		$ids = explode(',', clean($_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
@@ -174,8 +174,8 @@ class Pref_Labels extends Handler_Protected {
 
 	function save() {
 
-		$id = $_REQUEST["id"];
-		$caption = trim($_REQUEST["caption"]);
+		$id = clean($_REQUEST["id"]);
+		$caption = trim(clean($_REQUEST["caption"]));
 
 		$this->pdo->beginTransaction();
 
@@ -206,7 +206,7 @@ class Pref_Labels extends Handler_Protected {
 
 					$sth->execute([$caption, $old_caption, $_SESSION['uid']]);
 
-					print $_REQUEST["value"];
+					print clean($_REQUEST["value"]);
 				} else {
 					print $old_caption;
 				}
@@ -221,7 +221,7 @@ class Pref_Labels extends Handler_Protected {
 
 	function remove() {
 
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			Labels::remove($id, $_SESSION["uid"]);
@@ -230,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function add() {
-		$caption = $_REQUEST["caption"];
-		$output = $_REQUEST["output"];
+		$caption = clean($_REQUEST["caption"]);
+		$output = clean($_REQUEST["output"]);
 
 		if ($caption) {
 

classes/pref/prefs.php

@@ -60,9 +60,9 @@ class Pref_Prefs extends Handler_Protected {
 
 	function changepassword() {
 
-		$old_pw = $_POST["old_password"];
-		$new_pw = $_POST["new_password"];
-		$con_pw = $_POST["confirm_password"];
+		$old_pw = clean($_POST["old_password"]);
+		$new_pw = clean($_POST["new_password"]);
+		$con_pw = clean($_POST["confirm_password"]);
 
 		if ($old_pw == "") {
 			print "ERROR: ".format_error("Old password cannot be blank.");
@@ -89,7 +89,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function saveconfig() {
-		$boolean_prefs = explode(",", $_POST["boolean_prefs"]);
+		$boolean_prefs = explode(",", clean($_POST["boolean_prefs"]));
 
 		foreach ($boolean_prefs as $pref) {
 			if (!isset($_POST[$pref])) $_POST[$pref] = 'false';
@@ -129,8 +129,8 @@ class Pref_Prefs extends Handler_Protected {
 
 	function changeemail() {
 
-		$email = $_POST["email"];
-		$full_name = $_POST["full_name"];
+		$email = clean($_POST["email"]);
+		$full_name = clean($_POST["full_name"]);
 		$active_uid = $_SESSION["uid"];
 
 		$sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
@@ -880,8 +880,8 @@ class Pref_Prefs extends Handler_Protected {
 		require_once "lib/otphp/lib/otp.php";
 		require_once "lib/otphp/lib/totp.php";
 
-		$password = $_REQUEST["password"];
-		$otp = $_REQUEST["otp"];
+		$password = clean($_REQUEST["password"]);
+		$otp = clean($_REQUEST["otp"]);
 
 		$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
 
@@ -930,7 +930,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function otpdisable() {
-		$password = $_REQUEST["password"];
+		$password = clean($_REQUEST["password"]);
 
 		$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
 
@@ -948,8 +948,8 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function setplugins() {
-		if (is_array($_REQUEST["plugins"]))
-			$plugins = join(",", $_REQUEST["plugins"]);
+		if (is_array(clean($_REQUEST["plugins"])))
+			$plugins = join(",", clean($_REQUEST["plugins"]));
 		else
 			$plugins = "";
 
@@ -957,7 +957,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function clearplugindata() {
-		$name = $_REQUEST["name"];
+		$name = clean($_REQUEST["name"]);
 
 		PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name));
 	}

classes/pref/users.php

@@ -25,7 +25,7 @@ class Pref_Users extends Handler_Protected {
 
 			print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
 
-			$id = (int) $_REQUEST["id"];
+			$id = (int) clean($_REQUEST["id"]);
 
 			print_hidden("id", "$id");
 			print_hidden("op", "pref-users");
@@ -108,7 +108,7 @@ class Pref_Users extends Handler_Protected {
 		}
 
 		function userdetails() {
-			$id = (int) $_REQUEST["id"];
+			$id = (int) clean($_REQUEST["id"]);
 
 			$sth = $this->pdo->prepare("SELECT login,
 				".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
@@ -177,11 +177,11 @@ class Pref_Users extends Handler_Protected {
 		}
 
 		function editSave() {
-			$login = trim($_REQUEST["login"]);
-			$uid = $_REQUEST["id"];
-			$access_level = (int) $_REQUEST["access_level"];
-			$email = trim($_REQUEST["email"]);
-			$password = $_REQUEST["password"];
+			$login = trim(clean($_REQUEST["login"]));
+			$uid = clean($_REQUEST["id"]);
+			$access_level = (int) clean($_REQUEST["access_level"]);
+			$email = trim(clean($_REQUEST["email"]));
+			$password = clean($_REQUEST["password"]);
 
 			if ($password) {
 				$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -199,7 +199,7 @@ class Pref_Users extends Handler_Protected {
 		}
 
 		function remove() {
-			$ids = explode(",", $_REQUEST["ids"]);
+			$ids = explode(",", clean($_REQUEST["ids"]));
 
 			foreach ($ids as $id) {
 				if ($id != $_SESSION["uid"] && $id != 1) {
@@ -217,7 +217,7 @@ class Pref_Users extends Handler_Protected {
 
 		function add() {
 
-			$login = trim($_REQUEST["login"]);
+			$login = trim(clean($_REQUEST["login"]));
 			$tmp_user_pwd = make_password(8);
 			$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -316,7 +316,7 @@ class Pref_Users extends Handler_Protected {
 		}
 
 		function resetPass() {
-			$uid = $_REQUEST["id"];
+			$uid = clean($_REQUEST["id"]);
 			Pref_Users::resetUserPassword($uid, true);
 		}
 
@@ -329,7 +329,7 @@ class Pref_Users extends Handler_Protected {
 
 			print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
 
-			$user_search = trim($_REQUEST["search"]);
+			$user_search = trim(clean($_REQUEST["search"]));
 
 			if (array_key_exists("search", $_REQUEST)) {
 				$_SESSION["prefs_user_search"] = $user_search;
@@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected {
 					__('Search')."</button>
 				</div>";
 
-			$sort = $_REQUEST["sort"];
+			$sort = clean($_REQUEST["sort"]);
 
 			if (!$sort || $sort == "undefined") {
 				$sort = "login";

classes/rpc.php

@@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
 	}
 
 	function setprofile() {
-		$_SESSION["profile"] = $_REQUEST["id"];
+		$_SESSION["profile"] = clean($_REQUEST["id"]);
 
 		// default value
 		if (!$_SESSION["profile"]) $_SESSION["profile"] = null;
 	}
 
 	function remprofiles() {
-		$ids = explode(",", trim($_REQUEST["ids"]));
+		$ids = explode(",", trim(clean($_REQUEST["ids"])));
 
 		foreach ($ids as $id) {
 			if ($_SESSION["profile"] != $id) {
@@ -28,7 +28,7 @@ class RPC extends Handler_Protected {
 
 	// Silent
 	function addprofile() {
-		$title = trim($_REQUEST["title"]);
+		$title = trim(clean($_REQUEST["title"]));
 
 		if ($title) {
 			$this->pdo->beginTransaction();
@@ -62,8 +62,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function saveprofile() {
-		$id = $_REQUEST["id"];
-		$title = trim($_REQUEST["value"]);
+		$id = clean($_REQUEST["id"]);
+		$title = trim(clean($_REQUEST["value"]));
 
 		if ($id == 0) {
 			print __("Default profile");
@@ -82,7 +82,7 @@ class RPC extends Handler_Protected {
 
 	// Silent
 	function remarchive() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		$sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE
 		  		(SELECT COUNT(*) FROM ttrss_user_entries
@@ -95,10 +95,10 @@ class RPC extends Handler_Protected {
 	}
 
 	function addfeed() {
-		$feed = $_REQUEST['feed'];
-		$cat = $_REQUEST['cat'];
-		$login = $_REQUEST['login'];
-		$pass = trim($_REQUEST['pass']);
+		$feed = clean($_REQUEST['feed']);
+		$cat = clean($_REQUEST['cat']);
+		$login = clean($_REQUEST['login']);
+		$pass = trim(clean($_REQUEST['pass']));
 
 		$rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
 
@@ -106,7 +106,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function togglepref() {
-		$key = $_REQUEST["key"];
+		$key = clean($_REQUEST["key"]);
 		set_pref($key, !get_pref($key));
 		$value = get_pref($key);
 
@@ -115,8 +115,8 @@ class RPC extends Handler_Protected {
 
 	function setpref() {
 		// set_pref escapes input, so no need to double escape it here
-		$key = $_REQUEST['key'];
-		$value = str_replace("\n", "<br/>", $_REQUEST['value']);
+		$key = clean($_REQUEST['key']);
+		$value = nl2br($_REQUEST['value']);
 
 		set_pref($key, $value, false, $key != 'USER_STYLESHEET');
 
@@ -124,8 +124,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function mark() {
-		$mark = $_REQUEST["mark"];
-		$id = $_REQUEST["id"];
+		$mark = clean($_REQUEST["mark"]);
+		$id = clean($_REQUEST["id"]);
 
 		$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?,
 					last_marked = NOW()
@@ -137,7 +137,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function delete() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 		$ids_qmarks = arr_qmarks($ids);
 
 		$sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries
@@ -150,7 +150,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function unarchive() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			$this->pdo->beginTransaction();
@@ -203,7 +203,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function archive() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			$this->archive_article($id, $_SESSION["uid"]);
@@ -257,8 +257,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function publ() {
-		$pub = $_REQUEST["pub"];
-		$id = $_REQUEST["id"];
+		$pub = clean($_REQUEST["pub"]);
+		$id = clean($_REQUEST["id"]);
 
 		$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET
 			published = ?, last_published = NOW()
@@ -270,7 +270,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function getAllCounters() {
-		$last_article_id = (int) $_REQUEST["last_article_id"];
+		$last_article_id = (int) clean($_REQUEST["last_article_id"]);
 
 		$reply = array();
 
@@ -287,8 +287,8 @@ class RPC extends Handler_Protected {
 
 	/* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
 	function catchupSelected() {
-		$ids = explode(",", $_REQUEST["ids"]);
-		$cmode = sprintf("%d", $_REQUEST["cmode"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
+		$cmode = sprintf("%d", clean($_REQUEST["cmode"]));
 
 		Article::catchupArticlesById($ids, $cmode);
 
@@ -296,8 +296,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function markSelected() {
-		$ids = explode(",", $_REQUEST["ids"]);
-		$cmode = (int)$_REQUEST["cmode"];
+		$ids = explode(",", clean($_REQUEST["ids"]));
+		$cmode = (int)clean($_REQUEST["cmode"]);
 
 		$this->markArticlesById($ids, $cmode);
 
@@ -305,8 +305,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function publishSelected() {
-		$ids = explode(",", $_REQUEST["ids"]);
-		$cmode = (int)$_REQUEST["cmode"];
+		$ids = explode(",", clean($_REQUEST["ids"]));
+		$cmode = (int)clean($_REQUEST["cmode"]);
 
 		$this->publishArticlesById($ids, $cmode);
 
@@ -314,10 +314,10 @@ class RPC extends Handler_Protected {
 	}
 
 	function sanityCheck() {
-		$_SESSION["hasAudio"] = $_REQUEST["hasAudio"] === "true";
-		$_SESSION["hasSandbox"] = $_REQUEST["hasSandbox"] === "true";
-		$_SESSION["hasMp3"] = $_REQUEST["hasMp3"] === "true";
-		$_SESSION["clientTzOffset"] = $_REQUEST["clientTzOffset"];
+		$_SESSION["hasAudio"] = clean($_REQUEST["hasAudio"]) === "true";
+		$_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
+		$_SESSION["hasMp3"] = clean($_REQUEST["hasMp3"]) === "true";
+		$_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
 
 		$reply = array();
 
@@ -332,7 +332,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function completeLabels() {
-		$search = $_REQUEST["search"];
+		$search = clean($_REQUEST["search"]);
 
 		$sth = $this->pdo->prepare("SELECT DISTINCT caption FROM
 				ttrss_labels2
@@ -351,9 +351,9 @@ class RPC extends Handler_Protected {
 	function updateFeedBrowser() {
 		if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
 
-		$search = $_REQUEST["search"];
-		$limit = $_REQUEST["limit"];
-		$mode = (int) $_REQUEST["mode"];
+		$search = clean($_REQUEST["search"]);
+		$limit = clean($_REQUEST["limit"]);
+		$mode = (int) clean($_REQUEST["mode"]);
 
 		require_once "feedbrowser.php";
 
@@ -365,8 +365,8 @@ class RPC extends Handler_Protected {
 	// Silent
 	function massSubscribe() {
 
-		$payload = json_decode($_REQUEST["payload"], false);
-		$mode = $_REQUEST["mode"];
+		$payload = json_decode(clean($_REQUEST["payload"]), false);
+		$mode = clean($_REQUEST["mode"]);
 
 		if (!$payload || !is_array($payload)) return;
 
@@ -417,11 +417,11 @@ class RPC extends Handler_Protected {
 	}
 
 	function catchupFeed() {
-		$feed_id = $_REQUEST['feed_id'];
-		$is_cat = $_REQUEST['is_cat'] == "true";
-		$mode = $_REQUEST['mode'];
-		$search_query = $_REQUEST['search_query'];
-		$search_lang = $_REQUEST['search_lang'];
+		$feed_id = clean($_REQUEST['feed_id']);
+		$is_cat = clean($_REQUEST['is_cat']) == "true";
+		$mode = clean($_REQUEST['mode']);
+		$search_query = clean($_REQUEST['search_query']);
+		$search_lang = clean($_REQUEST['search_lang']);
 
 		Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]);
 
@@ -429,7 +429,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function setpanelmode() {
-		$wide = (int) $_REQUEST["wide"];
+		$wide = (int) clean($_REQUEST["wide"]);
 
 		setcookie("ttrss_widescreen", $wide,
 			time() + COOKIE_LIFETIME_LONG);
@@ -566,7 +566,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function getlinktitlebyid() {
-		$id = $_REQUEST['id'];
+		$id = clean($_REQUEST['id']);
 
 		$sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries
 			WHERE ref_id = ? AND ref_id = id AND owner_uid = ?");
@@ -583,10 +583,10 @@ class RPC extends Handler_Protected {
 	}
 
 	function log() {
-		$msg = $_REQUEST['msg'];
-		$file = basename($_REQUEST['file']);
-		$line = (int) $_REQUEST['line'];
-		$context = $_REQUEST['context'];
+		$msg = clean($_REQUEST['msg']);
+		$file = basename(clean($_REQUEST['file']));
+		$line = (int) clean($_REQUEST['line']);
+		$context = clean($_REQUEST['context']);
 
 		if ($msg) {
 			Logger::get()->log_error(E_USER_WARNING,

classes/rssutils.php

@@ -304,7 +304,7 @@ class RSSUtils {
 	 */
 	static function update_rss_feed($feed, $no_cache = false) {
 
-		$debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || $_REQUEST['xdebug'];
+		$debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || clean($_REQUEST['xdebug']);
 
 		_debug_suppress(!$debug_enabled);
 		_debug("start", $debug_enabled);
@@ -591,7 +591,7 @@ class RSSUtils {
 			foreach ($items as $item) {
 				$pdo->beginTransaction();
 
-				if ($_REQUEST['xdebug'] == 3) {
+				if (clean($_REQUEST['xdebug']) == 3) {
 					print_r($item);
 				}
 
@@ -640,7 +640,7 @@ class RSSUtils {
 				$entry_content = $item->get_content();
 				if (!$entry_content) $entry_content = $item->get_description();
 
-				if ($_REQUEST["xdebug"] == 2) {
+				if (clean($_REQUEST["xdebug"]) == 2) {
 					print "content: ";
 					print htmlspecialchars($entry_content);
 					print "\n";
@@ -749,7 +749,7 @@ class RSSUtils {
 					$entry_plugin_data .= mb_strtolower(get_class($plugin)) . ",";
 				}
 
-				if ($_REQUEST["xdebug"] == 2) {
+				if (clean($_REQUEST["xdebug"]) == 2) {
 					print "processed content: ";
 					print htmlspecialchars($article["content"]);
 					print "\n";

include/functions.php

@@ -725,6 +725,17 @@
 		}
 	}
 
+	// this is used for user http parameters unless HTML code is actually needed
+	function clean($param) {
+		if (is_array($param)) {
+			return array_map(strip_tags, $param);
+		} else if (is_string($param)) {
+			return strip_tags($param);
+		} else {
+			return $param;
+		}
+	}
+
 	function make_password($length = 8) {
 
 		$password = "";