blallo/tt-rss
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

prevent absolutely useless 'exploit' (not really) while editing filters (closes #572)

Browse source
This commit is contained in:
Andrew Dolgov 2013-03-17 14:55:55 +04:00
parent 26e2b18433
commit f01c8ec4f1
2 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
classes/pref/filters.php
View file

@ -372,7 +372,7 @@ class Pref_Filters extends Handler_Protected {
WHERE id = ".(int)$rule["filter_type"]);
$match_on = db_fetch_result($result, 0, "description");
return T_sprintf("%s on %s in %s", $rule["reg_exp"], $match_on, $feed);
return T_sprintf("%s on %s in %s", strip_tags($rule["reg_exp"]), $match_on, $feed);
}
function printRuleName() {

2
js/functions.js
View file

@ -964,6 +964,8 @@ function createNewRuleElement(parentNode, replaceNode) {
try {
var form = document.forms["filter_new_rule_form"];
form.reg_exp.value = form.reg_exp.value.replace(/(<([^>]+)>)/ig,"");
var query = "backend.php?op=pref-filters&method=printrulename&rule="+
param_escape(dojo.formToJson(form));