author | Nicolas LÅ“uillet <nicolas.loeuillet@gmail.com> | 2014-02-21 15:44:13 +0100 |
committer | Nicolas LÅ“uillet <nicolas.loeuillet@gmail.com> | 2014-02-21 15:44:13 +0100 |
commit | 1570a65381372fca86f5a16f1ec94d59af4babfa (patch) | |
tree | 6b9c5191eefdf1e6853dda61aa7098f0799a73fb /inc/poche/Poche.class.php | |
parent | d4949327efa15b492cab1bef3fe074290a328a17 (diff) | |
download | wallabag-1570a65381372fca86f5a16f1ec94d59af4babfa.tar.gz wallabag-1570a65381372fca86f5a16f1ec94d59af4babfa.tar.zst wallabag-1570a65381372fca86f5a16f1ec94d59af4babfa.zip |
[fix] content is now cleaned by HTML Purifier to prevent XSS attacks
Diffstat (limited to 'inc/poche/Poche.class.php')
-rwxr-xr-x | inc/poche/Poche.class.php | 6 |
1 files changed, 6 insertions, 0 deletions
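--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -427,6 +427,12 @@ class Poche
 $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
 $body = $content['rss']['channel']['item']['description'];
 
+// clean content from prevent xss attack
+$config = HTMLPurifier_Config::createDefault();
+$purifier = new HTMLPurifier($config);
+$title = $purifier->purify($title);
+$body = $purifier->purify($body);
+
 //search for possible duplicate if not in import mode
 if (!$import) {
 $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());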
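Review bot: `HTMLPurifier_Config::createDefault()` is used without setting `Cache.SerializerPath`, so by default HTMLPurifier tries to write its serialized definition cache inside its own library directory; on a read-only or shared install that produces warnings and the definitions are rebuilt on every call, which is the expensive part of purification. Point the cache at a writable location, `$config->set('Cache.SerializerPath', <writable cache dir>);` (placeholder path), or disable it explicitly with `$config->set('Cache.DefinitionImpl', null);` if no such directory exists. Constructing a fresh `HTMLPurifier` on every fetch is also comparatively heavy, so consider holding one configured instance on the object and reusing it for both `$title` and `$body`. Since `purify()` returns HTML, the purified `$title` may now carry entities such as `&amp;`; check that templates rendering the title do not escape it a second time. The enclosing method starts and ends outside the hunk.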