aboutsummaryrefslogtreecommitdiffhomepage
path: root/inc/poche/Poche.class.php
diff options
context:
space:
mode:
authorNicolas LÅ“uillet <nicolas.loeuillet@gmail.com>2014-02-21 15:44:13 +0100
committerNicolas LÅ“uillet <nicolas.loeuillet@gmail.com>2014-02-21 15:44:13 +0100
commit1570a65381372fca86f5a16f1ec94d59af4babfa (patch)
tree6b9c5191eefdf1e6853dda61aa7098f0799a73fb /inc/poche/Poche.class.php
parentd4949327efa15b492cab1bef3fe074290a328a17 (diff)
downloadwallabag-1570a65381372fca86f5a16f1ec94d59af4babfa.tar.gz
wallabag-1570a65381372fca86f5a16f1ec94d59af4babfa.tar.zst
wallabag-1570a65381372fca86f5a16f1ec94d59af4babfa.zip
[fix] content is now cleaned by HTML purifier from prevent XSS attack
Diffstat (limited to 'inc/poche/Poche.class.php')
-rwxr-xr-xinc/poche/Poche.class.php6
1 files changed, 6 insertions, 0 deletions
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index e852c7e9..34f2ff5a 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -427,6 +427,12 @@ class Poche
427 $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled'); 427 $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
428 $body = $content['rss']['channel']['item']['description']; 428 $body = $content['rss']['channel']['item']['description'];
429 429
430 // clean content from prevent xss attack
431 $config = HTMLPurifier_Config::createDefault();
432 $purifier = new HTMLPurifier($config);
433 $title = $purifier->purify($title);
434 $body = $purifier->purify($body);
435
430 //search for possible duplicate if not in import mode 436 //search for possible duplicate if not in import mode
431 if (!$import) { 437 if (!$import) {
432 $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId()); 438 $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());