From 1570a65381372fca86f5a16f1ec94d59af4babfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Fri, 21 Feb 2014 15:44:13 +0100 Subject: [fix] content is now cleaned by HTML purifier from prevent XSS attack --- inc/poche/Poche.class.php | 6 ++++++ inc/poche/global.inc.php | 2 ++ 2 files changed, 8 insertions(+) (limited to 'inc/poche') diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index e852c7e9..34f2ff5a 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php @@ -427,6 +427,12 @@ class Poche $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled'); $body = $content['rss']['channel']['item']['description']; + // clean content from prevent xss attack + $config = HTMLPurifier_Config::createDefault(); + $purifier = new HTMLPurifier($config); + $title = $purifier->purify($title); + $body = $purifier->purify($body); + //search for possible duplicate if not in import mode if (!$import) { $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId()); diff --git a/inc/poche/global.inc.php b/inc/poche/global.inc.php index e2beade1..d22b0588 100644 --- a/inc/poche/global.inc.php +++ b/inc/poche/global.inc.php @@ -29,6 +29,8 @@ require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedItem.php'; require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedWriter.php'; require_once INCLUDES . '/3rdparty/FlattrItem.class.php'; +require_once INCLUDES . '/3rdparty/htmlpurifier/HTMLPurifier.auto.php'; + # Composer its autoloader for automatically loading Twig if (! file_exists(ROOT . '/vendor/autoload.php')) { Poche::$canRenderTemplates = false; -- cgit v1.2.3