filters: do not strip_tags() on regexps

Andrew Dolgov 2015-12-03 10:17:32 +03:00
parent 01bf7f8887
commit 154f14d01b
1 changed files with 3 additions and 3 deletions


@ -232,7 +232,7 @@ class Pref_Filters extends Handler_Protected {
$inverse = sql_bool_to_bool($line["inverse"]) ? "inverse" : ""; $inverse = sql_bool_to_bool($line["inverse"]) ? "inverse" : "";
$rv .= "<span class='$inverse'>" . T_sprintf("%s on %s in %s %s", $rv .= "<span class='$inverse'>" . T_sprintf("%s on %s in %s %s",
strip_tags($line["reg_exp"]), htmlspecialchars($line["reg_exp"]),
$line["field"], $line["field"],
$where, $where,
sql_bool_to_bool($line["inverse"]) ? __("(inverse)") : "") . "</span>"; sql_bool_to_bool($line["inverse"]) ? __("(inverse)") : "") . "</span>";
@ -513,7 +513,7 @@ class Pref_Filters extends Handler_Protected {
$inverse = isset($rule["inverse"]) ? "inverse" : ""; $inverse = isset($rule["inverse"]) ? "inverse" : "";
return "<span class='filterRule $inverse'>" . return "<span class='filterRule $inverse'>" .
T_sprintf("%s on %s in %s %s", strip_tags($rule["reg_exp"]), T_sprintf("%s on %s in %s %s", htmlspecialchars($rule["reg_exp"]),
$filter_type, $feed, isset($rule["inverse"]) ? __("(inverse)") : "") . "</span>"; $filter_type, $feed, isset($rule["inverse"]) ? __("(inverse)") : "") . "</span>";
} }
@ -618,7 +618,7 @@ class Pref_Filters extends Handler_Protected {
foreach ($rules as $rule) { foreach ($rules as $rule) {
if ($rule) { if ($rule) {
$reg_exp = strip_tags($this->dbh->escape_string(trim($rule["reg_exp"]))); $reg_exp = $this->dbh->escape_string(trim($rule["reg_exp"]), false);
$inverse = isset($rule["inverse"]) ? "true" : "false"; $inverse = isset($rule["inverse"]) ? "true" : "false";
$filter_type = (int) $this->dbh->escape_string(trim($rule["filter_type"])); $filter_type = (int) $this->dbh->escape_string(trim($rule["filter_type"]));
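Review bot: With tag stripping dropped from the stored value in the third hunk (`escape_string(trim($rule["reg_exp"]), false)`), the regexp is now persisted as typed, so every place that renders it has to encode it for its output context; this commit covers only the two `T_sprintf` calls shown here. Any other sink for `reg_exp` (form field values, attributes, JSON embedded in markup) lies outside these hunks and should be checked before relying on this change. At the two call sites I would pin the flags and charset rather than depend on PHP defaults, `htmlspecialchars($rule["reg_exp"], ENT_QUOTES, 'UTF-8')`, since the default flags of PHP versions current at this commit leave single quotes unescaped and the surrounding markup uses single-quoted attributes. The sibling arguments `$line["field"]`, `$where`, `$filter_type` and `$feed` are interpolated into the same span without encoding; their origin is not visible here, so confirm none can carry feed- or user-supplied text. The meaning of the second argument `false` is inferred from the commit title, as the `escape_string` signature is not on this page.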