properly escape comment links

Andrew Dolgov 2012-10-22 01:22:44 +04:00
parent 5c56897349
commit 6e577ba157
2 changed files with 6 additions and 6 deletions


@ -633,14 +633,14 @@ class Feeds extends Handler_Protected {
if ($num_comments > 0) { if ($num_comments > 0) {
if ($line["comments"]) { if ($line["comments"]) {
$comments_url = $line["comments"]; $comments_url = htmlspecialchars($line["comments"]);
} else { } else {
$comments_url = $line["link"]; $comments_url = htmlspecialchars($line["link"]);
} }
$entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>"; $entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
} else { } else {
if ($line["comments"] && $line["link"] != $line["comments"]) { if ($line["comments"] && $line["link"] != $line["comments"]) {
$entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>"; $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
} }
} }
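Review bot: htmlspecialchars() on `$line["comments"]` and `$line["link"]` keeps the value from breaking out of the double-quoted `href`, but it does not restrict the URL scheme, so a `javascript:` or `data:` value would still be rendered as a clickable link in both branches of this hunk and in the identical hunk at -3352 in the second file. Assuming these fields are filled from feed content (not visible here), build the anchor only when the raw value passes a scheme check such as `if (preg_match('#^https?://#i', $line["comments"]))`, and leave `$entry_comments` empty otherwise. The enclosing method of class Feeds starts and ends outside the hunk, so whether the URL is validated earlier cannot be confirmed from here.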


@ -3352,14 +3352,14 @@
if ($num_comments > 0) { if ($num_comments > 0) {
if ($line["comments"]) { if ($line["comments"]) {
$comments_url = $line["comments"]; $comments_url = htmlspecialchars($line["comments"]);
} else { } else {
$comments_url = $line["link"]; $comments_url = htmlspecialchars($line["link"]);
} }
$entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>"; $entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
} else { } else {
if ($line["comments"] && $line["link"] != $line["comments"]) { if ($line["comments"] && $line["link"] != $line["comments"]) {
$entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>"; $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
} }
} }
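Review bot: The block in this hunk is line-for-line the same as the one in the Feeds class hunk of the first file, which is why the escaping had to be added in two places. A shared helper that takes `$line` and `$num_comments` and returns `$entry_comments` would keep a later output-encoding fix from landing in one copy only. The anchors also use `target='_blank'` with no `rel`, so adding `rel='noopener noreferrer'` in that helper would stop the opened page from reaching back through `window.opener`. The enclosing function is not visible in this hunk.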