disable html objects in article content, breaks layout

backend.php

@@ -650,6 +650,8 @@
 				$line["content"] = preg_replace("/href=/i", "target=\"_new\" href=", $line["content"]);
 			}
 
+			$line["content"] = sanitize_rss($line["content"]);
+
 			print $line["content"] . "</div>";
 			
 			print "</div>";
@@ -1335,13 +1337,13 @@
 			
 			print "</td>";
 
-			$auth_login = db_fetch_result($result, 0, "auth_login");
+			$auth_login = escape_for_form(db_fetch_result($result, 0, "auth_login"));
 
 			print "<tr><td>Login:</td>";
 			print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event)\"
 				name=\"auth_login\" value=\"$auth_login\"></td></tr>";
 
-			$auth_pass = db_fetch_result($result, 0, "auth_pass");
+			$auth_pass = escape_for_form(db_fetch_result($result, 0, "auth_pass"));
 
 			print "<tr><td>Password:</td>";
 			print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\" 

functions.php

@@ -2449,6 +2449,13 @@
 		$res = preg_replace('/<\/script>/i', 
 			"</p>", $res);
 
+		$res = preg_replace('/<object.*?>.*?<\/object>/i', 
+			"<p class=\"objectWarn\">(Disabled html object 
+			- flash or other embedded content)</p>", $str);
+
+		$res = preg_replace('/<\/object>/i', 
+			"</p>", $res);
+
 		return $res;
 	}
 
@@ -2637,4 +2644,8 @@
 		}
 	}
 
+	function escape_for_form($s) {
+		return htmlspecialchars(db_unescape_string($s));
+	}
+
 ?>

tt-rss.css

@@ -1172,6 +1172,12 @@ span.debugTS {
 	font-weight : bold;
 }
 
+.objectWarn {
+	color : gray;
+	padding : 3px;
+	font-style: italic;
+}
+
 table.loginForm2 {
 	padding : 1em;
 }