API:

- sharedToPublished: add optional sanitize parameter (defaults to true) if disabled, allows inserting HTML into shared article content; - clean() already invokes strip_tags() so it's pointless to do both;
2023-03-05 08:07:55 +03:00 · 2023-03-05 08:07:55 +03:00 · d210ae50ad
parent b7a6c948d0
commit d210ae50ad
1 changed files with 9 additions and 4 deletions
--- a/classes/api.php
+++ b/classes/api.php
@ -1,7 +1,7 @@
 <?php
 class API extends Handler {

-	const API_LEVEL  = 19;
+	const API_LEVEL  = 20;

 	const STATUS_OK  = 0;
 	const STATUS_ERR = 1;
@ -504,9 +504,14 @@ class API extends Handler {
 	}

 	function shareToPublished(): bool {
-		$title = strip_tags(clean($_REQUEST["title"]));
-		$url = strip_tags(clean($_REQUEST["url"]));
-		$content = strip_tags(clean($_REQUEST["content"]));
+		$title = clean($_REQUEST["title"]);
+		$url = clean($_REQUEST["url"]);
+		$sanitize_content = self::_param_to_bool($_REQUEST["sanitize"] ?? true);
+
+		if ($sanitize_content)
+			$content = clean($_REQUEST["content"]);
+		else
+			$content = $_REQUEST["content"];

 		if (Article::_create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
 			return $this->_wrap(self::STATUS_OK, array("status" => 'OK'));