api: sanitize article content

This commit is contained in:
Andrew Dolgov 2012-10-29 16:01:41 +04:00
parent b3682750bb
commit db9e00e339
2 changed files with 10 additions and 3 deletions


@ -187,6 +187,7 @@ class API extends Handler {
$include_attachments = (bool)db_escape_string($_REQUEST["include_attachments"]); $include_attachments = (bool)db_escape_string($_REQUEST["include_attachments"]);
$since_id = (int)db_escape_string($_REQUEST["since_id"]); $since_id = (int)db_escape_string($_REQUEST["since_id"]);
$include_nested = (bool)db_escape_string($_REQUEST["include_nested"]); $include_nested = (bool)db_escape_string($_REQUEST["include_nested"]);
$sanitize_content = true;
/* do not rely on params below */ /* do not rely on params below */
@ -197,7 +198,7 @@ class API extends Handler {
$headlines = api_get_headlines($this->link, $feed_id, $limit, $offset, $headlines = api_get_headlines($this->link, $feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, false, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, false,
$include_attachments, $since_id, $search, $search_mode, $match_on, $include_attachments, $since_id, $search, $search_mode, $match_on,
$include_nested); $include_nested, $sanitize_content);
print $this->wrap(self::STATUS_OK, $headlines); print $this->wrap(self::STATUS_OK, $headlines);
} else { } else {
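Review bot: `$sanitize_content = true;` is inserted in the run of `$_REQUEST`-derived assignments but is the only value there that is not taken from the request, and nothing marks that as deliberate, so a later reader may "complete the pattern" and expose it as a client-settable flag. A one-line comment would pin the intent in place, e.g. `$sanitize_content = true; // deliberately not a request parameter: this endpoint always sanitizes article content` — presumably the reason it is constant, since the commit message does not say. The call in the second hunk passes it as the trailing positional argument, which is fine, but the same comment is worth having there because the callee's default is also `true` and the explicit argument otherwise looks redundant. The enclosing method of `class API` starts and ends outside these hunks.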


@ -4585,7 +4585,8 @@
function api_get_headlines($link, $feed_id, $limit, $offset, function api_get_headlines($link, $feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, $order, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $order,
$include_attachments, $since_id, $include_attachments, $since_id,
$search = "", $search_mode = "", $match_on = "", $include_nested = false) { $search = "", $search_mode = "", $match_on = "",
$include_nested = false, $sanitize_content = true) {
$qfh_ret = queryFeedHeadlines($link, $feed_id, $limit, $qfh_ret = queryFeedHeadlines($link, $feed_id, $limit,
$view_mode, $is_cat, $search, $search_mode, $match_on, $view_mode, $is_cat, $search, $search_mode, $match_on,
@ -4629,8 +4630,13 @@
} }
if ($show_content) { if ($show_content) {
if ($sanitize_content) {
$headline_row["content"] = sanitize($link,
$line["content_preview"], false, false, $line["site_url"]);
} else {
$headline_row["content"] = $line["content_preview"]; $headline_row["content"] = $line["content_preview"];
} }
}
// unify label output to ease parsing // unify label output to ease parsing
if ($labels["no-labels"] == 1) $labels = array(); if ($labels["no-labels"] == 1) $labels = array();