mirror of
https://github.com/moparisthebest/wallabag
synced 2024-11-23 17:42:15 -05:00
[fix] content is now cleaned by HTML purifier from prevent XSS attack
This commit is contained in:
parent
d4949327ef
commit
1570a65381
@ -427,6 +427,12 @@ class Poche
|
|||||||
$title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
|
$title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
|
||||||
$body = $content['rss']['channel']['item']['description'];
|
$body = $content['rss']['channel']['item']['description'];
|
||||||
|
|
||||||
|
// clean content from prevent xss attack
|
||||||
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
|
$purifier = new HTMLPurifier($config);
|
||||||
|
$title = $purifier->purify($title);
|
||||||
|
$body = $purifier->purify($body);
|
||||||
|
|
||||||
//search for possible duplicate if not in import mode
|
//search for possible duplicate if not in import mode
|
||||||
if (!$import) {
|
if (!$import) {
|
||||||
$duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());
|
$duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());
|
||||||
|
@ -29,6 +29,8 @@ require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedItem.php';
|
|||||||
require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedWriter.php';
|
require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedWriter.php';
|
||||||
require_once INCLUDES . '/3rdparty/FlattrItem.class.php';
|
require_once INCLUDES . '/3rdparty/FlattrItem.class.php';
|
||||||
|
|
||||||
|
require_once INCLUDES . '/3rdparty/htmlpurifier/HTMLPurifier.auto.php';
|
||||||
|
|
||||||
# Composer its autoloader for automatically loading Twig
|
# Composer its autoloader for automatically loading Twig
|
||||||
if (! file_exists(ROOT . '/vendor/autoload.php')) {
|
if (! file_exists(ROOT . '/vendor/autoload.php')) {
|
||||||
Poche::$canRenderTemplates = false;
|
Poche::$canRenderTemplates = false;
|
||||||
|
Loading…
Reference in New Issue
Block a user