
[fix] content is now cleaned by HTML Purifier to prevent XSS attacks

This commit is contained in:
Nicolas Lœuillet 2014-02-21 15:44:13 +01:00
parent d4949327ef
commit 1570a65381
2 changed files with 8 additions and 0 deletions


@ -427,6 +427,12 @@ class Poche
$title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled'); $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
$body = $content['rss']['channel']['item']['description']; $body = $content['rss']['channel']['item']['description'];
// clean content from prevent xss attack
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$title = $purifier->purify($title);
$body = $purifier->purify($body);
//search for possible duplicate if not in import mode //search for possible duplicate if not in import mode
if (!$import) { if (!$import) {
$duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId()); $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());
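Review bot: The purifier at lines 19–20 is rebuilt with `HTMLPurifier_Config::createDefault()` on every call, and that default leaves `Cache.SerializerPath` unset, so HTML Purifier writes its definition cache under its own library directory and emits warnings when that path is not writable in deployment. Building the config once (a private helper or property) with `$config->set('Cache.SerializerPath', '<WRITABLE_CACHE_DIR>');` avoids both the repeated setup cost and the warning. Note also that purifying `$title` keeps whatever inline markup the default whitelist allows, so the title remains HTML rather than plain text — presumably it is escaped again at render time, which should be confirmed. The enclosing method starts and ends outside the hunk.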


@ -29,6 +29,8 @@ require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedItem.php';
require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedWriter.php'; require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedWriter.php';
require_once INCLUDES . '/3rdparty/FlattrItem.class.php'; require_once INCLUDES . '/3rdparty/FlattrItem.class.php';
require_once INCLUDES . '/3rdparty/htmlpurifier/HTMLPurifier.auto.php';
# Composer its autoloader for automatically loading Twig # Composer its autoloader for automatically loading Twig
if (! file_exists(ROOT . '/vendor/autoload.php')) { if (! file_exists(ROOT . '/vendor/autoload.php')) {
Poche::$canRenderTemplates = false; Poche::$canRenderTemplates = false;