[fix] content is now cleaned by HTML purifier from prevent XSS attack

inc/poche/Poche.class.php

@@ -427,6 +427,12 @@ class Poche
                 $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
                 $body = $content['rss']['channel']['item']['description'];
 
+                // clean content from prevent xss attack
+                $config = HTMLPurifier_Config::createDefault();
+                $purifier = new HTMLPurifier($config);
+                $title = $purifier->purify($title);
+                $body = $purifier->purify($body);
+
                 //search for possible duplicate if not in import mode
                 if (!$import) {
                     $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());

inc/poche/global.inc.php

@@ -29,6 +29,8 @@ require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedItem.php';
 require_once INCLUDES . '/3rdparty/libraries/feedwriter/FeedWriter.php';
 require_once INCLUDES . '/3rdparty/FlattrItem.class.php';
 
+require_once INCLUDES . '/3rdparty/htmlpurifier/HTMLPurifier.auto.php';
+
 # Composer its autoloader for automatically loading Twig
 if (! file_exists(ROOT . '/vendor/autoload.php')) {
     Poche::$canRenderTemplates = false;