[fix] content is now cleaned by HTML purifier from prevent XSS attack

2025-08-01 17:38:38 +00:00 · 2014-02-21 15:44:13 +01:00 · 2014-02-21 15:44:13 +01:00 · 1570a65381
commit 1570a65381
parent d4949327ef
2 changed files with 8 additions and 0 deletions
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@ -427,6 +427,12 @@ class Poche
                $title = ($content['rss']['channel']['item']['title'] != '') ? $content['rss']['channel']['item']['title'] : _('Untitled');
                $body = $content['rss']['channel']['item']['description'];

+                // clean content from prevent xss attack
+                $config = HTMLPurifier_Config::createDefault();
+                $purifier = new HTMLPurifier($config);
+                $title = $purifier->purify($title);
+                $body = $purifier->purify($body);
+
                //search for possible duplicate if not in import mode
                if (!$import) {
                    $duplicate = $this->store->retrieveOneByURL($url->getUrl(), $this->user->getId());