banananetwork
/
tt-rss
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

remove db_unescape_string() hack

Browse Source
master
Andrew Dolgov 18 years ago
parent 83fe113a39
commit 474390311f
4 changed files with 26 additions and 32 deletions
Show Stats Download Patch File Download Diff File

18
functions.php
Unescape Escape View File

@ -386,8 +386,8 @@
$result = db_query($link, "SELECT update_interval,auth_login,auth_pass $result = db_query($link, "SELECT update_interval,auth_login,auth_pass
FROM ttrss_feeds WHERE id = '$feed'"); FROM ttrss_feeds WHERE id = '$feed'");
$auth_login = db_unescape_string(db_fetch_result($result, 0, "auth_login")); $auth_login = db_fetch_result($result, 0, "auth_login");
$auth_pass = db_unescape_string(db_fetch_result($result, 0, "auth_pass")); $auth_pass = db_fetch_result($result, 0, "auth_pass");
$update_interval = db_fetch_result($result, 0, "update_interval"); $update_interval = db_fetch_result($result, 0, "update_interval");
@ -2141,7 +2141,7 @@
$is_selected = ""; $is_selected = "";
} }
printf("<option $is_selected value='%d'>%s</option>", printf("<option $is_selected value='%d'>%s</option>",
$line["id"], htmlspecialchars(db_unescape_string($line["title"]))); $line["id"], htmlspecialchars($line["title"]));
} }
print "</select>"; print "</select>";
@ -2170,7 +2170,7 @@
$is_selected = ""; $is_selected = "";
} }
printf("<option $is_selected value='%d'>%s</option>", printf("<option $is_selected value='%d'>%s</option>",
$line["id"], htmlspecialchars(db_unescape_string($line["title"]))); $line["id"], htmlspecialchars($line["title"]));
} }
print "</select>"; print "</select>";
@ -2525,8 +2525,6 @@
$feed_title = "?"; $feed_title = "?";
} }
$feed_title = db_unescape_string($feed_title);
if ($feed < -10) error_reporting (0); if ($feed < -10) error_reporting (0);
if (preg_match("/^-?[0-9][0-9]*$/", $feed) != false) { if (preg_match("/^-?[0-9][0-9]*$/", $feed) != false) {
@ -2899,10 +2897,6 @@
} }
} }
function escape_for_form($s) {
return htmlspecialchars(db_unescape_string($s));
}
function make_guid_from_title($title) { function make_guid_from_title($title) {
return preg_replace("/[ \"\',.:;]/", "-", return preg_replace("/[ \"\',.:;]/", "-",
mb_strtolower(strip_tags($title), 'utf-8')); mb_strtolower(strip_tags($title), 'utf-8'));
@ -3121,7 +3115,7 @@
error_reporting (DEFAULT_ERROR_LEVEL); error_reporting (DEFAULT_ERROR_LEVEL);
printFeedEntry($label_id, printFeedEntry($label_id,
$class, db_unescape_string($line["description"]), $class, $line["description"],
$count, "images/label.png", $link); $count, "images/label.png", $link);
} }
@ -3182,7 +3176,7 @@
while ($line = db_fetch_assoc($result)) { while ($line = db_fetch_assoc($result)) {
$feed = trim(db_unescape_string($line["title"])); $feed = trim($line["title"]);
if (!$feed) $feed = "[Untitled]"; if (!$feed) $feed = "[Untitled]";

20
modules/pref-feeds.php
Unescape Escape View File

@ -101,7 +101,7 @@
$class = ($feedctr % 2) ? "even" : "odd"; $class = ($feedctr % 2) ? "even" : "odd";
print "<li class='$class' id=\"FBROW-".$details["id"]."\">$check_box". print "<li class='$class' id=\"FBROW-".$details["id"]."\">$check_box".
"$feed_icon " . db_unescape_string($details["title"]) . "$feed_icon " . $details["title"] .
"&nbsp;<span class='subscribers'>($subscribers)</span></li>"; "&nbsp;<span class='subscribers'>($subscribers)</span></li>";
++$feedctr; ++$feedctr;
@ -130,8 +130,8 @@
"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND "SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
owner_uid = " . $_SESSION["uid"]); owner_uid = " . $_SESSION["uid"]);
$title = htmlspecialchars(db_unescape_string(db_fetch_result($result, $title = htmlspecialchars(db_fetch_result($result,
0, "title"))); 0, "title"));
$icon_file = ICONS_DIR . "/$feed_id.ico"; $icon_file = ICONS_DIR . "/$feed_id.ico";
@ -159,8 +159,8 @@
name=\"title\" value=\"$title\"></td></tr>"; name=\"title\" value=\"$title\"></td></tr>";
$feed_url = db_fetch_result($result, 0, "feed_url"); $feed_url = db_fetch_result($result, 0, "feed_url");
$feed_url = htmlspecialchars(db_unescape_string(db_fetch_result($result, $feed_url = htmlspecialchars(db_fetch_result($result,
0, "feed_url"))); 0, "feed_url"));
print "<tr><td>".__('Feed URL:')."</td>"; print "<tr><td>".__('Feed URL:')."</td>";
print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\" print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\"
@ -259,13 +259,13 @@
print "</td>"; print "</td>";
$auth_login = escape_for_form(db_fetch_result($result, 0, "auth_login")); $auth_login = htmlspecialchars(db_fetch_result($result, 0, "auth_login"));
print "<tr><td>".__('Login:')."</td>"; print "<tr><td>".__('Login:')."</td>";
print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\" print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\"
name=\"auth_login\" value=\"$auth_login\"></td></tr>"; name=\"auth_login\" value=\"$auth_login\"></td></tr>";
$auth_pass = escape_for_form(db_fetch_result($result, 0, "auth_pass")); $auth_pass = htmlspecialchars(db_fetch_result($result, 0, "auth_pass"));
print "<tr><td>".__('Password:')."</td>"; print "<tr><td>".__('Password:')."</td>";
print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\" print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\"
@ -652,7 +652,7 @@
print "<tr class=\"$class\" $this_row_id>"; print "<tr class=\"$class\" $this_row_id>";
$edit_title = htmlspecialchars(db_unescape_string($line["title"])); $edit_title = htmlspecialchars($line["title"]);
if (!$edit_cat_id || $action != "edit") { if (!$edit_cat_id || $action != "edit") {
@ -880,8 +880,8 @@
$feed_id = $line["id"]; $feed_id = $line["id"];
$cat_id = $line["cat_id"]; $cat_id = $line["cat_id"];
$edit_title = htmlspecialchars(db_unescape_string($line["title"])); $edit_title = htmlspecialchars($line["title"]);
$edit_cat = htmlspecialchars(db_unescape_string($line["category"])); $edit_cat = htmlspecialchars($line["category"]);
$hidden = sql_bool_to_bool($line["hidden"]); $hidden = sql_bool_to_bool($line["hidden"]);

6
modules/pref-filters.php
Unescape Escape View File

@ -10,7 +10,7 @@
$result = db_query($link, $result = db_query($link,
"SELECT * FROM ttrss_filters WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]); "SELECT * FROM ttrss_filters WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
$reg_exp = htmlspecialchars(db_unescape_string(db_fetch_result($result, 0, "reg_exp"))); $reg_exp = htmlspecialchars(db_fetch_result($result, 0, "reg_exp"));
$filter_type = db_fetch_result($result, 0, "filter_type"); $filter_type = db_fetch_result($result, 0, "filter_type");
$feed_id = db_fetch_result($result, 0, "feed_id"); $feed_id = db_fetch_result($result, 0, "feed_id");
$action_id = db_fetch_result($result, 0, "action_id"); $action_id = db_fetch_result($result, 0, "action_id");
@ -285,11 +285,11 @@
print "<tr class=\"$class\" $this_row_id>"; print "<tr class=\"$class\" $this_row_id>";
$line["reg_exp"] = htmlspecialchars(db_unescape_string($line["reg_exp"])); $line["reg_exp"] = htmlspecialchars($line["reg_exp"]);
if (!$line["feed_title"]) $line["feed_title"] = __("All feeds"); if (!$line["feed_title"]) $line["feed_title"] = __("All feeds");
$line["feed_title"] = htmlspecialchars(db_unescape_string($line["feed_title"])); $line["feed_title"] = htmlspecialchars($line["feed_title"]);
print "<td align='center'><input onclick='toggleSelectPrefRow(this, \"filter\");' print "<td align='center'><input onclick='toggleSelectPrefRow(this, \"filter\");'
type=\"checkbox\" id=\"FICHK-".$line["id"]."\"></td>"; type=\"checkbox\" id=\"FICHK-".$line["id"]."\"></td>";

14
modules/pref-labels.php
Unescape Escape View File

@ -21,8 +21,8 @@
$line = db_fetch_assoc($result); $line = db_fetch_assoc($result);
$sql_exp = htmlspecialchars(db_unescape_string($line["sql_exp"])); $sql_exp = htmlspecialchars($line["sql_exp"]);
$description = htmlspecialchars(db_unescape_string($line["description"])); $description = htmlspecialchars($line["description"]);
print "<div id=\"infoBoxTitle\">Label editor</div>"; print "<div id=\"infoBoxTitle\">Label editor</div>";
print "<div class=\"infoBoxContents\">"; print "<div class=\"infoBoxContents\">";
@ -78,8 +78,9 @@
if ($subop == "test") { if ($subop == "test") {
$expr = db_unescape_string(trim($_GET["expr"])); // no escaping here on purpose
$descr = db_unescape_string(trim($_GET["descr"])); $expr = trim($_GET["expr"]);
$descr = db_escape_string(trim($_GET["descr"]));
if (!$expr) { if (!$expr) {
print "<div>Error: SQL expression is blank.</div>"; print "<div>Error: SQL expression is blank.</div>";
@ -260,9 +261,8 @@
print "<tr class=\"$class\" $this_row_id>"; print "<tr class=\"$class\" $this_row_id>";
$line["sql_exp"] = htmlspecialchars(db_unescape_string($line["sql_exp"])); $line["sql_exp"] = htmlspecialchars($line["sql_exp"]);
$line["description"] = htmlspecialchars( $line["description"] = htmlspecialchars($line["description"]);
db_unescape_string($line["description"]));
if (!$line["description"]) $line["description"] = "[No caption]"; if (!$line["description"]) $line["description"] = "[No caption]";

Write Preview
Loading…
Cancel
Save