
Merge pull request #1335 from Alkarex/guid-ascii-bug

guid and urls should not contain low/high characters
Alexandre Alapetite 9 лет назад
Родитель
Сommit
9ffd56ea68

+ 1 - 1
app/Controllers/feedController.php

@@ -314,7 +314,7 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
 			if (count($entries) > 0) {
 				$newGuids = array();
 				foreach ($entries as $entry) {
-					$newGuids[] = $entry->guid();
+					$newGuids[] = safe_ascii($entry->guid());
 				}
 				// For this feed, check existing GUIDs already in database.
 				$existingHashForGuids = $entryDAO->listHashForFeedGuids($feed->id(), $newGuids);
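Review bot: The lookup key built on the new line, `safe_ascii($entry->guid())`, is not the key that addEntry stores: EntryDAO applies `substr(..., 0, 760)` before `safe_ascii`, so a GUID longer than 760 bytes is queried under a different string than it was inserted with (the truncation predates this change, but the normalisation now lives in three places — here, importExportController, and the DAO). A single helper that both the insert and the lookup call, for instance a proposed `FreshRSS_EntryDAO::normalizeGuid($guid)` wrapping `safe_ascii(substr($guid, 0, 760))`, would keep the two from drifting apart; the same applies to the importExportController hunk. The enclosing method of this hunk starts before the hunk.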

+ 1 - 1
app/Controllers/importExportController.php

@@ -362,7 +362,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {
 
 		$newGuids = array();
 		foreach ($article_object['items'] as $item) {
-			$newGuids[] = $item['id'];
+			$newGuids[] = safe_ascii($item['id']);
 		}
 		// For this feed, check existing GUIDs already in database.
 		$existingHashForGuids = $this->entryDAO->listHashForFeedGuids($feed->id(), $newGuids);

+ 4 - 0
app/Models/EntryDAO.php

@@ -123,6 +123,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 		}
 		$this->addEntryPrepared->bindParam(':id', $valuesTmp['id']);
 		$valuesTmp['guid'] = substr($valuesTmp['guid'], 0, 760);
+		$valuesTmp['guid'] = safe_ascii($valuesTmp['guid']);
 		$this->addEntryPrepared->bindParam(':guid', $valuesTmp['guid']);
 		$valuesTmp['title'] = substr($valuesTmp['title'], 0, 255);
 		$this->addEntryPrepared->bindParam(':title', $valuesTmp['title']);
@@ -130,6 +131,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 		$this->addEntryPrepared->bindParam(':author', $valuesTmp['author']);
 		$this->addEntryPrepared->bindParam(':content', $valuesTmp['content']);
 		$valuesTmp['link'] = substr($valuesTmp['link'], 0, 1023);
+		$valuesTmp['link'] = safe_ascii($valuesTmp['link']);
 		$this->addEntryPrepared->bindParam(':link', $valuesTmp['link']);
 		$this->addEntryPrepared->bindParam(':date', $valuesTmp['date'], PDO::PARAM_INT);
 		$valuesTmp['lastSeen'] = time();
@@ -190,6 +192,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 		$this->updateEntryPrepared->bindParam(':author', $valuesTmp['author']);
 		$this->updateEntryPrepared->bindParam(':content', $valuesTmp['content']);
 		$valuesTmp['link'] = substr($valuesTmp['link'], 0, 1023);
+		$valuesTmp['link'] = safe_ascii($valuesTmp['link']);
 		$this->updateEntryPrepared->bindParam(':link', $valuesTmp['link']);
 		$this->updateEntryPrepared->bindParam(':date', $valuesTmp['date'], PDO::PARAM_INT);
 		$valuesTmp['lastSeen'] = time();
@@ -689,6 +692,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 		if (count($guids) < 1) {
 			return array();
 		}
+		$guids = array_unique($guids);
 		$sql = 'SELECT guid, ' . $this->sqlHexEncode('hash') . ' AS hex_hash FROM `' . $this->prefix . 'entry` WHERE id_feed=? AND guid IN (' . str_repeat('?,', count($guids) - 1). '?)';
 		$stm = $this->bd->prepare($sql);
 		$values = array($id_feed);
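Review bot: `array_unique($guids)` preserves the original keys, so after deduplication the array may have gaps; the placeholder count on the next line uses `count($guids)` and stays consistent, but if the values are later bound by numeric index rather than `foreach` (that part of listHashForFeedGuids lies past the hunk), the gaps would leave placeholders unbound. `$guids = array_values(array_unique($guids));` removes that dependency on how the loop is written. Note also that addEntry now truncates before stripping (`substr` then `safe_ascii`), while the FeedDAO hunk strips before truncating; either order yields ASCII, but the two DAOs should agree so that column-length limits mean the same thing in both.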

+ 10 - 0
app/Models/FeedDAO.php

@@ -5,6 +5,9 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 		$sql = 'INSERT INTO `' . $this->prefix . 'feed` (url, category, name, website, description, `lastUpdate`, priority, `httpAuth`, error, keep_history, ttl) VALUES(?, ?, ?, ?, ?, ?, 10, ?, 0, -2, -2)';
 		$stm = $this->bd->prepare($sql);
 
+		$valuesTmp['url'] = safe_ascii($valuesTmp['url']);
+		$valuesTmp['website'] = safe_ascii($valuesTmp['website']);
+
 		$values = array(
 			substr($valuesTmp['url'], 0, 511),
 			$valuesTmp['category'],
@@ -55,6 +58,13 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 	}
 
 	public function updateFeed($id, $valuesTmp) {
+		if (isset($valuesTmp['url'])) {
+			$valuesTmp['url'] = safe_ascii($valuesTmp['url']);
+		}
+		if (isset($valuesTmp['website'])) {
+			$valuesTmp['website'] = safe_ascii($valuesTmp['website']);
+		}
+
 		$set = '';
 		foreach ($valuesTmp as $key => $v) {
 			$set .= $key . '=?, ';
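Review bot: In addFeed the URL is stripped first and truncated afterwards (`safe_ascii` on the new line, `substr(..., 0, 511)` a few lines below), the reverse of what the EntryDAO hunk does for `guid` and `link`; strip-then-truncate is the more predictable order, because truncating first can cut a multi-byte UTF-8 sequence and then drop its remainder, yielding a value shorter than the column allows, so I would align EntryDAO with this file rather than the other way round. In updateFeed the new `isset` guards are correct, but no length limit is visible for `url` or `website` in this hunk; if none exists past it, `substr(safe_ascii($valuesTmp['url']), 0, 511)` would match addFeed. The function containing the first hunk starts before it.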

+ 3 - 0
lib/lib_rss.php

@@ -83,6 +83,9 @@ function checkUrl($url) {
 	}
 }
 
+function safe_ascii($text) {
+	return filter_var($text, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+}
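Review bot: `FILTER_FLAG_STRIP_HIGH` deletes every byte above 0x7F instead of encoding it, so a GUID or URL containing UTF-8 text (an IRI path, a non-Latin identifier) is silently rewritten, and two GUIDs that differ only in their non-ASCII characters collapse to the same stored key, so the second entry is treated as a duplicate of the first; for `link`, `url` and `website` at the DAO call sites the stripped URL may no longer resolve at all. If the requirement is an ASCII-only value, percent-encoding is lossless and still meets it: `return preg_replace_callback('/[^\x20-\x7E]/', function ($m) { return rawurlencode($m[0]); }, (string) $text);`. Note also that `filter_var` returns `false` rather than a string when handed an array (importExportController passes `$item['id']` straight from the decoded import), so a malformed import would presumably end up bound as an empty GUID rather than rejected. A docblock should state the contract, e.g. "Reduce $text to printable ASCII for storage as a guid/url key; non-scalar input yields false", so that callers know a transformation, not just a check, is applied.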
 
 /**
  * Test if a given server address is publicly accessible.