authorBernhard Posselt <nukeawhale@gmail.com>2013-08-06 13:41:40 +0200
committerBernhard Posselt <nukeawhale@gmail.com>2013-08-06 13:41:40 +0200
commit582dba7e944850d39316a15ef9e3297577fb936f (patch)
tree0d5a4dcd27202295327e49dd3ac17cf24dd423ba
parent7f7dc6d86cbbaf251fb7c2dc3a46c94028d79eb6 (diff)
strip all html tags from author and title, fix #287
-rw-r--r--CHANGELOG1
-rw-r--r--db/item.php13
-rw-r--r--templates/part.items.php4
-rw-r--r--tests/unit/db/ItemTest.php17
4 files changed, 32 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 6e1785a09..c9d2a5dca 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ owncloud-news (1.203)
* Add an API to make ownCloud cron updates optionally. This can be used to write an update script which can be threaded to dramatically speed up fetching of feeds and reduce the used memory to run the update
* Add a Python update script which threads the updates
* Make it possible to turn off cron updates
+* Strip all HTML tags from the author and title
ownCloud-news (1.202)
* Fixed a bug in the API routes that would request an uneeded id when creating a feed
diff --git a/db/item.php b/db/item.php
index 6a627d8ff..332fd630e 100644
--- a/db/item.php
+++ b/db/item.php
@@ -74,7 +74,7 @@ class Item extends Entity implements IAPI {
$this->markFieldUpdated('status');
$this->status |= StatusFlag::STARRED;
}
-
+
public function isStarred() {
return ($this->status & StatusFlag::STARRED) === StatusFlag::STARRED;
}
@@ -108,5 +108,16 @@ class Item extends Entity implements IAPI {
);
}
+
+ public function setAuthor($name) {
+ parent::setAuthor(strip_tags($name));
+ }
+
+
+ public function setTitle($title) {
+ parent::setTitle(strip_tags($title));
+ }
+
+
}
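Review bot: `strip_tags()` in the new setAuthor/setTitle is a lossy text transform rather than a sanitizer: it also swallows legitimate `<` sequences such as `x <y` (everything from `<y` to the end is dropped when no `>` follows) and leaves entity-encoded markup like `&lt;b&gt;` untouched, so the view still has to escape these values on output. That contract deserves a docblock on both methods, e.g. `/** Tags are stripped on write; the stored value is plain text but is not guaranteed safe for raw HTML output, so escape it in the template. */`. It is also not visible from the hunk whether rows hydrated from the database go through these setters; if the base Entity assigns properties directly, items stored before this change presumably keep their tags until re-saved. The class body continues outside the hunk.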
diff --git a/templates/part.items.php b/templates/part.items.php
index f20e80c75..f9fc3805f 100644
--- a/templates/part.items.php
+++ b/templates/part.items.php
@@ -19,11 +19,11 @@
</ul>
</div>
- <h1 class="item_heading">{{ item.title|ocRemoveTags:['em', 'b', 'i'] }}</h1>
+ <h1 class="item_heading">{{ item.title }}</h1>
<h1 class="item_title">
<a ng-click="itemBusinessLayer.setRead(item.id)"
target="_blank" ng-href="{{ item.url|ocSanitizeURL }}">
- {{ item.title|ocRemoveTags:['em', 'b', 'i'] }}
+ {{ item.title }}
</a>
</h1>
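Review bot: Dropping the `ocRemoveTags` filter means the title is displayed exactly as stored, so any items persisted before this change that still carry `em`/`b`/`i` tags will presumably now show them as escaped literal text instead of having them removed. Angular's `{{ }}` interpolation escapes the value, so this does not reintroduce markup rendering, but a one-off re-save or migration of existing items is needed if the stray tag text is not acceptable. The same change appears twice in this hunk (heading and link text) and both rely on the model-side stripping being applied on every write path.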
diff --git a/tests/unit/db/ItemTest.php b/tests/unit/db/ItemTest.php
index 6c1c5ea6c..d48c8da12 100644
--- a/tests/unit/db/ItemTest.php
+++ b/tests/unit/db/ItemTest.php
@@ -102,4 +102,21 @@ class ItemTest extends \PHPUnit_Framework_TestCase {
), $item->toAPI());
}
+
+ public function testSetAuthor(){
+ $item = new Item();
+ $item->setAuthor('<a>my link</li>');
+ $this->assertEquals('my link', $item->getAuthor());
+ $this->assertContains('author', $item->getUpdatedFields());
+ }
+
+
+ public function testSetTitle(){
+ $item = new Item();
+ $item->setTitle('<a>my link</li>');
+ $this->assertEquals('my link', $item->getTitle());
+ $this->assertContains('title', $item->getUpdatedFields());
+ }
+
+
} \ No newline at end of file
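Review bot: testSetAuthor and testSetTitle pin only the happy path of tag removal; the lossy edge cases of `strip_tags()` are what callers are most likely to trip over and are left undocumented. A case showing that entity-encoded markup is not decoded, `$item->setTitle('a &lt;b&gt;'); $this->assertEquals('a &lt;b&gt;', $item->getTitle());`, and one for a bare `<` followed by a non-space character (for which `strip_tags` drops the rest of the string) would make the intended contract explicit. The file also lacks a trailing newline, which the diff marker at the end points out.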