-rw-r--r-- | CHANGELOG | 5 | ||||
-rw-r--r-- | appinfo/info.xml | 2 | ||||
-rw-r--r-- | templates/part.items.php | 4 |
3 files changed, 8 insertions, 3 deletions
@@ -1,3 +1,8 @@
+ownCloud-news (0.98)
+
+* Fix XSS vulnerability in sanitation for json import
+* Fix XSS vulnerability in feed and title link
+
 ownCloud-news (0.97)
 
 * Fix XSS vulnerability in sanitation
diff --git a/appinfo/info.xml b/appinfo/info.xml
index ca5be7573..9e489df00 100644
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@@ -5,6 +5,6 @@
 <description>An RSS/Atom feed reader. Requires the App Framework app and backgroundjobs need to be enabled. See the README.rst in the apps top directory</description>
 <licence>AGPL</licence>
 <author>Alessandro Cosentino, Bernhard Posselt, Jan-Christoph Borchardt. Powered by SimplePie (Ryan Parman, Geoffrey Sneddon, Ryan McCue and contributors).</author>
- <version>0.97</version>
+ <version>0.98</version>
 <require>5.0.5</require>
 </info>
diff --git a/templates/part.items.php b/templates/part.items.php
index 9cc7bd623..f27259d8a 100644
--- a/templates/part.items.php
+++ b/templates/part.items.php
@@ -21,7 +21,7 @@
 
 <h1 class="item_title">
 <a ng-click="itemBusinessLayer.setRead(item.id)"
- target="_blank" href="{{ item.url }}">
+ target="_blank" ng-href="{{ item.url|ocSanitizeURL }}">
 {{ item.title|ocRemoveTags:['em', 'b', 'i'] }}
 </a>
 </h1>
@@ -29,7 +29,7 @@
 <h2 class="item_author">
 <span ng-show="itemBusinessLayer.noFeedActive() && feedBusinessLayer.getFeedLink(item.feedId)">
 <?php p($l->t('from')) ?>
- <a target="_blank" href="{{ feedBusinessLayer.getFeedLink(item.feedId) }}"
+ <a target="_blank" ng-href="{{ feedBusinessLayer.getFeedLink(item.feedId)|ocSanitizeURL }}"
 class="from_feed">{{ itemBusinessLayer.getFeedTitle(item.id) }}</a>
 </span>
 <span ui-if="item.author">
|
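Review bot: Both rewritten anchors (the title link in the `@@ -21,7 +21,7 @@` hunk and the `from_feed` link in the `@@ -29,7 +29,7 @@` hunk) still open a feed-supplied URL with `target="_blank"` and no `rel`, so the destination page receives a `window.opener` handle to the reader tab and the instance URL as referrer; adding `rel="noopener noreferrer"` to each `<a>` closes that. The `ocSanitizeURL` filter is defined outside this diff, so it is worth confirming there that it allowlists schemes (`http`/`https`) rather than stripping known-bad ones such as `javascript:`. Because the filter runs only in the template, any other consumer of `item.url` or the feed link presumably still sees the unsanitized value, so validating the scheme when the feed is stored would be a useful second layer. The markup surrounding both anchors continues outside the hunks.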