From 10831dd274ff65d4852b47dbc398adae61845206 Mon Sep 17 00:00:00 2001
From: Bernhard Posselt
Date: Sat, 4 May 2013 00:15:41 +0200
Subject: use html purifier for sanitation
---
 utility/feedfetcher.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'utility')
diff --git a/utility/feedfetcher.php b/utility/feedfetcher.php
index e153669ac..0083f1969 100644
--- a/utility/feedfetcher.php
+++ b/utility/feedfetcher.php
@@ -42,19 +42,22 @@ class FeedFetcher implements IFeedFetcher {
 private $faviconFetcher;
 private $simplePieFactory;
 private $time;
+ private $purifier;
 public function __construct(API $api,
 SimplePieAPIFactory $simplePieFactory,
 FaviconFetcher $faviconFetcher,
 TimeFactory $time,
 $cacheDirectory,
- $cacheDuration){
+ $cacheDuration,
+ $purifier){
 $this->api = $api;
 $this->cacheDirectory = $cacheDirectory;
 $this->cacheDuration = $cacheDuration;
 $this->faviconFetcher = $faviconFetcher;
 $this->simplePieFactory = $simplePieFactory;
 $this->time = $time;
+ $this->purifier = $purifier;
 }
@@ -116,7 +119,8 @@ class FeedFetcher implements IFeedFetcher {
 $item->setGuid($guid);
 $item->setGuidHash(md5($guid));
 $item->setBody(str_replace('get_content())); + // escape XSS + $this->purifier->purify($simplePieItem->get_content())));
 $item->setPubDate($simplePieItem->get_date('U'));
 $item->setLastModified($this->time->getTime());
--
cgit v1.2.3
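Review bot: The new `$purifier` constructor parameter is the only injected dependency in `__construct` declared without a type hint, while `API $api`, `SimplePieAPIFactory $simplePieFactory`, `FaviconFetcher $faviconFetcher` and `TimeFactory $time` are all typed. Since the commit message says this is HTML Purifier, declaring it as `\HTMLPurifier $purifier` (or whatever wrapper class the app registers for it — how the library is loaded is not visible here) makes a missing or mis-wired sanitiser fail at construction instead of at the first feed fetch, which is the failure mode you want for a security control. A short property comment such as `// sanitises untrusted feed item HTML before it is stored` on `private $purifier;` would also document why the dependency exists. The class continues past the end of the hunk.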
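Review bot: The added line still runs `str_replace(...)` over the output of `$this->purifier->purify(...)`, so the stored body is not exactly what the purifier validated; any post-purification textual rewrite of tags is a place where markup the purifier never approved can reappear, and the replacement literals are unreadable in this rendering (if, as the `target="_blank"` intent suggests, it prefix-matches `<a`, that would also mangle `<abbr>`, `<address>` and similar tags). Safer is to let the purifier emit the final markup — newer HTML Purifier releases expose a `HTML.TargetBlank` config directive for exactly this, and any `target="_blank"` should be paired with `rel="noopener"` (directive `HTML.TargetNoopener` where available) to prevent reverse tabnabbing — or at minimum to apply the replacement before `purify()` so the result is validated. The `// escape XSS` comment is also misleading, because `purify()` whitelist-filters and normalises HTML rather than escaping it; `// sanitise untrusted feed HTML (whitelist filter, not escaping)` describes what actually happens. The enclosing method starts and ends outside the hunk.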