bitPickups/ad-aures_castoPod
1
0
Fork 0
mirror of https://github.com/ad-aures/castopod.git synced 2026-04-04 15:26:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

fix(security): add csrf filter + prevent xss attacks by escaping user input

Browse source 
- update CI4 to v4.1.9's stable production package
- update php and js dependencies to latest
This commit is contained in:
Yassine Doghri 2022-03-04 14:33:48 +00:00
commit cd2e1e1dc3
182 changed files with 4410 additions and 4214 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/Admin/Controllers/PodcastImportController.php
View file

@ -77,6 +77,7 @@ class PodcastImportController extends BaseController
->withInput()
->with('errors', $this->validator->getErrors());
}
try {
ini_set('user_agent', 'Castopod/' . CP_VERSION);
$feed = simplexml_load_file($this->request->getPost('imported_feed_url'));
@ -93,6 +94,7 @@ class PodcastImportController extends BaseController
' ⎋</a>',
]);
}
$nsItunes = $feed->channel[0]->children('http://www.itunes.com/dtds/podcast-1.0.dtd');
$nsPodcast = $feed->channel[0]->children(
'https://github.com/Podcastindex-org/podcast-namespace/blob/main/docs/1.0.md',
@ -128,6 +130,7 @@ class PodcastImportController extends BaseController
$nsPodcast->location->attributes()['osm'] === null ? null : (string) $nsPodcast->location->attributes()['osm'],
);
}
$guid = null;
if (property_exists($nsPodcast, 'guid') && $nsPodcast->guid !== null) {
$guid = (string) $nsPodcast->guid;
@ -313,8 +316,10 @@ class PodcastImportController extends BaseController
while (in_array($slug . '-' . $slugNumber, $slugs, true)) {
++$slugNumber;
}
$slug = $slug . '-' . $slugNumber;
}
$slugs[] = $slug;
$itemDescriptionHtml = match ($this->request->getPost('description_field')) {
'content' => (string) $nsContent->encoded,