
Commit 6d30164

Fix #286
1 parent b5777cd commit 6d30164


2 files changed

+13
-7
lines changed


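--- a/News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/reader/owncloud/InsertFeedIntoDatabase.java
+++ b/News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/reader/owncloud/InsertFeedIntoDatabase.java
@@ -21,6 +21,7 @@
 
 package de.luhmer.owncloudnewsreader.reader.owncloud;
 
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.json.JSONObject;
 
 import java.util.ArrayList;
@@ -47,10 +48,12 @@ private static Feed parseFeed(JSONObject e)
 
 Feed feed = new Feed();
 feed.setId(e.optLong("id"));
-feed.setFeedTitle(e.optString("title"));
 feed.setFolderId(e.optLong("folderId"));
 feed.setFaviconUrl(faviconLink);
-feed.setLink(e.optString("url"));
+
+//Possible XSS fields
+feed.setFeedTitle(StringEscapeUtils.escapeHtml4(e.optString("title")));
+feed.setLink(StringEscapeUtils.escapeHtml4(e.optString("url")));
 //feed.setLink(e.optString("link"));
 
 return feed;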
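Review bot: `feed.setLink(StringEscapeUtils.escapeHtml4(e.optString("url")))` stores an HTML-escaped string in a field that holds a URL, so a feed URL whose query string contains `&` is persisted as `&amp;` and, if the stored link is later opened or fetched as a URL, it no longer resolves to the same resource; the same problem applies to the `url` and `enclosureLink` escaping in InsertItemIntoDatabase.java. escapeHtml4 is output encoding for an HTML context and belongs at the point where a value is rendered into HTML, not in the parser that fills the model, where it also double-encodes titles that already contain entities and shows `&amp;` literally wherever the title is displayed as plain text. For the URL fields a parse-time check that the scheme is http or https addresses injection without altering the value, e.g. keep `feed.setLink(e.optString("url"));` and reject or drop links whose scheme is not in that allowlist, while escaping the title at display time. parseFeed's body starts before this hunk, and `faviconLink` is assigned outside it.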

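--- a/News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/reader/owncloud/InsertItemIntoDatabase.java
+++ b/News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/reader/owncloud/InsertItemIntoDatabase.java
@@ -21,6 +21,7 @@
 
 package de.luhmer.owncloudnewsreader.reader.owncloud;
 
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.json.JSONException;
 import org.json.JSONObject;
 
@@ -69,21 +70,23 @@ private static RssItem parseItem(JSONObject e) throws JSONException {
 RssItem rssItem = new RssItem();
 rssItem.setId(e.getLong("id"));
 rssItem.setFeedId(e.optLong("feedId"));
-rssItem.setLink(url);
-rssItem.setTitle(e.optString("title"));
 rssItem.setGuid(guid);
 rssItem.setGuidHash(e.optString("guidHash"));
 rssItem.setBody(content);
-rssItem.setAuthor(e.optString("author"));
 rssItem.setLastModified(new Date(e.optLong("lastModified")));
-rssItem.setEnclosureLink(enclosureLink);
-rssItem.setEnclosureMime(enclosureMime);
 rssItem.setRead(!e.optBoolean("unread"));
 rssItem.setRead_temp(rssItem.getRead());
 rssItem.setStarred(e.optBoolean("starred"));
 rssItem.setStarred_temp(rssItem.getStarred());
 rssItem.setPubDate(pubDate);
 
+//Possible XSS fields
+rssItem.setTitle(StringEscapeUtils.escapeHtml4(e.optString("title")));
+rssItem.setAuthor(StringEscapeUtils.escapeHtml4(e.optString("author")));
+rssItem.setLink(StringEscapeUtils.escapeHtml4(url));
+rssItem.setEnclosureLink(StringEscapeUtils.escapeHtml4(enclosureLink));
+rssItem.setEnclosureMime(StringEscapeUtils.escapeHtml4(enclosureMime));
+
 return rssItem;
 /*
 new RssItem(0, e.optString("id"),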
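Review bot: `rssItem.setBody(content)` stays unescaped while title, author, link and enclosure fields under the `//Possible XSS fields` comment are HTML-escaped, so if the injection being fixed is in rendered item HTML, the body — the field that presumably is rendered as HTML — is the one this hunk does not cover; escaping it with escapeHtml4 would destroy legitimate article markup, so the body needs an allowlist HTML sanitizer at the point it is rendered rather than escaping here. `rssItem.setEnclosureMime(StringEscapeUtils.escapeHtml4(enclosureMime))` applies HTML escaping to a media type, which is presumably consumed as a MIME string rather than inserted into HTML; a check that it matches a `type/subtype` shape is the validation that fits that field, and a comment stating which fields are rendered where would make the intent of the block checkable, e.g. `// Escaped for display in HTML; body is sanitized at render time instead`. The variables `url`, `content`, `enclosureLink` and `enclosureMime` are assigned before this hunk, and parseItem's body begins outside it.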
