From b672fc190d7df163449e91400c6d6a08a3775835 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 11 Nov 2018 17:31:50 +0100
Subject: Tweaks for Vienna RSS (#2093) * Tweaks for Vienna RSS https://github.com/FreshRSS/FreshRSS/issues/2091 https://github.com/ViennaRSS/vienna-rss/issues/1197 * Fix get feed by URL * Fix get item ids returning starred elements * API add item ids by feed URL * Add API filter `it` https://feedhq.readthedocs.io/en/latest/api/reference.html#stream-items-ids * API add `nt=` filter + refactoring * No ; prefix for author https://github.com/FreshRSS/FreshRSS/issues/2091#issuecomment-435562495 * Add id long form prefix and accept short id form https://github.com/FreshRSS/FreshRSS/issues/2091#issuecomment-435631259 * Fix quote problem https://github.com/FreshRSS/FreshRSS/issues/2091#issuecomment-435683930 * Isolate bug fix for News+ https://github.com/FreshRSS/FreshRSS/issues/2091#issuecomment-435687041 * Rework encoding conventions https://github.com/FreshRSS/FreshRSS/issues/2091#issuecomment-437441834 * Unicode escaping alternative Alternative approach to encode XML special characters and other problematic characters into their Unicode fullwidth version when we cannot use HTML-encoding because clients disagree wether they should HTML-decode or not. https://github.com/FreshRSS/FreshRSS/issues/2091#issuecomment-436059559
---
 lib/lib_rss.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'lib/lib_rss.php')
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 4087f6faf..52e4408d2 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -102,6 +102,18 @@ function safe_ascii($text) {
 return filter_var($text, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
 }
 
+function escapeToUnicodeAlternative($text) {
+ $text = htmlspecialchars_decode($text, ENT_QUOTES);
+ // https://raw.githubusercontent.com/mihaip/google-reader-api/master/wiki/StreamId.wiki
+ return trim(str_replace(
+ //Problematic characters
+ array("'", '"', '^', '<', '>', '?', '&', '\\', '/', ',', ';'),
+ //Use their fullwidth Unicode form instead:
+ array("’", '"', '^', '<', '>', '?', '&', '\', '/', ',', ';'),
+ $text
+ ));
+}
+
 /**
 * Test if a given server address is publicly accessible.
 *
-- 
cgit v1.2.3
From 0fce9892ff2b03083706b4f78495539861db98aa Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Mon, 12 Nov 2018 09:03:20 +0100
Subject: API encoding tuning (#2120) Use only minimal XML->Unicode encoding for articles title. Follow-up of https://github.com/FreshRSS/FreshRSS/pull/2093
---
 app/Models/Feed.php | 2 +-
 lib/lib_rss.php | 21 +++++++++++++--------
 p/api/greader.php | 8 ++++----
 3 files changed, 18 insertions(+), 13 deletions(-)
(limited to 'lib/lib_rss.php')
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index a5ef33d6b..acf3bd981 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -424,7 +424,7 @@ class FreshRSS_Feed extends Minz_Model {
 $author_names = '';
 if (is_array($authors)) {
 foreach ($authors as $author) {
- $author_names .= escapeToUnicodeAlternative(strip_tags($author->name == '' ? $author->email : $author->name)) . '; ';
+ $author_names .= escapeToUnicodeAlternative(strip_tags($author->name == '' ? $author->email : $author->name), true) . '; ';
 }
 }
 $author_names = substr($author_names, 0, -2);
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 52e4408d2..c445874c8 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
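Review bot: `escapeToUnicodeAlternative()`, as added in the first `lib/lib_rss.php` hunk (`@@ -102,6 +102,18 @@`), has no doc comment, and its contract is easy to misread from the name. It HTML-decodes its argument and returns plain text whose only protection is the substitution list, so a docblock should state that the input is expected to be HTML-encoded and that the result is not HTML-encoded any more. The replacement array also depends on literal look-alike characters that many renderings show as plain ASCII (as displayed here the two arrays are nearly identical). Assuming the file really holds the fullwidth forms the comment describes, a line such as `// U+2019, then fullwidth U+FF02, U+FF3E, U+FF1C, U+FF1E, U+FF1F, U+FF06, U+FF3C, U+FF0F, U+FF0C, U+FF1B` above that array would let a reviewer verify it.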
@@ -102,16 +102,21 @@ function safe_ascii($text) {
 return filter_var($text, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
 }
 
-function escapeToUnicodeAlternative($text) {
+function escapeToUnicodeAlternative($text, $extended = true) {
 $text = htmlspecialchars_decode($text, ENT_QUOTES);
+
+ //Problematic characters
+ $problem = array('&', '<', '>');
+ //Use their fullwidth Unicode form instead:
+ $replace = array('&', '<', '>');
+
 // https://raw.githubusercontent.com/mihaip/google-reader-api/master/wiki/StreamId.wiki
- return trim(str_replace(
- //Problematic characters
- array("'", '"', '^', '<', '>', '?', '&', '\\', '/', ',', ';'),
- //Use their fullwidth Unicode form instead:
- array("’", '"', '^', '<', '>', '?', '&', '\', '/', ',', ';'),
- $text
- ));
+ if ($extended) {
+ $problem += array("'", '"', '^', '?', '\\', '/', ',', ';');
+ $replace += array("’", '"', '^', '?', '\', '/', ',', ';');
+ }
+
+ return trim(str_replace($problem, $replace, $text));
 }
 
 /**
diff --git a/p/api/greader.php b/p/api/greader.php
index 7c5c54951..7cd312f2c 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -300,7 +300,7 @@ function subscriptionList() {
 foreach ($res as $line) {
 $subscriptions[] = array(
 'id' => 'feed/' . $line['id'],
- 'title' => escapeToUnicodeAlternative($line['name']),
+ 'title' => escapeToUnicodeAlternative($line['name'], true),
 'categories' => array(
 array(
 'id' => 'user/-/label/' . htmlspecialchars_decode($line['c_name'], ENT_QUOTES),
@@ -506,7 +506,7 @@ function entriesToArray($entries) {
 'crawlTimeMsec' => substr($entry->id(), 0, -3),
 'timestampUsec' => '' . $entry->id(), //EasyRSS
 'published' => $entry->date(true),
- 'title' => escapeToUnicodeAlternative($entry->title()),
+ 'title' => escapeToUnicodeAlternative($entry->title(), false),
 'summary' => array('content' => $entry->content()),
 'alternate' => array(
 array('href' => htmlspecialchars_decode($entry->link(), ENT_QUOTES)),
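Review bot: In the `if ($extended)` branch of `escapeToUnicodeAlternative()`, `$problem += array(...)` is PHP's array union, which keeps the keys already present on the left. Both operands are lists and `$problem` already holds keys 0–2, so the first three entries of the extended list (`"'"`, `'"'`, `'^'`) are discarded, and the same happens to `$replace`. Quotes and the caret therefore pass through unreplaced in extended mode. That affects every caller passing `true` in this commit: the author names in `app/Models/Feed.php`, and the `subscriptionList()` and `origin` titles in `p/api/greader.php`. Appending instead keeps the whole list, `$problem = array_merge($problem, array("'", '"', '^', '?', '\\', '/', ',', ';'));` and likewise for `$replace`, and a test asserting that `'` and `"` are substituted when `$extended` is true would pin the behaviour.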
@@ -517,14 +517,14 @@ function entriesToArray($entries) {
 ),
 'origin' => array(
 'streamId' => 'feed/' . $f_id,
- 'title' => escapeToUnicodeAlternative($f_name), //EasyRSS
+ 'title' => escapeToUnicodeAlternative($f_name, true), //EasyRSS
 //'htmlUrl' => $line['f_website'],
 ),
 );
 $author = $entry->authors(true);
 $author = trim($author, '; ');
 if ($author != '') {
- $item['author'] = escapeToUnicodeAlternative($author);
+ $item['author'] = escapeToUnicodeAlternative($author, false);
 }
 if ($entry->isRead()) {
 $item['categories'][] = 'user/-/state/com.google/read';
-- 
cgit v1.2.3
From 9f6919ae81fa0194d097bacc8956a05efb6db2c8 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 18 Nov 2018 11:35:13 +0100
Subject: Strip embedded SVG images for now (#2135) Fix https://github.com/FreshRSS/FreshRSS/issues/2106 Proper SVG support would require custom sanitizing and URL rewriting of xlink:href, and is left for future work
---
 lib/lib_rss.php | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib/lib_rss.php')
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index c445874c8..333920c8c 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -226,6 +226,7 @@ function customSimplePie($attributes = array()) { 'font', 'form', 'frame', 'frameset', 'html', 'link', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'plaintext', 'script', 'style', + 'svg', //TODO: Support SVG after sanitizing and URL rewriting of xlink:href )); $simplePie->strip_attributes(array_merge($simplePie->strip_attributes, array( 'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
-- 
cgit v1.2.3
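Review bot: The `false` passed for `$item['author']` in `entriesToArray()` does not by itself give authors the minimal encoding, because the `app/Models/Feed.php` hunk of this same commit already runs each author name through `escapeToUnicodeAlternative(..., true)` when the entry is built. The API call then re-processes a string that has presumably been substituted already, while entries stored before the change would get only the minimal pass, so what a client sees may depend on when the entry was fetched; this is worth confirming. A short comment on this line saying which layer owns author escaping, and why the flag differs from the `origin` title just above, would make the intent reviewable. `entriesToArray()` starts and ends outside the hunk.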
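Review bot: Adding `'svg'` to `strip_htmltags` in `customSimplePie()` should come with a test showing what remains of an embedded SVG after sanitizing. As far as I can tell, SimplePie drops the content only for `script` and `style` and otherwise unwraps the tag, keeping its children. If that holds here, child elements such as `<a xlink:href=…>` or `<image>` would stay in the article without their `svg` wrapper, and `xlink:href` is not among the `strip_attributes` entries visible in this hunk. The TODO would also be easier to follow up if it named the issue it defers, e.g. `'svg', //TODO: Support SVG after sanitizing and URL rewriting of xlink:href (issue #2106)`. `customSimplePie()` continues outside the hunk.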