Articles published through API lose formatting

oka · March 7, 2018, 9:25am

Hey,

I’m using Tiny Tiny RSS v17.4 and I have a small problem with the API.
What I’m trying to do is keep the HTML formatting of articles when I publish them through the API call. Currently this is being stripped (which is a very sane thing to do), but I’m the only one using the API for this instance and would like to get rid of the tag stripping. As a result I would like to be able to publish articles through the API or database call and keep the formatting of those articles.

I’ve tried editing the /classes/api.php to skip the strip_tags function there before it’s being passed to the database handler but that didn’t work out. I’m also not quite sure where the data is being passed or sanitized next.

I’ve also tried injecting published articles straight into the DB using MySQL, in an attempt to skip using the API but I got stuck on a constraint:

ERROR 1452 (23000): Cannot add or update a child row: a foreign key constraint fails (ttrss.ttrss_user_entries, CONSTRAINT ttrss_user_entries_ibfk_1 FOREIGN KEY (ref_id) REFERENCES ttrss_entries (id) ON DELETE CASCADE)

Does anyone have an idea or a hint on what I could try next?

Kind Regards

fox · March 7, 2018, 9:38am

removing strip_tags() should be enough, try checking if markup is there in the database when you have published the article.

before display html content goes through sanitize(). it doesn’t remove all markup though, there’s a whitelist.

btw: instead of modifying already existing api call i suggest adding a separate one with a plugin.

well yes, you will also need to add a ttrss_entries record first, ttrss_user_entries links to it. you can see how create_published_article() does it.

oka · March 8, 2018, 3:16pm

Hey, thanks for your time and reply.

I didn’t end up writing a plugin because my PHP is really bad sorry, but I tried the following things:

Removing the strip_tags() didn’t give me markup in database.
In my spaghetticode where I use the API to make the published call, I now make a database call using the headline[‘id’] field to target the article that lost markup. Using an update query allowed me to put the HTML straight back into the DB.

But now in the published feed still all markup is removed. I’m puzzled, is this where the sanitize() comes into play? Sorry for bothering you with this shit but could you point me in the direction what happens after the create_published_article() in article.php is called to the point where it is added to the feed so I can track its flow and find out where the whitelist is?

Kind Regards

fox · March 8, 2018, 3:31pm

sanitize() happens just before stuff is displayed by tt-rss or exported via API. it does not remove all markup though, a lot of stuff is whitelisted.

you can adjust sanitize() whitelist if some tags that you need are missing, note that blacklisted tags are usually blacklisted for a reason - they either have the potential to break tt-rss UI or used maliciously.

i suggest you don’t disable sanitize(), that would be a terrible idea, security-wise.

well, data is entered in the database → you open published feed → Feeds::view() is called → it fetches stuff from the database (see queryFeedHeadlines()) and sanitizes the output (while stripping html everywhere else).