author | friendica <info@friendica.com> | 2014-05-14 00:55:32 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-05-14 00:55:32 -0700 |
commit | 2f1e4a6370da6892433b6d8d57362a5a6565e07c (patch) | |
tree | bb7bce4517e57933128248775f20067f62ba69d8 | |
parent | de550d45ff992436843bc692c52f59e0cba5c2b4 (diff) | |
xss prevention
-rw-r--r-- | include/widgets.php | 5 | ||||
-rw-r--r-- | version.inc | 2 | ||||
-rw-r--r-- | view/css/choklet_bannertwo.css | 2 |
3 files changed, 8 insertions, 1 deletions
diff --git a/include/widgets.php b/include/widgets.php
index 0f6d70ff7..0ed79f1eb 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -746,6 +746,11 @@ function widget_photo($arr) {
 	if(array_key_exists('style',$arr) && isset($arr['style']))
 		$style = $arr['style'];
+	// ensure they can't sneak in an eval(js) function
+
+	if(strpos($style,'(') !== false)
+		return '';
+
 	if(array_key_exists('zrl',$arr) && isset($arr['zrl']))
 		$zrl = (($arr['zrl']) ? true : false);
diff --git a/version.inc b/version.inc
index 2ac8372b9..bb7d12c4b 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2014-05-13.674
+2014-05-14.675
diff --git a/view/css/choklet_bannertwo.css b/view/css/choklet_bannertwo.css
index 63917cb26..386f8ead3 100644
--- a/view/css/choklet_bannertwo.css
+++ b/view/css/choklet_bannertwo.css
@@ -10,6 +10,8 @@ header #banner {
 	margin-top: 75px;
 	width: 100%;
 	margin-bottom: 20px;
+	margin-left: auto;
+	margin-right: auto;
 	overflow-x: hidden;
 }
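Review bot: The added check in widget_photo rejects only a literal `(`, which is a denylist on a single character and does not make `$style` safe to emit inside a `style` attribute: a quote character would still close the attribute, and browsers entity-decode attribute values before the CSS is parsed, so the rejected character can be represented without the literal byte that `strpos()` looks for. An allowlist is the robust form, `if(! preg_match('/^[A-Za-z0-9 :;.%#,_-]*$/', $style)) return '';`, which rejects anything that is not plain CSS-declaration text, and the value should additionally be passed through `htmlspecialchars()` where it is interpolated into the markup, which presumably happens later in the function outside this hunk. If `$style` is not initialised earlier in the function, `strpos()` on an undefined variable also emits a notice whenever the `style` key is absent, since the preceding `if` is the only assignment visible here. widget_photo's body begins and ends outside the hunk.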