authorfriendica <info@friendica.com>2014-05-14 00:55:32 -0700
committerfriendica <info@friendica.com>2014-05-14 00:55:32 -0700
commit2f1e4a6370da6892433b6d8d57362a5a6565e07c (patch)
treebb7bce4517e57933128248775f20067f62ba69d8
parentde550d45ff992436843bc692c52f59e0cba5c2b4 (diff)
downloadvolse-hubzilla-2f1e4a6370da6892433b6d8d57362a5a6565e07c.tar.gz
volse-hubzilla-2f1e4a6370da6892433b6d8d57362a5a6565e07c.tar.bz2
volse-hubzilla-2f1e4a6370da6892433b6d8d57362a5a6565e07c.zip
xss prevention
-rw-r--r--include/widgets.php5
-rw-r--r--version.inc2
-rw-r--r--view/css/choklet_bannertwo.css2
3 files changed, 8 insertions, 1 deletions
diff --git a/include/widgets.php b/include/widgets.php
index 0f6d70ff7..0ed79f1eb 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -746,6 +746,11 @@ function widget_photo($arr) {
if(array_key_exists('style',$arr) && isset($arr['style']))
$style = $arr['style'];
+ // ensure they can't sneak in an eval(js) function
+
+ if(strpos($style,'(') !== false)
+ return '';
+
if(array_key_exists('zrl',$arr) && isset($arr['zrl']))
$zrl = (($arr['zrl']) ? true : false);
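Review bot: The new guard rejects only a single character, so any value without `(` still passes through, and a quote character in `$style` can close the enclosing attribute before the CSS is even parsed; a denylist on `(` is not a substitute for attribute escaping. A narrower allowlist is easier to reason about, e.g. `if(!preg_match('/^[a-zA-Z0-9 :;#%.,\\-]*$/', $style)) return '';`, with the value still passed through `htmlspecialchars($style, ENT_QUOTES, 'UTF-8')` wherever it is emitted into the markup. The check also runs unconditionally, so if `$style` has no earlier default in the function, `strpos()` is called on an unset variable when the `style` key is absent; guarding with `isset($style) &&` or giving `$style` a `''` default before this block would avoid that. The body of widget_photo starts and ends outside this hunk, so the initialisation and the output site cannot be confirmed here. The comment would be clearer as `// reject CSS function syntax (url(), expression(), etc.) in the style attribute`.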
diff --git a/version.inc b/version.inc
index 2ac8372b9..bb7d12c4b 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2014-05-13.674
+2014-05-14.675
diff --git a/view/css/choklet_bannertwo.css b/view/css/choklet_bannertwo.css
index 63917cb26..386f8ead3 100644
--- a/view/css/choklet_bannertwo.css
+++ b/view/css/choklet_bannertwo.css
@@ -10,6 +10,8 @@ header #banner {
margin-top: 75px;
width: 100%;
margin-bottom: 20px;
+ margin-left: auto;
+ margin-right: auto;
overflow-x: hidden;
}