diff options
| author | Haakon Meland Eriksen <haakon.eriksen@far.no> | 2016-01-17 11:26:18 +0100 |
|---|---|---|
| committer | Haakon Meland Eriksen <haakon.eriksen@far.no> | 2016-01-17 11:26:18 +0100 |
| commit | 256472f9eb3a1c929e5b43e2b6eb3bf0b0d5afe6 (patch) | |
| tree | 1f6778002328b27066ba86910f3f87bd060d6660 /include/widgets.php | |
| parent | af8449cef83376c65ff5ae9092dbe69f89294e69 (diff) | |
| parent | 9b3b2efe9aa374565c0c67bbc67c36f9c99d3add (diff) | |
| download | volse-hubzilla-256472f9eb3a1c929e5b43e2b6eb3bf0b0d5afe6.tar.gz volse-hubzilla-256472f9eb3a1c929e5b43e2b6eb3bf0b0d5afe6.tar.bz2 volse-hubzilla-256472f9eb3a1c929e5b43e2b6eb3bf0b0d5afe6.zip | |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'include/widgets.php')
| -rw-r--r-- | include/widgets.php | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/include/widgets.php b/include/widgets.php index 7021ef49d..60605cb51 100644 --- a/include/widgets.php +++ b/include/widgets.php @@ -915,8 +915,8 @@ function widget_photo($arr) { // ensure they can't sneak in an eval(js) function - if(strpos($style,'(') !== false) - return ''; + if(strpbrk($style,'(\'"<>') !== false) + $style = ''; if(array_key_exists('zrl', $arr) && isset($arr['zrl'])) $zrl = (($arr['zrl']) ? true : false); @@ -956,8 +956,8 @@ function widget_cover_photo($arr) { // ensure they can't sneak in an eval(js) function - if(strpos($style,'(') !== false) - return ''; + if(strpbrk($style,'(\'"<>') !== false) + $style = ''; $c = get_cover_photo($channel_id,'html'); |