Merge pull request #18 from redmatrix/master

updating from original codebase
author: mrjive <mrjive@mrjive.it> 2016-01-21 09:51:32 +0100
committer: mrjive <mrjive@mrjive.it> 2016-01-21 09:51:32 +0100
commit: c49e4f52ae83441c4a1dcf52e433dded8d767679 (patch)
tree: 0a558e33ed4b77a56186721cf13844ba7b28af24 /include/widgets.php
parent: 763c700372ee91f3f840c6fba915cb4d941c34a0 (diff)
parent: 1d891984441fa2f4aa8e311191da23e9ddd6e928 (diff)
download: volse-hubzilla-c49e4f52ae83441c4a1dcf52e433dded8d767679.tar.gz
volse-hubzilla-c49e4f52ae83441c4a1dcf52e433dded8d767679.tar.bz2
volse-hubzilla-c49e4f52ae83441c4a1dcf52e433dded8d767679.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/include/widgets.php b/include/widgets.php
index 7021ef49d..60605cb51 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -915,8 +915,8 @@ function widget_photo($arr) {
 
 	// ensure they can't sneak in an eval(js) function
 
-	if(strpos($style,'(') !== false)
-		return '';
+	if(strpbrk($style,'(\'"<>') !== false)
+		$style = '';
 
 	if(array_key_exists('zrl', $arr) && isset($arr['zrl']))
 		$zrl = (($arr['zrl']) ? true : false);
@@ -956,8 +956,8 @@ function widget_cover_photo($arr) {
 
 	// ensure they can't sneak in an eval(js) function
 
-	if(strpos($style,'(') !== false)
-		return '';
+	if(strpbrk($style,'(\'"<>') !== false)
+		$style = '';
 
 	$c = get_cover_photo($channel_id,'html');
author	mrjive <mrjive@mrjive.it>	2016-01-21 09:51:32 +0100
committer	mrjive <mrjive@mrjive.it>	2016-01-21 09:51:32 +0100
commit	c49e4f52ae83441c4a1dcf52e433dded8d767679 (patch)
tree	0a558e33ed4b77a56186721cf13844ba7b28af24 /include/widgets.php
parent	763c700372ee91f3f840c6fba915cb4d941c34a0 (diff)
parent	1d891984441fa2f4aa8e311191da23e9ddd6e928 (diff)
download	volse-hubzilla-c49e4f52ae83441c4a1dcf52e433dded8d767679.tar.gz volse-hubzilla-c49e4f52ae83441c4a1dcf52e433dded8d767679.tar.bz2 volse-hubzilla-c49e4f52ae83441c4a1dcf52e433dded8d767679.zip