authorredmatrix <git@macgirvin.com>2016-01-16 14:00:22 -0800
committerredmatrix <git@macgirvin.com>2016-01-16 14:00:22 -0800
commit110ef6201e0a3731967a662afed1606b7077d0b0 (patch)
treeab940bb7e966d94520bc5bf5fe74ff0b5dd0f938 /include/widgets.php
parentf66c6bfebfd48274c9b29cd62b1fac933c6530e4 (diff)
add $deliver flag to item_store() and item_store_update() [default true]. If false, do not send any notifications or process tag_deliver. This should avoid any network activity from happening as the result of a channel (actually item) import. Other minor fixes in the handling of the $allow_exec flag and further protecting CSS passed to widgets from rogue code and XSS.
Diffstat (limited to 'include/widgets.php')
-rw-r--r--include/widgets.php8
1 files changed, 4 insertions, 4 deletions
diff --git a/include/widgets.php b/include/widgets.php
index 7021ef49d..60605cb51 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -915,8 +915,8 @@ function widget_photo($arr) {
// ensure they can't sneak in an eval(js) function
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
if(array_key_exists('zrl', $arr) && isset($arr['zrl']))
$zrl = (($arr['zrl']) ? true : false);
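Review bot: The new test on the `strpbrk` line is a five-character denylist, so any byte outside `(\'"<>` still reaches the style output untouched — backslash CSS escapes (`\28` is `(`), `&`, `/`, `;`, `}` — and whether those matter depends on where `$style` is emitted, which is outside this hunk; an allowlist of what a style string legitimately needs is the safer shape, e.g. `if(!preg_match('/^[\w\s:;!#%.,\-]*$/', $style)) $style = '';`. The comment above the check still says "eval(js) function", but the new test also rejects quotes and angle brackets, so I would reword it to `// drop the style if it could close the attribute or call a CSS function (expression(), url())`. The identical check is duplicated in widget_cover_photo in the next hunk; a small shared helper such as `sanitise_widget_style($style)` would keep the two from drifting apart again. widget_photo's body starts before and continues past this hunk, so where `$style` is assigned and rendered is not visible here.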
@@ -956,8 +956,8 @@ function widget_cover_photo($arr) {
// ensure they can't sneak in an eval(js) function
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
$c = get_cover_photo($channel_id,'html');