authorMario <mario@mariovavti.com>2022-03-23 18:38:03 +0000
committerMario <mario@mariovavti.com>2022-03-23 18:38:03 +0000
commita41c7caa182117b2b7b820550cc20dff8be2c0f0 (patch)
tree19611241fd496b778c2f412ab9ebcc4fb34843bd /view
parentbddeab3ac11efaf786ddb2a6ce3f73d8c06790ab (diff)
parentb3ca31bce7ed0dd5777458005718ba96985cbdc2 (diff)
Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'
Security fixes. See merge request hubzilla/core!2017
Diffstat (limited to 'view')
-rw-r--r--view/theme/redbasic/php/style.php5
1 files changed, 2 insertions, 3 deletions
diff --git a/view/theme/redbasic/php/style.php b/view/theme/redbasic/php/style.php
index 6ff281581..3dbc29a96 100644
--- a/view/theme/redbasic/php/style.php
+++ b/view/theme/redbasic/php/style.php
@@ -36,9 +36,8 @@ if(! App::$install) {
// not --- like the mobile theme does instead.
// Allow layouts to over-ride the schema
-
-if($_REQUEST['schema']) {
- $schema = $_REQUEST['schema'];
+if (isset($_REQUEST['schema']) && preg_match('/^[\w_-]+$/i', $_REQUEST['schema'])) {
+ $schema = $_REQUEST['schema'];
}
if (($schema) && ($schema != '---')) {
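Review bot: The `$` anchor in the new allowlist on the `if (isset(...) && preg_match(...))` line still admits a single trailing newline in PCRE, so `schema=foo%0a` passes the check while a value such as `foo\n` is not what the allowlist intends; anchor with `\z` (or add the `D` modifier) to make the match end-exact: `if (isset($_REQUEST['schema']) && preg_match('/^[\w-]+\z/', $_REQUEST['schema'])) {`. The `_` inside the class is redundant because `\w` already covers it, and the `i` modifier does nothing for `\w`/`-`, so dropping both makes the pattern read as exactly the byte set it allows. When the request value is rejected, `$schema` is left untouched and the following `if (($schema) && ...)` relies on it having been assigned earlier; if it is not (that assignment, if any, is outside this hunk), PHP 8 emits an undefined-variable warning, which a `$schema ??= ''` before the check, or `!empty($schema)` on that line, would avoid. The enclosing `if(! App::$install)` block begins before and continues after this hunk.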