From 110ef6201e0a3731967a662afed1606b7077d0b0 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sat, 16 Jan 2016 14:00:22 -0800
Subject: add $deliver flag to item_store() and item_store_update() [default true]. If false, do not send any notifications or process tag_deliver. This should avoid any network activity from happening as the result of a channel (actually item) import. Other minor fixes in the handling of the $allow_exec flag and further protecting CSS passed to widgets from rogue code and XSS.

---
 include/widgets.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'include/widgets.php')

diff --git a/include/widgets.php b/include/widgets.php
index 7021ef49d..60605cb51 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -915,8 +915,8 @@ function widget_photo($arr) {
 
 // ensure they can't sneak in an eval(js) function
 
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
 
 if(array_key_exists('zrl', $arr) && isset($arr['zrl']))
 $zrl = (($arr['zrl']) ? true : false);
@@ -956,8 +956,8 @@ function widget_cover_photo($arr) {
 
 // ensure they can't sneak in an eval(js) function
 
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
 
 $c = get_cover_photo($channel_id,'html');
-- cgit v1.2.3
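Review bot: The character denylist on the new `if(strpbrk($style,'(\'"<>') !== false)` line in widget_photo() can be stepped around, because CSS decodes backslash hex escapes inside identifiers and function names, so a value like `expression\28 ...\29` or `url\28 ...\29` contains none of the five rejected characters yet is parsed by the browser as a function call. If `$style` is later interpolated into a `style="..."` attribute without `htmlspecialchars()`, entity forms such as `&#40;` or `&quot;` likewise pass this check and are decoded by the HTML parser before the CSS parser sees them (the output site is outside this hunk, so treat that as something to confirm). A positive allowlist of what a plain declaration list needs is easier to reason about and closes both holes, e.g. `if(!preg_match('/^[\w\s:;#%.,-]*$/', $style)) $style = '';`, which rejects `\`, `&`, `/` and everything else by default; it also drops `rgb(...)`/`url(...)`, which the commit already forbids via `(`. widget_photo() begins before the hunk and the origin of `$style` is not visible here.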
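Review bot: The context comment above the changed lines in widget_cover_photo(), `// ensure they can't sneak in an eval(js) function`, no longer describes what the check does: quotes and angle brackets are now rejected to stop breaking out of the attribute or markup, not only `(`, and a rejected style is silently blanked instead of aborting the whole widget as the removed `return '';` did. Suggest replacing it with `// Reject characters that could break out of the style attribute or invoke a CSS function (url/expression); a tainted style is dropped, the widget still renders.` The denylist shares the limitation raised for widget_photo(): CSS backslash escapes like `\28` are not caught, so an allowlist pattern is the safer form here too. widget_cover_photo() starts before the hunk and the source of `$style` is not visible.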