From 2f1e4a6370da6892433b6d8d57362a5a6565e07c Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Wed, 14 May 2014 00:55:32 -0700
Subject: xss prevention

---
 include/widgets.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'include/widgets.php')

diff --git a/include/widgets.php b/include/widgets.php
index 0f6d70ff7..0ed79f1eb 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -746,6 +746,11 @@ function widget_photo($arr) {
 	if(array_key_exists('style',$arr) && isset($arr['style']))
 		$style = $arr['style'];
 
+	// ensure they can't sneak in an eval(js) function
+
+	if(strpos($style,'(') !== false)
+		return '';
+
 	if(array_key_exists('zrl',$arr) && isset($arr['zrl']))
 		$zrl = (($arr['zrl']) ? true : false);
 
-- 
cgit v1.2.3