harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add $deliver flag to item_store() and item_store_update() [default true]. If false, do not send any notifications or process tag_deliver. This should avoid any network activity from happening as the result of a channel (actually item) import. Other minor fixes in the handling of the $allow_exec flag and further protecting CSS passed to widgets from rogue code and XSS.

Browse Source
This commit is contained in:
redmatrix
2016-01-16 14:00:22 -08:00
parent f66c6bfebf
commit 110ef6201e
7 changed files with 18 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
include/widgets.php
View File

@@ -915,8 +915,8 @@ function widget_photo($arr) {
// ensure they can't sneak in an eval(js) function
if(strpos($style,'(') !== false)
return '';
if(strpbrk($style,'(\'"<>') !== false)
$style = '';
if(array_key_exists('zrl', $arr) && isset($arr['zrl']))
$zrl = (($arr['zrl']) ? true : false);
@@ -956,8 +956,8 @@ function widget_cover_photo($arr) {
// ensure they can't sneak in an eval(js) function
if(strpos($style,'(') !== false)
return '';
if(strpbrk($style,'(\'"<>') !== false)
$style = '';
$c = get_cover_photo($channel_id,'html');