author | Brett Profitt <brett.profitt@gmail.com> | 2012-05-14 11:50:40 -0700 |
committer | Brett Profitt <brett.profitt@gmail.com> | 2012-05-14 11:50:40 -0700 |
commit | f2173ecfae41c83c8200024d4b7bd6e0c7202f7a (patch) | |
tree | c6d2eda4b7c05fa2e30bff3ae974bae13e07b53e /engine | |
parent | f90a5e3eee4e4d443c27830b6fcab312e0c0b21c (diff) | |
Fixes possible XSS vector.
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/views.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/engine/lib/views.php b/engine/lib/views.php
index ca0ce7196..1b013be6f 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -103,7 +103,10 @@ function elgg_get_viewtype() {
 $viewtype = get_input('view', NULL);
 if ($viewtype) {
- return $viewtype;
+ // only word characters allowed.
+ if (!preg_match('[\W]', $viewtype)) {
+ return $viewtype;
+ }
 }
 if (isset($CONFIG->view) && !empty($CONFIG->view)) {
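Review bot: The pattern `'[\W]'` in the added preg_match uses `[` and `]` as PCRE delimiters, so it is really the bare pattern `\W`; it works, but it reads like a character class and the next maintainer is likely to "fix" it into one. Stating the allow-list positively is clearer and also covers the failure mode where preg_match returns false on an engine error, which `!preg_match(...)` would treat as a valid viewtype: `if (preg_match('/^\w+$/', $viewtype) === 1) {`. Consider extending the comment to say what happens on rejection, e.g. `// only word characters allowed; anything else falls through to the configured/default viewtype.`, since the input is silently discarded rather than reported. The rest of elgg_get_viewtype() lies outside this hunk.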