Diffstat (limited to 'engine/lib/river.php')
| -rw-r--r-- | engine/lib/river.php | 14 | 
1 files changed, 10 insertions, 4 deletions
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 421813441..547d9495e 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -44,10 +44,16 @@ $posted = 0, $annotation_id = 0) {
 	if ($access_id === "") {
 		$access_id = $object->access_id;
 	}
-	$annotation_id = (int)$annotation_id;
 	$type = $object->getType();
 	$subtype = $object->getSubtype();
+
+	$view = sanitise_string($view);
 	$action_type = sanitise_string($action_type);
+	$subject_guid = sanitise_int($subject_guid);
+	$object_guid = sanitise_int($object_guid);
+	$access_id = sanitise_int($access_id);
+	$posted = sanitise_int($posted);
+	$annotation_id = sanitise_int($annotation_id);
 	$params = array(
 		'type' => $type,
@@ -102,7 +108,7 @@ $posted = 0, $annotation_id = 0) {
  *
  * @warning not checking access (should we?)
  *
- * @param array $options
+ * @param array $options Parameters:
  *   ids                  => INT|ARR River item id(s)
  *   subject_guids        => INT|ARR Subject guid(s)
  *   object_guids         => INT|ARR Object guid(s)
@@ -209,7 +215,7 @@ function elgg_delete_river(array $options = array()) {
  *
  * @note If using types and subtypes in a query, they are joined with an AND.
  *
- * @param array $options
+ * @param array $options Parameters:
  *   ids                  => INT|ARR River item id(s)
  *   subject_guids        => INT|ARR Subject guid(s)
  *   object_guids         => INT|ARR Object guid(s)
@@ -542,7 +548,7 @@ function elgg_river_get_action_where_sql($types) {
 /**
  * Get the where clause based on river view strings
  *
- * @param array $types Array of view strings
+ * @param array $views Array of view strings
  *
  * @return string
  * @since 1.8.0
|
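Review bot: The `sanitise_int()` calls added in the first hunk coerce rather than validate, so a non-numeric `$subject_guid`, `$object_guid` or `$posted` silently becomes 0 and the function carries on building `$params` with it. The casts make the values safe to embed in a query, but a river row attributed to guid 0 is still bad data; after the casts I would add a guard such as `if ($subject_guid <= 0 || $object_guid <= 0) { return false; }`, using whatever failure value the function already returns. `$access_id` deserves a one-line comment such as `// non-numeric access ids collapse to 0; confirm that is the most restrictive level`, because the fallback above only triggers on `=== ""` and anything else malformed now passes through the cast. The function starts before and continues past this hunk, so I cannot see whether `$object_guid` was already used for a lookup before it is sanitised here.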
