From f2173ecfae41c83c8200024d4b7bd6e0c7202f7a Mon Sep 17 00:00:00 2001
From: Brett Profitt
Date: Mon, 14 May 2012 11:50:40 -0700
Subject: Fixes possible XSS vector.

---
 engine/lib/views.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/engine/lib/views.php b/engine/lib/views.php
index ca0ce7196..1b013be6f 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -103,7 +103,10 @@ function elgg_get_viewtype() {
 $viewtype = get_input('view', NULL);
 if ($viewtype) {
- return $viewtype;
+ // only word characters allowed.
+ if (!preg_match('[\W]', $viewtype)) {
+ return $viewtype;
+ }
 }
 
 if (isset($CONFIG->view) && !empty($CONFIG->view)) {
-- 
cgit v1.2.3
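Review bot: The new allow-list on the added `if (!preg_match('[\W]', $viewtype))` line fails open: preg_match() returns false on a PCRE error (backtrack or recursion limit, bad pattern), and `!false` is true, so an error would hand the raw, unfiltered input straight back to the caller. Writing it as a positive, anchored match that must return exactly 1 fails closed instead, and also avoids the bracket-delimited `'[\W]'` form, which most readers will misread as a character class rather than a delimiter pair: `if (preg_match('/^\w+\z/', $viewtype) === 1) {`. The added comment should state why the restriction exists, since the subject line is the only place that says so, e.g. `// allow-list: the viewtype is reflected into output, so reject anything outside [A-Za-z0-9_]`. elgg_get_viewtype() continues past the end of the hunk, so the fallback paths below are not visible here.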