author | Christian Schneider | 2007-05-03 13:13:44 +0000 |
---|---|---|
committer | Christian Schneider | 2007-05-03 13:13:44 +0000 |
commit | 011f319ee4371438b7640378fec1639277f0442b (patch) | |
tree | ca7e439b54dc6f7eb29496685b05c3bd602e5a04 | |
parent | 0a52de77f6fe1f9a3190f4ff40d04a6d08fbb827 (diff) | |
Close XSS and fix iframe fallback mode of loader
-rw-r--r-- | itjs.class | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -21,7 +21,7 @@ class itjs
 */
 function send_headers()
 {
- if (!preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT'])) # text/plain breaks Opera 8.51/Linux
+ if (!preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT']) && !$_REQUEST['itjs_call']) # text/plain breaks Opera 8.51/Linux and IFrame fallback
 header('Content-Type: text/plain; charset=iso-8859-1'); # Berni reported some Firewalls to require this
 header('Expires: ' . gmdate('D, d M Y H:i:s', time()+10) . ' GMT'); # prevent broken data on IE reloads
@@ -35,7 +35,7 @@ function send_headers()
 */
 function serialize($values)
 {
- if ($callback = $_REQUEST['itjs_call'])
+ if ($callback = it::replace('[^\w.]' => "", $_REQUEST['itjs_call']))
 {
 $header = "<script type='text/javascript'>$callback(";
 $footer = "," . intval($_REQUEST['itjs_callid']) . ")</script>"; |
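Review bot: The added `!$_REQUEST['itjs_call']` in send_headers() reads the key unconditionally, so every request that carries no itjs_call parameter raises an undefined-index notice before the text/plain header is sent; `empty($_REQUEST['itjs_call'])` expresses the same test without the notice, and the same applies to `$_SERVER['HTTP_USER_AGENT']`, which is absent for clients that send no User-Agent. Because this branch now skips the text/plain header exactly when a callback is present, the response is served as script for the callback path and the character filtering in serialize() becomes the only control between request input and the emitted `<script>` body; that dependency deserves a comment on the changed line, e.g. `# callback responses must be served as script; itjs_call is restricted to [\w.] in serialize()`. The body of send_headers() continues past the end of the hunk.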
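Review bot: In serialize(), `it::replace('[^\w.]' => "", $_REQUEST['itjs_call'])` silently rewrites a malformed callback name instead of refusing it, so a value that fails the allow-list still reaches the `<script>` wrapper under an altered name; validating and dropping is the stricter and more predictable control, e.g. `if (isset($_REQUEST['itjs_call']) && preg_match('/^[\w.]+$/', $callback = $_REQUEST['itjs_call']))`, treating anything else as no callback. Whether `\w` here is ASCII-only depends on the pattern flags it::replace applies, which are not visible in this hunk; if it is locale- or Unicode-aware, non-ASCII letters pass the filter — confirm. `$_REQUEST` also merges cookie values, so the callback name can arrive via a cookie as well as the query string; reading `$_GET` explicitly would narrow the source. The body of serialize() continues past the end of the hunk.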