From 011f319ee4371438b7640378fec1639277f0442b Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Thu, 3 May 2007 13:13:44 +0000
Subject: Close XSS and fix iframe fallback mode of loader
---
 itjs.class | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'itjs.class')
diff --git a/itjs.class b/itjs.class
index 45617e8..e49f98f 100644
--- a/itjs.class
+++ b/itjs.class
@@ -21,7 +21,7 @@ class itjs
 */
 function send_headers()
 {
- if (!preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT'])) # text/plain breaks Opera 8.51/Linux
+ if (!preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT']) && !$_REQUEST['itjs_call']) # text/plain breaks Opera 8.51/Linux and IFrame fallback
 header('Content-Type: text/plain; charset=iso-8859-1'); # Berni reported some Firewalls to require this
 header('Expires: ' . gmdate('D, d M Y H:i:s', time()+10) . ' GMT'); # prevent broken data on IE reloads
@@ -35,7 +35,7 @@ function send_headers()
 */
 function serialize($values)
 {
- if ($callback = $_REQUEST['itjs_call'])
+ if ($callback = it::replace('[^\w.]' => "", $_REQUEST['itjs_call']))
 {
 $header = "";
-- 
cgit v1.2.3
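Review bot: The new `!$_REQUEST['itjs_call']` in send_headers reads the key unconditionally, so every ordinary request without a callback parameter trips an undefined-index notice before the Content-Type header is sent; `!empty($_REQUEST['itjs_call'])` inverted, i.e. `&& empty($_REQUEST['itjs_call'])`, expresses the same truthiness test without the notice (the unchanged `$_SERVER['HTTP_USER_AGENT']` read has the same issue for clients that send no User-Agent). The trailing comment now names the IFrame fallback but not what it needs; a short addition such as `# an itjs_call response is loaded into an IFrame and must not be served as text/plain` would save the next reader from re-deriving it. send_headers continues past the end of this hunk, so any later header() calls are not visible here.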
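Review bot: The new line `it::replace('[^\w.]' => "", $_REQUEST['itjs_call'])` passes a `=>` pair directly as a function argument, which PHP does not parse outside an array literal; unless it::replace is reached through some preprocessing not visible here, this should read `it::replace(array('[^\w.]' => ""), $_REQUEST['itjs_call'])`. The allow-list itself is the right shape for a callback name that is presumably echoed into the generated script: keeping only `\w` and `.` excludes quotes, angle brackets, parentheses and whitespace, which is what closes the XSS named in the subject. A comment stating that intent, e.g. `# callback name is emitted into the response: allow identifier characters only`, would keep a later maintainer from widening the class. Note that a callback consisting solely of stripped characters becomes an empty string and silently takes the non-callback path rather than being rejected, which is probably acceptable but worth stating. serialize's body continues past the end of this hunk.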