Commit d2b2b139 authored by voleger's avatar voleger

Security fix. See Lightbox2 - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-063

parent f692aab1
...@@ -154,7 +154,12 @@ class lightbox2_handler_field_lightbox2 extends views_handler_field { ...@@ -154,7 +154,12 @@ class lightbox2_handler_field_lightbox2 extends views_handler_field {
// div is hidden it won't show up as a lightbox. We also specify a group // div is hidden it won't show up as a lightbox. We also specify a group
// in the rel attribute in order to link the whole View together for paging. // in the rel attribute in order to link the whole View together for paging.
$group_name = !empty($this->options['custom_group']) ? $this->options['custom_group'] : ($this->options['rel_group'] ? 'lightbox-popup-' . $this->view->name . '-' . implode('/', $this->view->args) : ''); $group_name = !empty($this->options['custom_group']) ? $this->options['custom_group'] : ($this->options['rel_group'] ? 'lightbox-popup-' . $this->view->name . '-' . implode('/', $this->view->args) : '');
return "<a href='$link #lightbox-popup-{$i}' rel='lightmodal[{$group_name}|width:" . ($this->options['width'] ? $this->options['width'] : '600px') . ';height:' . ($this->options['height'] ? $this->options['height'] : '600px') . "][" . $caption . "]'>" . $tokens["[{$this->options['trigger_field']}]"] . "</a> $group_name = check_plain($group_name);
$width = $this->options['width'] ? check_plain($this->options['width']) : '600px';
$height = $this->options['height'] ? check_plain($this->options['height']) : '600px';
$trigger_field = filter_xss_admin($this->options['trigger_field']);
return "<a href='$link #lightbox-popup-{$i}' rel='lightmodal[{$group_name}|width:" . $width . ';height:' . $height . "][" . $caption . "]'>" . $tokens["[{$trigger_field}]"] . "</a>
<div style='display: none;'><div id='lightbox-popup-{$i}' class='lightbox-popup'>$popup</div></div>"; <div style='display: none;'><div id='lightbox-popup-{$i}' class='lightbox-popup'>$popup</div></div>";
} }
else { else {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment