From 79fe0a16588b4b4c2bf75f73fd73d7ea3bde10fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Doursenaud?=
Date: Wed, 23 Apr 2014 14:21:58 +0200
Subject: [PATCH] Qual: Prevent potential JS injection
---
 htdocs/core/js/lib_head.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/js/lib_head.js b/htdocs/core/js/lib_head.js
index a9b7f9e4c18..b6b5993b9d4 100644
--- a/htdocs/core/js/lib_head.js
+++ b/htdocs/core/js/lib_head.js
@@ -554,7 +554,9 @@ function newpopup(url,title) {
 tmp=url;
 var l = (argc > 2) ? argv[2] : 600;
 var h = (argc > 3) ? argv[3] : 400;
- var wfeatures="directories=0,menubar=0,status=0,resizable=0,scrollbars=1,toolbar=0,width="+l+",height="+h+",left=" + eval("(screen.width - l)/2") + ",top=" + eval("(screen.height - h)/2");
+ var left = (screen.width - l)/2;
+ var top = (screen.height - h)/2;
+ var wfeatures = "directories=0,menubar=0,status=0,resizable=0,scrollbars=1,toolbar=0,width=" + l +",height=" + h + ",left=" + left + ",top=" + top;
 fen=window.open(tmp,title,wfeatures);
 return false;
 }
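Review bot: `l` and `h` are still concatenated into `wfeatures` exactly as the caller supplied them in `argv[2]` and `argv[3]`, so a non-numeric value makes the new `left` and `top` evaluate to `NaN`, and a string containing a comma could add extra window features. Coerce them where they are read, for example `var l = (argc > 2) ? parseInt(argv[2], 10) || 600 : 600;` and the same for `h` with 400. The new local `top` also shadows `window.top` inside the function; a name such as `topPos` (with `leftPos` to match) would avoid confusion. The body of newpopup starts outside the hunk, so where `argc` and `argv` are set is not visible here.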