function setpref() {
$value = str_replace("\n", "<br/>", $_REQUEST['value']);
- $key = db_escape_string($_REQUEST["key"]);
- $value = db_escape_string($value);
+ // set_pref escapes input, so no need to double escape it here
- set_pref($this->link, $key, $value);
+ set_pref($this->link, $key, $value, $_SESSION['uid'], false);
print json_encode(array("param" =>$key, "value" => $value));
}
}
}
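Review bot: On the new side of this hunk `$key` is never assigned inside `setpref()`: the line `$key = db_escape_string($_REQUEST["key"]);` is removed, but the `set_pref(...)` call and the `json_encode` line still read it, so the preference name would be null and PHP would report an undefined variable. Since the added comment says set_pref escapes its input, restoring a plain `$key = $_REQUEST["key"];` before the call should be enough. Separately, the literal `false` turns off tag stripping for every preference written through this handler, and the unstripped `$value` is echoed back in the JSON response. Consider passing `false` only for the keys that must hold markup, and confirm that every place that later renders these values HTML-encodes them on output.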
- function set_pref($link, $pref_name, $value, $user_id = false) {
+ function set_pref($link, $pref_name, $value, $user_id = false, $strip_tags = true) {
$pref_name = db_escape_string($pref_name);
- $value = db_escape_string($value);
+ $value = db_escape_string($value, $strip_tags);
if (!$user_id) {
$user_id = $_SESSION["uid"];
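Review bot: The new `$strip_tags` parameter on `set_pref` is an opt-out from input sanitising but carries no documentation. A docblock line such as `@param bool $strip_tags strip HTML tags from $value before storing; pass false only when the stored value is encoded wherever it is rendered` would make the contract explicit for future callers. The call `db_escape_string($value, $strip_tags)` also depends on that function accepting a second argument, and its definition is not visible here. PHP silently ignores surplus arguments to user-defined functions, so it is worth confirming the helper was updated in the same change. set_pref's body continues past the end of this hunk.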