From 1eac9260c8313f0cfc77837ec676f4e6d68bd833 Mon Sep 17 00:00:00 2001
From: Michael Larabel
Date: Sat, 12 Feb 2022 04:20:40 -0600
Subject: [PATCH] phoromatic: Reject HTML encoded character input and other strings that likely have no use within the context of Phoromatic inputs
---
 pts-core/phoromatic/phoromatic_functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php
index ffbef1c5ed..b7966d86a0 100644
--- a/pts-core/phoromatic/phoromatic_functions.php
+++ b/pts-core/phoromatic/phoromatic_functions.php
@@ -33,7 +33,7 @@ function phoromatic_quit_if_invalid_input_found($input_keys = null)
 // backup as to sanitization and stripping elsewhere, safeguard namely check for things like < for fields that shouldn't have it
 // plus a few simple backups as safeguards for words that really have no legit relevance within Phoromatic...
- foreach(array('<', 'document.write', '../', 'onerror', 'onload', 'alert(') as $invalid_string)
+ foreach(array('<', '>', 'document.write', '../', 'onerror', 'onload', 'alert(', 'String.', 'confirm(', 'focus=', '<', '>', '&#') as $invalid_string)
 {
 foreach($input_keys as $key)
 {
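Review bot: The new array lists '<' and '>' twice, so the trailing `'<', '>'` entries are dead and the added line should read `foreach(array('<', '>', 'document.write', '../', 'onerror', 'onload', 'alert(', 'String.', 'confirm(', 'focus=', '&#') as $invalid_string)`. Because this is a plain substring denylist, `'&#'` only covers numeric character references, and named entities such as `&lt;` or differently-cased spellings of the listed words are not caught unless the comparison further down is case-insensitive, which cannot be confirmed here since the inner loop body continues outside the hunk. The comment above already frames this check as a backup to the sanitization done elsewhere, so it would help to make that limit explicit next to the new list, e.g. `// substring denylist only; not a substitute for the escaping/sanitization performed elsewhere`. The enclosing function phoromatic_quit_if_invalid_input_found starts before the hunk and ends after it.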