diff --git a/pts-core/objects/pts_result_viewer_embed.php b/pts-core/objects/pts_result_viewer_embed.php
index 8e697a5001..62d6d8dd9a 100644
--- a/pts-core/objects/pts_result_viewer_embed.php
+++ b/pts-core/objects/pts_result_viewer_embed.php
@@ -860,6 +860,8 @@ public static function get_html_options_markup(&$result_file, &$request, $public
$si = $sys->get_identifier();
$ppdx = rtrim(base64_encode($si), '=');
$ppd = self::check_request_for_var($request, 'ppd_' . $ppdx);
+ $ppd = is_numeric($ppd) && $ppd > 0 ? $ppd : 0;
+
$t .= '
';
if($system_count > 1)
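Review bot: The new guard on the `$ppd` line keeps the raw request string whenever `is_numeric` accepts it, so forms such as `"1e3"`, `"1.5"` or `" 7"` (leading whitespace passes `is_numeric`) survive unchanged into whatever `$ppd` is later interpolated into. If an integer is what the markup expects, normalise on the same line: `$ppd = is_numeric($ppd) && $ppd > 0 ? (int) $ppd : 0;`. get_html_options_markup starts and ends outside this hunk, so where `$ppd` is consumed is not visible here; the cast is cheap either way.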
@@ -1225,6 +1227,15 @@ public static function check_request_for_var(&$request, $check)
$ret = str_replace('_DD_', '.', $ret);
}
+ foreach(pts_strings::safety_strings_to_reject() as $invalid_string)
+ {
+ if(stripos($ret, $invalid_string) !== false)
+ {
+ echo 'Exited due to invalid input ( ' . $invalid_string . ') attempted: ' . htmlspecialchars($ret);
+ exit;
+ }
+ }
+
return $ret;
}
public static function process_request_to_attributes(&$request, &$result_file, &$extra_attributes)
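Review bot: The added denylist loop turns `check_request_for_var` from a value accessor into a routine that writes to the response body and terminates the script, and it does so with a default 200 status and a plain-text fragment emitted at whatever point in page rendering the call happens. A substring `stripos` match against a fixed list is a coarse filter and does not replace per-context escaping of `$ret` wherever it is written into markup, so that escaping must stay in place regardless of this check. If aborting is the intended behaviour, at least signal it properly and avoid a half-rendered page: add `http_response_code(400);` before the `echo`, and prefer returning an empty value or throwing over `exit` so callers and tests can handle the rejection. `$invalid_string` is printed unescaped while `$ret` goes through `htmlspecialchars`; it comes from `pts_strings::safety_strings_to_reject()`, which is not visible here, so confirm those entries are safe to echo or wrap them the same way. `check_request_for_var` starts outside this hunk.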
@@ -1531,7 +1542,7 @@ public static function process_request_to_attributes(&$request, &$result_file, &
}
public static function html_input_field($name, $id, $on_change = null)
{
- return '';
+ return '';
}
public static function html_select_menu($name, $id, $on_change, $elements, $use_index = true, $other_attributes = array(), $selected = false)
{