From 88946d331aad96ecbdf9d570853121e5a7eb07ab Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 20 Jan 2017 13:13:31 -0500
Subject: Replace all setTimeout strings with functions

This fixes a cross-site scripting vulnerability.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 js/prefs.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'js/prefs.js')

diff --git a/js/prefs.js b/js/prefs.js
index 69e779d45..23d43f366 100755
--- a/js/prefs.js
+++ b/js/prefs.js
@@ -901,10 +901,10 @@ function init_second_stage() {
 		if (method == 'editFeed') {
 			var param = getURLParam('methodparam');
 
-			window.setTimeout('editFeed(' + param + ')', 100);
+			window.setTimeout(function() { editFeed(param) }, 100);
 		}
 
-		setTimeout("hotkey_prefix_timeout()", 5*1000);
+		setTimeout(hotkey_prefix_timeout, 5*1000);
 
 	} catch (e) {
 		exception_error("init_second_stage", e);
-- 
cgit v1.2.3