From 88946d331aad96ecbdf9d570853121e5a7eb07ab Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Fri, 20 Jan 2017 13:13:31 -0500
Subject: Replace all setTimeout strings with functions

This fixes a cross-site scripting vulnerability.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 js/functions.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'js/functions.js')

diff --git a/js/functions.js b/js/functions.js
index 384382554..63ff4121b 100755
--- a/js/functions.js
+++ b/js/functions.js
@@ -668,7 +668,7 @@ function hotkey_prefix_timeout() {
 			Element.hide('cmdline');
 		}
 
-		setTimeout("hotkey_prefix_timeout()", 1000);
+		setTimeout(hotkey_prefix_timeout, 1000);
 
 	} catch  (e) {
 		exception_error("hotkey_prefix_timeout", e);
@@ -1325,7 +1325,7 @@ function unsubscribeFeed(feed_id, title) {
 						updateFeedList();
 					} else {
 						if (feed_id == getActiveFeedId())
-							setTimeout("viewfeed({feed:-5})", 100);
+							setTimeout(function() { viewfeed({feed:-5}) }, 100);
 
 						if (feed_id < 0) updateFeedList();
 					}
-- 
cgit v1.2.3-54-g00ecf