Merge pull request #1547 from GPCsolutions/jsinjection

Qual: Prevent potential JS injection

htdocs/core/js/lib_head.js

@@ -554,7 +554,9 @@ function newpopup(url,title) {
 	tmp=url;
 	var l = (argc > 2) ? argv[2] : 600;
 	var h = (argc > 3) ? argv[3] : 400;
-	var wfeatures="directories=0,menubar=0,status=0,resizable=0,scrollbars=1,toolbar=0,width="+l+",height="+h+",left=" + eval("(screen.width - l)/2") + ",top=" + eval("(screen.height - h)/2");
+	var left = (screen.width - l)/2;
+	var top = (screen.height - h)/2;
+	var wfeatures = "directories=0,menubar=0,status=0,resizable=0,scrollbars=1,toolbar=0,width=" + l +",height=" + h + ",left=" + left + ",top=" + top;
 	fen=window.open(tmp,title,wfeatures);
 	return false;
 }