More in-/output sanitation,
authorThomas Tanghus <thomas@tanghus.net>
Thu, 2 Feb 2012 16:53:46 +0000 (17:53 +0100)
committerThomas Tanghus <thomas@tanghus.net>
Thu, 2 Feb 2012 16:54:30 +0000 (17:54 +0100)
apps/contacts/ajax/createaddressbook.php
apps/contacts/templates/part.chooseaddressbook.rowfields.php
apps/contacts/templates/part.editaddressbook.php

index edcf794f497b22b727f84d7f80537dc77a49cbc6..3d766b6a60ae56bf705ef2be2df0bb6149261792 100644 (file)
@@ -15,7 +15,7 @@ OC_JSON::checkLoggedIn();
 OC_JSON::checkAppEnabled('contacts');
 
 $userid = OC_User::getUser();
-$bookid = OC_Contacts_Addressbook::add($userid, $_POST['name'], null);
+$bookid = OC_Contacts_Addressbook::add($userid, strip_tags($_POST['name']), null);
 if(!$bookid) {
        OC_JSON::error(array('data' => array('message' => $l->t('Error adding addressbook.'))));
        OC_Log::write('contacts','ajax/createaddressbook.php: Error adding addressbook: '.$_POST['name'], OC_Log::ERROR);
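Review bot: The strip_tags() added on L17 alters the stored name rather than validating it — a name such as `Friends <work>` is silently saved as `Friends ` — and it is not what protects the HTML output, which the template changes in this same commit already handle with htmlspecialchars(). The parameter is also read without an isset() check, so a request lacking `name` raises a notice and hands an empty string to add(). I would validate instead of stripping: `$name = isset($_POST['name']) ? trim($_POST['name']) : '';` followed by an `if($name === '')` branch that responds with OC_JSON::error() and exits before the add() call, then pass `$name` to add(). Whether add() itself rejects an empty name is not visible here. The log line on L20 concatenates the raw request value as well; if that line stays, log the validated `$name` instead.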
index 0cbfe2bf803c606b3e0b0337d8c3c41ef8989267..95a4b2362aa7e36eed4f19dd72560015d37911c5 100644 (file)
@@ -1,5 +1,5 @@
 <?php
        // FIXME: Make this readable.
        echo "<td width=\"20px\"><input id=\"active_" . $_['addressbook']["id"] . "\" type=\"checkbox\" onClick=\"Contacts.UI.Addressbooks.activation(this, " . $_['addressbook']["id"] . ")\"" . (OC_Contacts_Addressbook::isActive($_['addressbook']["id"]) ? ' checked="checked"' : '') . "></td>";
-       echo "<td><label for=\"active_" . $_['addressbook']["id"] . "\">" . $_['addressbook']["displayname"] . "</label></td>";
+       echo "<td><label for=\"active_" . $_['addressbook']["id"] . "\">" . htmlspecialchars($_['addressbook']["displayname"]) . "</label></td>";
        echo "<td width=\"20px\"><a href=\"#\" onclick=\"Contacts.UI.showCardDAVUrl('" . OC_User::getUser() . "', '" . $_['addressbook']["uri"] . "');\" title=\"" . $l->t("CardDav Link") . "\" class=\"action\"><img  class=\"svg action\" src=\"../../core/img/actions/public.svg\"></a></td><td width=\"20px\"><a href=\"export.php?bookid=" . $_['addressbook']["id"] . "\" title=\"" . $l->t("Download") . "\" class=\"action\"><img  class=\"svg action\" src=\"../../core/img/actions/download.svg\"></a></td><td width=\"20px\"><a  href=\"#\" title=\"" . $l->t("Edit") . "\" class=\"action\" onclick=\"Contacts.UI.Addressbooks.editAddressbook(this, " . $_['addressbook']["id"] . ");\"><img class=\"svg action\" src=\"../../core/img/actions/rename.svg\"></a></td><td width=\"20px\"><a href=\"#\" onclick=\"Contacts.UI.Addressbooks.deleteAddressbook('" . $_['addressbook']["id"] . "');\" title=\"" . $l->t("Delete") . "\" class=\"action\"><img  class=\"svg action\" src=\"../../core/img/actions/delete.svg\"></a></td>";
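Review bot: The escape added on L27 covers only the label text; on L28 `$_['addressbook']["uri"]` and `OC_User::getUser()` are still emitted unescaped inside a single-quoted JavaScript string within the double-quoted `onclick` attribute, where a `'` or `"` in either value ends the string or the attribute early. Whether the uri can carry such characters depends on how address books are created, which this page does not show, so escaping at the output is the safe default either way. htmlspecialchars() alone is not sufficient for that context, because the HTML parser decodes the entities before the script runs; encode the values as JavaScript literals first and escape the result for the attribute, e.g. `"Contacts.UI.showCardDAVUrl(" . htmlspecialchars(json_encode(OC_User::getUser()) . ', ' . json_encode($_['addressbook']["uri"]), ENT_QUOTES, 'UTF-8') . ");"`, dropping the hand-written single quotes. The new htmlspecialchars() call on L27, and the one this commit adds in part.editaddressbook.php, both rely on the default flags and charset; passing `ENT_QUOTES, 'UTF-8'` explicitly keeps single quotes escaped and avoids depending on the PHP version's default charset.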
index 48fe5c3b378fbd63425420064b7af7bd2d57fc3e..c1c585687c46b2645f6275e2c5ee76671508c26e 100644 (file)
@@ -11,7 +11,7 @@
 <tr>
        <th><?php echo $l->t('Displayname') ?></th>
        <td>
-               <input id="displayname_<?php echo $_['addressbook']['id'] ?>" type="text" value="<?php echo $_['addressbook']['displayname'] ?>">
+               <input id="displayname_<?php echo $_['addressbook']['id'] ?>" type="text" value="<?php echo htmlspecialchars($_['addressbook']['displayname']) ?>">
        </td>
 </tr>
 <?php if (!$_['new']): ?>