Sanitize toaddress for emailing private links
authorMichael Gapczynski <mtgap@owncloud.com>
Wed, 11 Jul 2012 19:26:22 +0000 (15:26 -0400)
committerMichael Gapczynski <mtgap@owncloud.com>
Wed, 11 Jul 2012 19:26:22 +0000 (15:26 -0400)
apps/files_sharing/ajax/email.php

index ca63f540f9304e35f8098da5c93a340486b2ac8b..0765bdd9885b2f1748d40acd0be66acdf79da97e 100644 (file)
@@ -5,9 +5,10 @@ OCP\JSON::callCheck();
 
 $user = OCP\USER::getUser();
 // TODO translations
+$toaddress = OCP\Util::sanitizeHtml($_POST['toaddress']);
 $type = (strpos($_POST['file'], '.') === false) ? 'folder' : 'file';
 $subject = $user.' shared a '.$type.' with you';
 $link = $_POST['link'];
 $text = $user.' shared the '.$type.' '.$_POST['file'].' with you. It is available for download here: '.$link;
 $fromaddress = OCP\Config::getUserValue($user, 'settings', 'email', 'sharing-noreply@'.OCP\Util::getServerHost());
-OC_Mail::send($_POST['toaddress'], $_POST['toaddress'], $subject, $text, $fromaddress, $user);
+OCP\Util::sendMail($toaddress, $toaddress, $subject, $text, $fromaddress, $user);
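Review bot: The added `$toaddress = OCP\Util::sanitizeHtml($_POST['toaddress']);` line escapes for an HTML context (going by the helper's name), but the value is used as a mail recipient, so it is never checked to be a single well-formed address. Unless `OCP\Util::sendMail()` validates internally, which is not visible in this hunk, values containing line breaks or several addresses are still passed through. I would validate instead with `$toaddress = filter_var($_POST['toaddress'], FILTER_VALIDATE_EMAIL);` and return an error response when `$toaddress === false`. Separately, `$_POST['link']` and `$_POST['file']` still go into `$text` exactly as received, so the link should be derived from or checked against a share the user actually owns rather than trusted from the request. The script starts above this hunk, so earlier checks beyond `OCP\JSON::callCheck()` are not visible here.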