Contacts: Fix XSS.
authorThomas Tanghus <thomas@tanghus.net>
Mon, 28 May 2012 12:38:31 +0000 (14:38 +0200)
committerThomas Tanghus <thomas@tanghus.net>
Mon, 28 May 2012 12:42:57 +0000 (14:42 +0200)
apps/contacts/js/contacts.js

index 256b5ad6d0a670aad01579cafc1530c62042d574..34afdcc4e41fbf80b2b2482a322a2d797b65de62 100644 (file)
@@ -6,7 +6,7 @@ function ucwords (str) {
 
 String.prototype.strip_tags = function(){
        tags = this;
-       stripped = tags.replace(/[\<\>]/gi, "");
+       stripped = tags.replace(/<(.|\n)*?>/g, '');
        return stripped;
 };
 
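Review bot: `tags` and `stripped` on the two lines above the changed regex are assigned without `var`, so every call to `strip_tags` writes two implicit globals; declare them locally, `var tags = this;` and `var stripped = tags.replace(/<(.|\n)*?>/g, '');`. The new pattern `/<(.|\n)*?>/g` pairs a lazy quantifier with a per-character alternation, which backtracks heavily on input holding many `<` with no closing `>`; `/<[^>]*>/g` matches the same tag spans (newlines included) without that cost. Stripping tags is a blacklist filter, not an encoder: whatever survives is still parsed as markup at the `.html()` sink this method feeds in the second hunk, so it should be treated as defense in depth rather than as the fix for the reported XSS.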
@@ -159,7 +159,7 @@ Contacts={
                        
                        // Name has changed. Update it and reorder.
                        $('#fn').change(function(){
-                               var name = $('#fn').val();
+                               var name = $('#fn').val().strip_tags();
                                var item = $('#contacts [data-id="'+Contacts.UI.Card.id+'"]');
                                $(item).find('a').html(name);
                                var added = false;
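Review bot: The sink two lines below the change, `$(item).find('a').html(name)`, still interprets `name` as HTML, so the fix rests entirely on `strip_tags` catching every dangerous construct; encoding at the output is the robust control: `$(item).find('a').text(name);`. With `.text()` the `.strip_tags()` call added here becomes unnecessary, and contact names that legitimately contain `<` or `>` are displayed intact instead of being mangled. The change handler continues past the hunk, so any further use of `name` in its body should be checked for the same pattern.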