Contacts: XSS fix. Still some more to check.

diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php
index 91ae3a7514d73a4cf40fde758f795a466a84d246..2414efe6764c75a2f961a6a2bc5358535c07a112 100644 (file)
--- a/apps/contacts/lib/vcard.php
+++ b/apps/contacts/lib/vcard.php
@@ -188,6 +188,9 @@ class OC_Contacts_VCard{
                        if($upgrade && in_array($property->name, $stringprops)) {
                                self::decodeProperty($property);
                        }
+                       if(in_array($property->name, $stringprops)) {
+                               $property->value = strip_tags($property->value);
+                       }
                        // Fix format of type parameters.
                        if($upgrade && in_array($property->name, $typeprops)) {
                                OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG);