From: Michael Gapczynski
Date: Wed, 11 Jul 2012 19:26:22 +0000 (-0400)
Subject: Sanitize toaddress for emailing private links
X-Git-Tag: v4.0.5~15
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ebcf5bce3c04870730d215f3ffde12cdcf1cc428;p=nextcloud-server.git

Sanitize toaddress for emailing private links

Conflicts: apps/files_sharing/ajax/email.php
---
diff --git a/apps/files_sharing/ajax/email.php b/apps/files_sharing/ajax/email.php
index bdfa369418d..ba74f646e83 100644
--- a/apps/files_sharing/ajax/email.php
+++ b/apps/files_sharing/ajax/email.php
@@ -3,11 +3,10 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('files_sharing');
 $user = OCP\USER::getUser();
 // TODO translations
+$toaddress = OCP\Util::sanitizeHtml($_POST['toaddress']);
 $type = (strpos($_POST['file'], '.') === false) ? 'folder' : 'file';
 $subject = $user.' shared a '.$type.' with you';
 $link = $_POST['link'];
 $text = $user.' shared the '.$type.' '.$_POST['file'].' with you. It is available for download here: '.$link;
 $fromaddress = OCP\Config::getUserValue($user, 'settings', 'email', 'sharing-noreply@'.OCP\Util::getServerHost());
-OCP\Util::sendMail($_POST['toaddress'], $_POST['toaddress'], $subject, $text, $fromaddress, $user);
-
-?>
+OCP\Util::sendMail($toaddress, $toaddress, $subject, $text, $fromaddress, $user);
\ No newline at end of file
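Review bot: `OCP\Util::sanitizeHtml()` is, by its name, an HTML output encoder rather than an address validator, so the new `$toaddress` line does not establish that the value is one well-formed recipient. Whether line breaks or extra recipients are rejected then depends on `sendMail`, which is outside this diff. Validate the input and refuse the request on failure instead, e.g. `$toaddress = filter_var($_POST['toaddress'], FILTER_VALIDATE_EMAIL);` followed by an early error response when the result is `false`; this also avoids entity-encoding characters that are legal in an address. Separately, `$link` and `$_POST['file']` are still taken from the client and concatenated into `$text` unchanged, so the message body and URL are whatever the logged-in caller supplies; deriving the link server-side from the share record would close that gap.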