diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2012-05-21 21:49:35 +0200 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2012-05-21 21:49:35 +0200 |
| commit | 54a371700554ed21a5cb7db03126b6c95ae4cbd3 (patch) | |
| tree | ec93199ca242270b9cfa619d6a3414a6dfaf5d0b | |
| parent | 3775c0d8b222d1f53ec7759d32fc63f20e99d1e1 (diff) | |
| download | nextcloud-server-54a371700554ed21a5cb7db03126b6c95ae4cbd3.tar.gz nextcloud-server-54a371700554ed21a5cb7db03126b6c95ae4cbd3.zip | |
Contacts: Backport XSS fix.
| -rw-r--r-- | apps/contacts/lib/vcard.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php index 91ae3a7514d..2414efe6764 100644 --- a/apps/contacts/lib/vcard.php +++ b/apps/contacts/lib/vcard.php @@ -188,6 +188,9 @@ class OC_Contacts_VCard{ if($upgrade && in_array($property->name, $stringprops)) { self::decodeProperty($property); } + if(in_array($property->name, $stringprops)) { + $property->value = strip_tags($property->value); + } // Fix format of type parameters. if($upgrade && in_array($property->name, $typeprops)) { OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG); |