use strip_tags for calendar names

2 files changed, 2 insertions, 2 deletions

diff --git a/apps/calendar/ajax/createcalendar.php b/apps/calendar/ajax/createcalendar.php
index 08bf7b4ee49..8d7b12f9b89 100644
--- a/apps/calendar/ajax/createcalendar.php
+++ b/apps/calendar/ajax/createcalendar.php
@@ -25,7 +25,7 @@ foreach($calendars as $cal){
 }
 
 $userid = OC_User::getUser();
-$calendarid = OC_Calendar_Calendar::addCalendar($userid, htmlspecialchars($_POST['name']), 'VEVENT,VTODO,VJOURNAL', null, 0, $_POST['color']);
+$calendarid = OC_Calendar_Calendar::addCalendar($userid, strip_tags($_POST['name']), 'VEVENT,VTODO,VJOURNAL', null, 0, $_POST['color']);
 OC_Calendar_Calendar::setCalendarActive($calendarid, 1);
 
 $calendar = OC_Calendar_Calendar::find($calendarid);
diff --git a/apps/calendar/ajax/updatecalendar.php b/apps/calendar/ajax/updatecalendar.php
index 90dafd35b68..5add6d92bfa 100644
--- a/apps/calendar/ajax/updatecalendar.php
+++ b/apps/calendar/ajax/updatecalendar.php
@@ -26,7 +26,7 @@ foreach($calendars as $cal){
 
 $calendarid = $_POST['id'];
 $calendar = OC_Calendar_App::getCalendar($calendarid);//access check
-OC_Calendar_Calendar::editCalendar($calendarid, htmlspecialchars($_POST['name']), null, null, null, $_POST['color']);
+OC_Calendar_Calendar::editCalendar($calendarid, strip_tags($_POST['name']), null, null, null, $_POST['color']);
 OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
 
 $calendar = OC_Calendar_App::getCalendar($calendarid);