diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2012-05-28 14:38:31 +0200 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2012-05-28 14:42:57 +0200 |
| commit | 817f9ff57d127e4f3b4402c05a8628ff8ab6f513 (patch) | |
| tree | bd52e7cfd5b47d1bef19ae23db3cac1d57555b28 /apps/contacts/js | |
| parent | 1eebbaebdb8d36564c07e616d74dd7fac0929c46 (diff) | |
| download | nextcloud-server-817f9ff57d127e4f3b4402c05a8628ff8ab6f513.tar.gz nextcloud-server-817f9ff57d127e4f3b4402c05a8628ff8ab6f513.zip | |
Contacts: Fix XSS.
Diffstat (limited to 'apps/contacts/js')
| -rw-r--r-- | apps/contacts/js/contacts.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 256b5ad6d0a..34afdcc4e41 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js @@ -6,7 +6,7 @@ function ucwords (str) { String.prototype.strip_tags = function(){ tags = this; - stripped = tags.replace(/[\<\>]/gi, ""); + stripped = tags.replace(/<(.|\n)*?>/g, ''); return stripped; }; @@ -159,7 +159,7 @@ Contacts={ // Name has changed. Update it and reorder. $('#fn').change(function(){ - var name = $('#fn').val(); + var name = $('#fn').val().strip_tags(); var item = $('#contacts [data-id="'+Contacts.UI.Card.id+'"]'); $(item).find('a').html(name); var added = false; |