diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2012-05-21 21:47:15 +0200 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2012-05-21 21:47:15 +0200 |
| commit | a896da0d91844ed1332fae4d476582308af7c537 (patch) | |
| tree | 955df2ef79bae9386e9d51632a9de72076ec92a5 /apps | |
| parent | ede89ee405c88af2eea3306d226cc8a349eb8a51 (diff) | |
| download | nextcloud-server-a896da0d91844ed1332fae4d476582308af7c537.tar.gz nextcloud-server-a896da0d91844ed1332fae4d476582308af7c537.zip | |
Contacts: XSS fix. Still some more to check.
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/contacts/lib/vcard.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php index 91ae3a7514d..2414efe6764 100644 --- a/apps/contacts/lib/vcard.php +++ b/apps/contacts/lib/vcard.php @@ -188,6 +188,9 @@ class OC_Contacts_VCard{ if($upgrade && in_array($property->name, $stringprops)) { self::decodeProperty($property); } + if(in_array($property->name, $stringprops)) { + $property->value = strip_tags($property->value); + } // Fix format of type parameters. if($upgrade && in_array($property->name, $typeprops)) { OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG); |