diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2012-05-28 14:41:48 +0200 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2012-05-28 14:41:48 +0200 |
| commit | cf113409adf82d0834181dbdf4586fd2ad262898 (patch) | |
| tree | 1f88434cba84f877c7665d0bc2a6b22b73214ce1 /apps | |
| parent | 53da328aa18038d24738adb28d88ff0e63f2bc20 (diff) | |
| download | nextcloud-server-cf113409adf82d0834181dbdf4586fd2ad262898.tar.gz nextcloud-server-cf113409adf82d0834181dbdf4586fd2ad262898.zip | |
Contacts: Fix XSS.
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/contacts/js/contacts.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 256b5ad6d0a..34afdcc4e41 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js @@ -6,7 +6,7 @@ function ucwords (str) { String.prototype.strip_tags = function(){ tags = this; - stripped = tags.replace(/[\<\>]/gi, ""); + stripped = tags.replace(/<(.|\n)*?>/g, ''); return stripped; }; @@ -159,7 +159,7 @@ Contacts={ // Name has changed. Update it and reorder. $('#fn').change(function(){ - var name = $('#fn').val(); + var name = $('#fn').val().strip_tags(); var item = $('#contacts [data-id="'+Contacts.UI.Card.id+'"]'); $(item).find('a').html(name); var added = false; |