
Contacts: Backport XSS fix.

1 parent 3775c0d commit 54a371700554ed21a5cb7db03126b6c95ae4cbd3 @tanghus tanghus committed May 21, 2012
Showing with 3 additions and 0 deletions.
  1. +3 −0 apps/contacts/lib/vcard.php
@@ -188,6 +188,9 @@ protected static function updateValuesFromAdd($aid, &$vcard) { // any suggestion
if($upgrade && in_array($property->name, $stringprops)) {
self::decodeProperty($property);
}
+ if(in_array($property->name, $stringprops)) {
+ $property->value = strip_tags($property->value);
+ }
// Fix format of type parameters.
if($upgrade && in_array($property->name, $typeprops)) {
OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG);
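Review bot: The added `strip_tags($property->value)` sanitises the stored value instead of encoding it where it is rendered, so it only covers the HTML element context; a value with quotes but no tags passes through unchanged and stays unsafe if a template prints it inside an attribute. The check also applies only to names in `$stringprops`, and whether other property values or parameters reach HTML unescaped cannot be told from this hunk. `strip_tags()` additionally alters legitimate contact data that happens to contain `<`, silently and on every call, since the new block is not guarded by `$upgrade`. I would keep it as defence in depth, mark it with a comment such as `// Defence in depth only; output must still be escaped with htmlspecialchars($v, ENT_QUOTES, 'UTF-8').`, and confirm that the rendering side escapes per context. The body of `updateValuesFromAdd` starts and ends outside the hunk, so the surrounding loop and the definition of `$stringprops` are not visible here.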
