From a896da0d91844ed1332fae4d476582308af7c537 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Mon, 21 May 2012 21:47:15 +0200
Subject: [PATCH] Contacts: XSS fix. Still some more to check.

---
 apps/contacts/lib/vcard.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php
index 91ae3a7514..2414efe676 100644
--- a/apps/contacts/lib/vcard.php
+++ b/apps/contacts/lib/vcard.php
@@ -188,6 +188,9 @@ class OC_Contacts_VCard{
 			if($upgrade && in_array($property->name, $stringprops)) {
 				self::decodeProperty($property);
 			}
+			if(in_array($property->name, $stringprops)) { $property->value = strip_tags($property->value);
+			}
 			// Fix format of type parameters.
 			if($upgrade && in_array($property->name, $typeprops)) {
 				OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG);
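Review bot: `strip_tags()` on the added lines sanitizes at the storage layer instead of escaping at output, which is both lossy and incomplete as an XSS defence: it destroys legitimate contact data containing `<` or `>` (a note such as `a < b` silently loses text), and it does not protect a value that is later rendered inside an HTML attribute or a JavaScript context. The durable fix is to leave `$property->value` intact here and escape it where it is rendered, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` or the template layer's escaping; if a stored-data filter is kept anyway, mark it as such with `// Defence in depth only: values must still be HTML-escaped at output.` Unlike the decode branch just above, this block runs on every call regardless of `$upgrade`, so it rewrites existing data on each update; if that is intended, say so in a comment, otherwise gate it the same way. The enclosing method (updateValuesFromAdd, per the log message) starts and ends outside the hunk.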