From 393578a609eda46f3b15a80795219717a4a03158 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Mon, 21 May 2012 21:49:35 +0200
Subject: [PATCH] Contacts: Backport XSS fix.
---
 lib/vcard.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/vcard.php b/lib/vcard.php
index 91ae3a75..2414efe6 100644
--- a/lib/vcard.php
+++ b/lib/vcard.php
@@ -188,6 +188,9 @@ class OC_Contacts_VCard{
 if($upgrade && in_array($property->name, $stringprops)) {
 self::decodeProperty($property);
 }
+ if(in_array($property->name, $stringprops)) {
+ $property->value = strip_tags($property->value);
+ }
 // Fix format of type parameters.
 if($upgrade && in_array($property->name, $typeprops)) {
 OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG);
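Review bot: The added `strip_tags($property->value)` call sanitises on input rather than encoding on output, so it is not a complete XSS fix on its own: it leaves quotes and `&` untouched, which still matters if a value is ever placed in an HTML attribute, and it silently alters legitimate contact data that contains a `<`. The rendering code is not visible in this hunk, so it should be confirmed that the templates escape these values, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`, with this line kept only as defence in depth. Only names in `$stringprops` are covered; properties outside that list and property parameters pass through unchanged, which is worth checking against what the UI displays. I would add a comment above the new block such as `// Defence in depth: output must still be escaped; strip_tags() does not make the value attribute-safe.` The enclosing method starts and ends outside the hunk.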