From 795406fb7e571c58461d3aa9b550b30091468172 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Mon, 28 May 2012 14:41:48 +0200
Subject: [PATCH] Contacts: Fix XSS.

---
 js/contacts.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/js/contacts.js b/js/contacts.js
index 256b5ad6..34afdcc4 100644
--- a/js/contacts.js
+++ b/js/contacts.js
@@ -6,7 +6,7 @@ function ucwords (str) {
 String.prototype.strip_tags = function(){
 tags = this;
-stripped = tags.replace(/[\<\>]/gi, "");
+stripped = tags.replace(/<(.|\n)*?>/g, '');
 return stripped;
 };
@@ -159,7 +159,7 @@ Contacts={
 // Name has changed. Update it and reorder.
 $('#fn').change(function(){
-var name = $('#fn').val();
+var name = $('#fn').val().strip_tags();
 var item = $('#contacts [data-id="'+Contacts.UI.Card.id+'"]');
 $(item).find('a').html(name);
 var added = false;
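Review bot: The new pattern on the `+` line only matches a tag whose interior consists of `.` or `\n`, so a tag containing a carriage return or a U+2028/U+2029 line terminator — characters `.` never matches in JavaScript — is left untouched and still reaches the HTML sink that calls this helper; `stripped = tags.replace(/<[\s\S]*?>/g, '');` covers every character, including line terminators. The same line also assigns the undeclared `stripped` (and the context line above it `tags`), which creates implicit globals on `window`; `var tags = this;` and `var stripped = tags.replace(...)` keep them local to the function. A tag-stripping denylist is in any case only a partial defence for a value that is later inserted as HTML; treating the value as text at the call site is the more robust fix.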
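Review bot: `$(item).find('a').html(name)` on the context line after the change still interprets the user-supplied name as HTML, so the fix rests entirely on `strip_tags` being complete; since the name is only displayed here, `$(item).find('a').text(name);` renders it literally, makes the `.strip_tags()` call on the `+` line unnecessary, and no longer alters a name that legitimately contains `<`. If `name` is reused afterwards (sent to the server or stored), note that the stripped value is what propagates — presumably intended, but worth a one-line comment. The `change` handler continues outside the hunk.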