authorroundcube <roundcube@208e9e7b-5314-0410-a742-e7e81cd9613c>2005-11-01 00:01:40 +0000
committerroundcube <roundcube@208e9e7b-5314-0410-a742-e7e81cd9613c>2005-11-01 00:01:40 +0000
commit9568dc736aaa758504ab8ae2a2e9e8803b4cc30a (patch)
tree35aeb8c48baded26518d846570041d12fea0ec8e /roundcubemail
parentcea67b32a9f32642d4bc85221bd2eb94eb57740f (diff)
Prevent from identities XSS
git-svn-id: https://svn.roundcube.net/trunk@69 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail')
-rw-r--r--roundcubemail/CHANGELOG2
-rw-r--r--roundcubemail/program/steps/settings/save_identity.inc4
2 files changed, 4 insertions, 2 deletions
diff --git a/roundcubemail/CHANGELOG b/roundcubemail/CHANGELOG
index 7430c45ce..ebb9d8347 100644
--- a/roundcubemail/CHANGELOG
+++ b/roundcubemail/CHANGELOG
@@ -68,3 +68,5 @@ CHANGELOG RoundCube Webmail
- Set default user language from config 'locale_string'
- Added sorting patch for message list
- Make default sort col/order configurable
+- Fixed XSS in address book and identities
+
diff --git a/roundcubemail/program/steps/settings/save_identity.inc b/roundcubemail/program/steps/settings/save_identity.inc
index 680833d7c..ea186ec12 100644
--- a/roundcubemail/program/steps/settings/save_identity.inc
+++ b/roundcubemail/program/steps/settings/save_identity.inc
@@ -33,7 +33,7 @@ if ($_POST['_iid'])
if (!isset($_POST[$fname]))
continue;
- $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes($_POST[$fname]));
+ $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_write_sql))
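Review bot: Wrapping the value in `strip_tags()` on the new line `$a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));` is input hygiene, not output encoding: it removes HTML elements from the stored identity but does not make the value safe for every rendering context, so the identity fields still need `htmlspecialchars($value, ENT_QUOTES)` (or the project's HTML-escaping helper) wherever they are printed into a page. The same applies to the second hunk at `$a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));`. Escaping for SQL with `addslashes()` is also charset-dependent; since the insert path already uses `$DB->quoteIdentifier($col)`, the value-quoting counterpart in that DB layer, if it exists, would be the safer choice for both hunks. I would add `// strip_tags() is input hygiene only; HTML-escape this value at output time` above the new line. The enclosing `foreach` begins before this hunk, so the full loop is not visible here.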
@@ -87,7 +87,7 @@ else
continue;
$a_insert_cols[] = $DB->quoteIdentifier($col);
- $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+ $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_insert_cols))