Prevent from address book XSS

git-svn-id: https://svn.roundcube.net/trunk@68 208e9e7b-5314-0410-a742-e7e81cd9613c
author: roundcube <roundcube@208e9e7b-5314-0410-a742-e7e81cd9613c> 2005-10-31 23:47:03 +0000
committer: roundcube <roundcube@208e9e7b-5314-0410-a742-e7e81cd9613c> 2005-10-31 23:47:03 +0000
commit: cea67b32a9f32642d4bc85221bd2eb94eb57740f (patch)
tree: ec8f613f19dfa9a4379505e5c193f2f7cd4bd8f9 /roundcubemail
parent: 4c39bff72f5e5e63a5e3157f6fdd3ce332c40eca (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/roundcubemail/program/steps/addressbook/save.inc b/roundcubemail/program/steps/addressbook/save.inc
index 814f50a34..3e2cfae8f 100644
--- a/roundcubemail/program/steps/addressbook/save.inc
+++ b/roundcubemail/program/steps/addressbook/save.inc
@@ -34,7 +34,7 @@ if ($_POST['_cid'])
     if (!isset($_POST[$fname]))
       continue;
     
-    $a_write_sql[] = sprintf("%s='%s'", $col, addslashes($_POST[$fname]));
+    $a_write_sql[] = sprintf("%s='%s'", $col, addslashes(strip_tags($_POST[$fname])));
     }
 
   if (sizeof($a_write_sql))
@@ -103,7 +103,7 @@ else
       continue;
     
     $a_insert_cols[] = $col;
-    $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+    $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
     }
     
   if (sizeof($a_insert_cols))
author	roundcube <roundcube@208e9e7b-5314-0410-a742-e7e81cd9613c>	2005-10-31 23:47:03 +0000
committer	roundcube <roundcube@208e9e7b-5314-0410-a742-e7e81cd9613c>	2005-10-31 23:47:03 +0000
commit	cea67b32a9f32642d4bc85221bd2eb94eb57740f (patch)
tree	ec8f613f19dfa9a4379505e5c193f2f7cd4bd8f9 /roundcubemail
parent	4c39bff72f5e5e63a5e3157f6fdd3ce332c40eca (diff)