From 9568dc736aaa758504ab8ae2a2e9e8803b4cc30a Mon Sep 17 00:00:00 2001
From: roundcube
Date: Tue, 1 Nov 2005 00:01:40 +0000
Subject: Prevent from identities XSS
git-svn-id: https://svn.roundcube.net/trunk@69 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 roundcubemail/program/steps/settings/save_identity.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'roundcubemail/program')
diff --git a/roundcubemail/program/steps/settings/save_identity.inc b/roundcubemail/program/steps/settings/save_identity.inc
index 680833d7c..ea186ec12 100644
--- a/roundcubemail/program/steps/settings/save_identity.inc
+++ b/roundcubemail/program/steps/settings/save_identity.inc
@@ -33,7 +33,7 @@ if ($_POST['_iid']) if (!isset($_POST[$fname])) continue;
- $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes($_POST[$fname]));
+ $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));
 } if (sizeof($a_write_sql))
@@ -87,7 +87,7 @@ else continue; $a_insert_cols[] = $DB->quoteIdentifier($col);
- $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+ $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
 } if (sizeof($a_insert_cols))
--
cgit v1.2.3
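Review bot: `strip_tags()` applied before storage on the `$a_write_sql[]` line is not a complete XSS defence, because it leaves `"` and `'` untouched, so a stored identity value could still alter markup if it is later printed inside an HTML attribute. It also silently drops legitimate text that contains `<`. The `$a_insert_values[]` line in the second hunk has the same limitation. The more durable fix is to keep the stored value intact and encode where the identity is rendered, e.g. `htmlspecialchars($value, ENT_QUOTES)`; that rendering code is outside this diff, so whether it already encodes cannot be confirmed here. The enclosing loop starts outside the hunk.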
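Review bot: The value on the `$a_insert_values[]` line is still spliced into the SQL text with `addslashes()`, which is not a database-aware escaper and can be defeated under some multibyte connection character sets; the `$a_write_sql[]` line in the first hunk uses the same pattern. Since `$DB->quoteIdentifier($col)` is already used on the line above, the value should go through the DB layer's own value quoting or a bound placeholder rather than `sprintf("'%s'", addslashes(...))`; the exact method name is not visible in this diff. The statement that consumes `$a_insert_values` lies outside the hunk.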