Changeset 68 in subversion

Timestamp:

Oct 31, 2005 6:47:03 PM (8 years ago)

Author:

roundcube

Message:

Prevent from address book XSS

File:

• trunk/roundcubemail/program/steps/addressbook/save.inc (modified) (2 diffs)

trunk/roundcubemail/program/steps/addressbook/save.inc

@@ -35 +35 @@
       continue;
     
-    $a_write_sql[] = sprintf("%s='%s'", $col, addslashes($_POST[$fname]));
+    $a_write_sql[] = sprintf("%s='%s'", $col, addslashes(strip_tags($_POST[$fname])));
     }
 
@@ -104 +104 @@
     
     $a_insert_cols[] = $col;
-    $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+    $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
     }