Changeset 69 in subversion

Timestamp:

Oct 31, 2005 7:01:40 PM (8 years ago)

Author:

roundcube

Message:

Prevent from identities XSS

Location:

trunk/roundcubemail

Files:

• CHANGELOG (modified) (1 diff)
• program/steps/settings/save_identity.inc (modified) (2 diffs)

trunk/roundcubemail/CHANGELOG

@@ -69 +69 @@
 - Added sorting patch for message list
 - Make default sort col/order configurable
+- Fixed XSS in address book and identities
+

trunk/roundcubemail/program/steps/settings/save_identity.inc

@@ -34 +34 @@
       continue;
 
-    $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes($_POST[$fname]));
+    $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));
     }
 
@@ -88 +88 @@
     
     $a_insert_cols[] = $DB->quoteIdentifier($col);
-    $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+    $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
     }