From 9db57c57feeb113d370e52480c63b6cd00d292b2 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Mon, 31 Oct 2005 18:47:03 -0500
Subject: [PATCH] Prevent from address book XSS
---
program/steps/addressbook/save.inc | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 814f50a..3e2cfae 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -34,7 +34,7 @@
if (!isset($_POST[$fname]))
continue;
- $a_write_sql[] = sprintf("%s='%s'", $col, addslashes($_POST[$fname]));
+ $a_write_sql[] = sprintf("%s='%s'", $col, addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_write_sql))
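Review bot: strip_tags() on input at L16 only removes angle-bracket tags, so a value that is later placed inside an HTML attribute (for example a `value="..."` field on the edit form) can still break out with a double quote and inject an event-handler attribute without any tag at all. The durable fix is to keep stored data intact and HTML-encode it at render time with `htmlspecialchars($value, ENT_QUOTES)`; if strip_tags is kept as defense in depth, note that it is lossy for legitimate input such as a display name containing a less-than sign. The new line also still builds the UPDATE statement by string concatenation with addslashes(), which is not a database-aware escape; the DB layer's quoting function or a prepared statement should be used, though that layer is not visible here. The enclosing foreach loop begins before this hunk.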
@@ -103,7 +103,7 @@
continue;
$a_insert_cols[] = $col;
- $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+ $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_insert_cols))
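Review bot: The INSERT path at L23 has the same gap as the update path: strip_tags() strips tags but does not neutralise quotes, so stored values rendered into attributes or JavaScript strings remain exploitable, and the real control belongs at output with `htmlspecialchars($value, ENT_QUOTES)`. Since both hunks apply identical sanitisation, consider a single helper (e.g. `$value = strip_tags($_POST[$fname]);` computed once and reused) so the two code paths cannot drift apart. Whether addslashes() is sufficient for the SQL quoting here depends on the connection charset and database driver, which this file does not show; a driver-provided escape or bound parameters would remove that dependency. The enclosing foreach loop begins before this hunk.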
--