From dba5f7c44a92c8e6986fa9395536347508145f60 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Mon, 31 Oct 2005 19:01:40 -0500
Subject: [PATCH] Prevent from identities XSS

---
 CHANGELOG | 2 ++
 program/steps/settings/save_identity.inc | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 7430c45..ebb9d83 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -68,3 +68,5 @@
 - Set default user language from config 'locale_string'
 - Added sorting patch for message list
 - Make default sort col/order configurable
+- Fixed XSS in address book and identities
+
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 680833d..ea186ec 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -33,7 +33,7 @@
 if (!isset($_POST[$fname]))
 continue;
 
-    $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes($_POST[$fname]));
+    $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));
 }
 
 if (sizeof($a_write_sql))
@@ -87,7 +87,7 @@
 continue;
 
 $a_insert_cols[] = $DB->quoteIdentifier($col);
-    $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+    $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
 }
 
 if (sizeof($a_insert_cols))
-- 
Gitblit v1.9.1
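Review bot: Wrapping the stored value in `strip_tags()` (the `+` line in the @@ -33 hunk, and again in the @@ -87 hunk) is input mangling rather than an XSS fix: it does not escape quotes or entities, so a value that survives it can still break out of an HTML attribute when the identity is rendered, and it silently corrupts legitimate input such as a `<` in a signature. The reliable defence is output encoding at the point where these identity fields are echoed into HTML, e.g. `htmlspecialchars($value, ENT_QUOTES)`, with storage left verbatim. Separately, `addslashes()` is not a driver-aware SQL escape; since the same loop already calls `$DB->quoteIdentifier($col)` for the column name, the value side should presumably go through the DB wrapper's value-quoting or parameter-binding path as well — worth confirming what that wrapper offers. The enclosing `foreach` loops and the surrounding update/insert logic start and end outside both hunks.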