From a896da0d91844ed1332fae4d476582308af7c537 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus <thomas@tanghus.net>
Date: Mon, 21 May 2012 21:47:15 +0200
Subject: [PATCH] Contacts: XSS fix. Still some more to check.

---
 apps/contacts/lib/vcard.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/contacts/lib/vcard.php b/apps/contacts/lib/vcard.php
index 91ae3a7514..2414efe676 100644
--- a/apps/contacts/lib/vcard.php
+++ b/apps/contacts/lib/vcard.php
@@ -188,6 +188,9 @@ class OC_Contacts_VCard{
 			if($upgrade && in_array($property->name, $stringprops)) {
 				self::decodeProperty($property);
 			}
+			if(in_array($property->name, $stringprops)) {
+				$property->value = strip_tags($property->value);
+			}
 			// Fix format of type parameters.
 			if($upgrade && in_array($property->name, $typeprops)) {
 				OCP\Util::writeLog('contacts','OC_Contacts_VCard::updateValuesFromAdd. before: '.$property->serialize(),OCP\Util::DEBUG);
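Review bot: The `strip_tags($property->value)` added on the new line is a lossy input filter rather than output encoding, so it is the wrong layer for an XSS fix: a contact field containing a literal `<` (for example `a < b` in a note) is silently mangled on every save, while values rendered into an HTML attribute or a JavaScript string remain exploitable via characters strip_tags leaves untouched (`"`, `'`, `&`). The robust fix is to keep the stored vCard data intact and escape at the point of output per context, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` where values are emitted into HTML. If the filter is kept as defense-in-depth it should at least be gated like the `decodeProperty` branch above it (`if($upgrade && ...)`) so that data is not rewritten on every non-upgrade call, and `in_array` should pass `true` as the third argument to avoid loose comparison. `$stringprops` and the enclosing `updateValuesFromAdd` method start and end outside this hunk, so which properties are actually covered cannot be confirmed from here.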
-- 
GitLab