diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2012-02-02 19:46:38 +0400 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2012-02-02 20:54:30 +0400 |
| commit | 66b96e4440961483d026473fc6242599b3d51550 (patch) | |
| tree | 54393769e43f2241a9de0d149e11fc2e054d121a /apps/contacts/ajax/setproperty.php | |
| parent | 92b8f3238658782e6eb5a4285185a8fae6665f05 (diff) | |
Sanitize in- and output.
Diffstat (limited to 'apps/contacts/ajax/setproperty.php')
| -rw-r--r-- | apps/contacts/ajax/setproperty.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/apps/contacts/ajax/setproperty.php b/apps/contacts/ajax/setproperty.php index cf3fe582247..f9e2a8e8647 100644 --- a/apps/contacts/ajax/setproperty.php +++ b/apps/contacts/ajax/setproperty.php @@ -37,9 +37,13 @@ $line = OC_Contacts_App::getPropertyLineByChecksum($vcard, $checksum); $value = $_POST['value']; if(is_array($value)){ ksort($value); // NOTE: Important, otherwise the compound value will be set in the order the fields appear in the form! + foreach(array_keys($value) as $key) { + OC_Log::write('contacts','ajax/setproperty.php: setting: '.$key.': '.$value[$key], OC_Log::DEBUG); + } + $value = OC_VObject::escapeSemicolons($value); } OC_Log::write('contacts','ajax/setproperty.php: setting: '.$vcard->children[$line]->name.': '.$value, OC_Log::DEBUG); -$vcard->children[$line]->setValue($value); +$vcard->children[$line]->setValue(strip_tags($value)); // Add parameters $postparameters = isset($_POST['parameters'])?$_POST['parameters']:array(); |