authorthomascube <thomas@roundcube.net>2005-10-31 23:47:03 +0000
committerthomascube <thomas@roundcube.net>2005-10-31 23:47:03 +0000
commit9db57c57feeb113d370e52480c63b6cd00d292b2 (patch)
tree058b79e0f7644acea9201b2e871f8c1f83408646 /program/steps/addressbook
parent7cc38e0bebb30f12b1c643ea96a038453be185e1 (diff)
Prevent address book XSS
Diffstat (limited to 'program/steps/addressbook')
-rw-r--r--program/steps/addressbook/save.inc4
1 files changed, 2 insertions, 2 deletions
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 814f50a34..3e2cfae8f 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -34,7 +34,7 @@ if ($_POST['_cid'])
if (!isset($_POST[$fname]))
continue;
- $a_write_sql[] = sprintf("%s='%s'", $col, addslashes($_POST[$fname]));
+ $a_write_sql[] = sprintf("%s='%s'", $col, addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_write_sql))
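Review bot: `strip_tags()` on the added line only helps where the stored value is later rendered as raw HTML text; it leaves `"`, `'` and bare `<` fragments intact, so a value placed into an attribute or script context without `htmlspecialchars()` remains exploitable, and it silently mangles legitimate input such as `Smith <jsmith@example.org>`. The durable fix for the XSS is output encoding at render time, `htmlspecialchars($value, ENT_QUOTES)`, with the value stored as submitted. If the input stripping is kept as defence-in-depth, mark it as such so nobody treats it as the primary control: `// strip_tags() is not an XSS fix on its own; values must still be HTML-escaped when rendered`. The enclosing `foreach` and the `if ($_POST['_cid'])` branch start outside the hunk.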
@@ -103,7 +103,7 @@ else
continue;
$a_insert_cols[] = $col;
- $a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
+ $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_insert_cols))
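Review bot: The SQL value on the added line is still assembled by string interpolation around `addslashes()`, which is not charset-aware and is not the escaping routine of the database driver in use, so this commit leaves the injection surface of the insert unchanged. Prefer the DB layer's own quoting or a bound parameter, for instance `$a_insert_values[] = $DB->quote(strip_tags($_POST[$fname]));` if the abstraction used here provides a quote method (not visible in this hunk); the update branch above needs the same treatment. `$col` is interpolated unquoted as well; if `$a_save_cols` is a fixed list defined outside the hunk that is acceptable, but a comment like `// $col comes from the fixed $a_save_cols list, never from the request` would make the assumption explicit. The enclosing `foreach` starts outside the hunk.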