Diffstat (limited to 'program/steps/addressbook')
-rw-r--r-- | program/steps/addressbook/ldapsearchform.inc | 2 | ||||
-rw-r--r-- | program/steps/addressbook/save.inc | 26 |
2 files changed, 14 insertions, 14 deletions
diff --git a/program/steps/addressbook/ldapsearchform.inc b/program/steps/addressbook/ldapsearchform.inc
index 5c04406c5..a4e08dcdc 100644
--- a/program/steps/addressbook/ldapsearchform.inc
+++ b/program/steps/addressbook/ldapsearchform.inc
@@ -255,7 +255,7 @@ function get_form_tags($attrib) $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task'])); $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch'));
- if ($_GET['_framed'] || $_POST['_framed'])
+ if ($_framed)
 $hiddenfields->add(array('name' => '_framed', 'value' => 1)); $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 32a6243fd..5135e4b04 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -23,7 +23,7 @@ if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed'])) { show_message('formincomplete', 'warning');
- rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add');
+ rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
 return; }
@@ -32,7 +32,7 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email'); $contacts_table = get_table_name('contacts'); // update an existing contact
-if ($_POST['_cid'])
+if (!empty($_POST['_cid']))
 { $a_write_sql = array();
@@ -44,7 +44,7 @@ if ($_POST['_cid']) $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col),
- $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+ $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)));
 } if (sizeof($a_write_sql))
@@ -65,7 +65,7 @@ if ($_POST['_cid']) $_action = 'show'; show_message('successfullysaved', 'confirmation');
- if ($_POST['_framed'])
+ if ($_framed)
 { // define list of cols to be displayed $a_show_cols = array('name', 'email');
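Review bot: Inside get_form_tags() the new `$_framed` is an ordinary function-local variable, not a superglobal like the `$_GET['_framed'] || $_POST['_framed']` it replaces, so unless the function declares `global $_framed;` (or assigns it) above this hunk, the condition is always false and the `_framed` hidden field is never added for framed requests. The start of get_form_tags() is outside the hunk, so this cannot be confirmed from here; if no such declaration exists, add `global $_framed;` next to the function's other globals or pass the flag in as a parameter. The same rename in save.inc (@@ -65 and @@ -187) is at file scope and does not have this issue, provided `$_framed` is set before that file is included.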
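Review bot: The incomplete-form check in the @@ -23 hunk still tests `empty($_GET['_framed'])` while the rest of the commit switches every other `_framed` lookup to `$_framed` (@@ -65, @@ -187 and ldapsearchform.inc), so the framed-mode detection in this file now comes from two different sources. If `$_framed` is the intended single source of truth, the condition should read `if ((empty($_POST['_name']) || empty($_POST['_email'])) && !$_framed)`; whether `$_framed` also reflects a POSTed `_framed` is not visible here and should be checked where it is defined. The `empty($_POST['_cid']) ? 'add' : 'show'` rewrite itself is fine and also stops the notice on a missing `_cid`.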
@@ -115,20 +115,20 @@ else if (isset($_GET['_emails']) && isset($_GET['_names'])) { $sql .= "AND email IN (";
- $emails = explode(',', $_GET['_emails']);
- $names = explode(',', $_GET['_names']);
+ $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET));
+ $names = explode(',', get_input_value('_names', RCUBE_INPUT_GET));
 $count = count($emails); $n = 0; foreach ($emails as $email) { $end = (++$n == $count) ? '' : ',';
- $sql .= $DB->quote(strip_tags($email)) . $end;
+ $sql .= $DB->quote($email) . $end;
 } $sql .= ")"; $ldap_form = true; } else if (isset($_POST['_email']))
- $sql .= "AND email = " . $DB->quote(strip_tags($_POST['_email']));
+ $sql .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST));
 $sql_result = $DB->query($sql);
@@ -151,9 +151,9 @@ else foreach ($emails as $email) { $DB->query("INSERT INTO $contacts_table
- (user_id, name, email)
- VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," .
- $DB->quote(strip_tags($email)) . ")");
+ (user_id, name, email
+ VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," .
+ $DB->quote($email) . ")");
 $insert_id[] = $DB->insert_id(); } }
@@ -166,7 +166,7 @@ else continue; $a_insert_cols[] = $col;
- $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+ $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST));
 } if (sizeof($a_insert_cols))
@@ -187,7 +187,7 @@ else $_action = 'show'; $_GET['_cid'] = $insert_id;
- if ($_POST['_framed'])
+ if ($_framed)
 { // add contact row or jump to the page where it should appear $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME); |
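Review bot: In the @@ -151 hunk the rewritten column list on the new side reads `(user_id, name, email` without the closing parenthesis that the removed line `(user_id, name, email)` had, so as shown here the INSERT for the multi-address LDAP path is a SQL syntax error and none of those contacts are stored; the line should read `(user_id, name, email)`. Separately, `$DB->quote($names[$n++])` assumes `_names` has at least as many comma-separated entries as `_emails` (both split in @@ -115); when it has fewer, the index is undefined and whatever `$DB->quote()` makes of a null is inserted as the name, so a `count($names) !== count($emails)` check before the loop would make the failure explicit. The enclosing `else` block starts outside the hunk.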