From 516467080bd822cb94a4a9ef58a168dcdaf7535b Mon Sep 17 00:00:00 2001 From: alecpl Date: Fri, 27 May 2011 13:01:05 +0000 Subject: - Fix handling of "<" character in contact data, search fields and folder names, identity name and organization fields (#1487864) --- program/steps/addressbook/save.inc | 9 ++++----- program/steps/addressbook/search.inc | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) (limited to 'program/steps/addressbook') diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc index 253609780..0092eb103 100644 --- a/program/steps/addressbook/save.inc +++ b/program/steps/addressbook/save.inc @@ -95,7 +95,6 @@ if ($RCMAIL->action == 'upload-photo') { $OUTPUT->send('iframe'); } - // read POST values into hash array $a_record = array(); foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) { @@ -106,7 +105,7 @@ foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) { if ($colprop['childs']) { $values = array(); foreach ($colprop['childs'] as $childcol => $cp) { - $vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST); + $vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST, true); foreach ((array)$vals as $i => $val) $values[$i][$childcol] = $val; } @@ -117,7 +116,7 @@ foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) { } // assign values and subtypes else if (is_array($_POST[$fname])) { - $values = get_input_value($fname, RCUBE_INPUT_POST); + $values = get_input_value($fname, RCUBE_INPUT_POST, true); $subtypes = get_input_value('_subtype_' . $col, RCUBE_INPUT_POST); foreach ($values as $i => $val) { $subtype = $subtypes[$i] ? ':'.$subtypes[$i] : ''; @@ -125,7 +124,7 @@ foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) { } } else if (isset($_POST[$fname])) { - $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST); + $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST, true); } } 
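Review bot: The three `get_input_value(..., RCUBE_INPUT_POST, true)` calls in save.inc (the child-column loop, the `is_array($_POST[$fname])` branch and the scalar branch) appear to switch off input-side tag stripping, assuming the third argument is the allow-HTML flag as the commit subject suggests, so `$a_record` now carries whatever the client sent. From here on, the only XSS defence for contact fields is escaping at every place they are rendered. This diff is limited to program/steps/addressbook, so sinks outside that directory cannot be checked from this page and should be audited as part of the change. The same applies to `_q` in the search.inc hunk, which is additionally GET-sourced and therefore reachable through a crafted link. The bare `true` is opaque at the call site; a comment above the first call such as `// allow_html: keep "<" in contact data; values must be escaped on output` would record the contract.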
@@ -190,7 +189,7 @@ if (!empty($cid)) $record['name'] = $record['email']; foreach (array('name', 'email') as $col) - $a_js_cols[] = (string)$record[$col]; + $a_js_cols[] = Q((string)$record[$col]); // update the changed col in list $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols, $newcid); diff --git a/program/steps/addressbook/search.inc b/program/steps/addressbook/search.inc index 7d6775507..8d25a8fbc 100644 --- a/program/steps/addressbook/search.inc +++ b/program/steps/addressbook/search.inc @@ -22,7 +22,7 @@ $CONTACTS->set_page(1); $_SESSION['page'] = 1; -$search = trim(get_input_value('_q', RCUBE_INPUT_GET)); +$search = trim(get_input_value('_q', RCUBE_INPUT_GET, true)); $search_request = md5('addr'.$search); // get contacts for this user -- cgit v1.2.3
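Review bot: `Q()` is added only on the row-update path shown in the save.inc hunk (its header context is `if (!empty($cid))`), and any path that handles a newly inserted contact starts outside the hunk, so it cannot be confirmed from here that new rows get the same escaping. Because the values are now stored unstripped, any other code that passes `$record[$col]` to the list unescaped would render stored markup. Such code should use the same `Q((string)$record[$col])` form. The added `Q()` implies that `parent.update_contact_row` inserts these strings as HTML on the client. A comment before the `$OUTPUT->command` call would make that explicit, e.g. `// columns are HTML-escaped here; the client must not escape them again`, since escaping on both sides would double-encode.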