banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prevent from identities XSS

Browse Source
release-0.6
thomascube 19 years ago
parent 9db57c57fe
commit dba5f7c44a
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File

2
CHANGELOG
Unescape Escape View File

@ -68,3 +68,5 @@ CHANGELOG RoundCube Webmail
- Set default user language from config 'locale_string'
- Added sorting patch for message list
- Make default sort col/order configurable
- Fixed XSS in address book and identities

4
program/steps/settings/save_identity.inc
Unescape Escape View File

@ -33,7 +33,7 @@ if ($_POST['_iid'])
if (!isset($_POST[$fname]))
continue;
$a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes($_POST[$fname]));
$a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_write_sql))
@ -87,7 +87,7 @@ else
continue;
$a_insert_cols[] = $DB->quoteIdentifier($col);
$a_insert_values[] = sprintf("'%s'", addslashes($_POST[$fname]));
$a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
}
if (sizeof($a_insert_cols))

Write Preview
Loading…
Cancel
Save