authorzotlabs <mike@macgirvin.com>2018-07-28 15:33:20 -0700
committerzotlabs <mike@macgirvin.com>2018-07-28 15:33:20 -0700
commit2367d94a4264b228995e54ab6e1383652f82a2c2 (patch)
tree932861fb6957058e1df587afb9e86ad707c52224
parent38c2070aabf590d90ccd854e0542affe2ca6a2a2 (diff)
SECURITY: sanitise vcard fields
-rw-r--r--include/network.php16
1 files changed, 8 insertions, 8 deletions
diff --git a/include/network.php b/include/network.php
index 91a39a6cb..0d37db58d 100644
--- a/include/network.php
+++ b/include/network.php
@@ -1923,23 +1923,23 @@ function scrape_vcard($url) {
$level2 = $item->getElementsByTagName('*');
foreach($level2 as $x) {
if(attribute_contains($x->getAttribute('id'),'pod_location'))
- $ret['pod_location'] = $x->textContent;
+ $ret['pod_location'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'fn'))
- $ret['fn'] = $x->textContent;
+ $ret['fn'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'uid'))
- $ret['uid'] = $x->textContent;
+ $ret['uid'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'nickname'))
- $ret['nick'] = $x->textContent;
+ $ret['nick'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'searchable'))
- $ret['searchable'] = $x->textContent;
+ $ret['searchable'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'key'))
$ret['public_key'] = $x->textContent;
if(attribute_contains($x->getAttribute('class'),'given_name'))
- $ret['given_name'] = $x->textContent;
+ $ret['given_name'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'family_name'))
- $ret['family_name'] = $x->textContent;
+ $ret['family_name'] = escxape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'url'))
- $ret['url'] = $x->textContent;
+ $ret['url'] = escape_tags($x->textContent);
if((attribute_contains($x->getAttribute('class'),'photo'))
|| (attribute_contains($x->getAttribute('class'),'avatar'))) {