From 2367d94a4264b228995e54ab6e1383652f82a2c2 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Sat, 28 Jul 2018 15:33:20 -0700
Subject: SECURITY: sanitise vcard fields
---
 include/network.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'include')
diff --git a/include/network.php b/include/network.php
index 91a39a6cb..0d37db58d 100644
--- a/include/network.php
+++ b/include/network.php
@@ -1923,23 +1923,23 @@ function scrape_vcard($url) {
 $level2 = $item->getElementsByTagName('*');
 foreach($level2 as $x) {
 if(attribute_contains($x->getAttribute('id'),'pod_location'))
- $ret['pod_location'] = $x->textContent;
+ $ret['pod_location'] = escape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'fn'))
- $ret['fn'] = $x->textContent;
+ $ret['fn'] = escape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'uid'))
- $ret['uid'] = $x->textContent;
+ $ret['uid'] = escape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'nickname'))
- $ret['nick'] = $x->textContent;
+ $ret['nick'] = escape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'searchable'))
- $ret['searchable'] = $x->textContent;
+ $ret['searchable'] = escape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'key'))
 $ret['public_key'] = $x->textContent;
 if(attribute_contains($x->getAttribute('class'),'given_name'))
- $ret['given_name'] = $x->textContent;
+ $ret['given_name'] = escape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'family_name'))
- $ret['family_name'] = $x->textContent;
+ $ret['family_name'] = escxape_tags($x->textContent);
 if(attribute_contains($x->getAttribute('class'),'url'))
- $ret['url'] = $x->textContent;
+ $ret['url'] = escape_tags($x->textContent);
 if((attribute_contains($x->getAttribute('class'),'photo')) || (attribute_contains($x->getAttribute('class'),'avatar'))) {
-- 
cgit v1.2.3
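Review bot: The new `family_name` line calls `escxape_tags`, a misspelling of the `escape_tags` used on the other seven fields; it should read `$ret['family_name'] = escape_tags($x->textContent);`. PHP resolves function names at call time, so the file still loads and the undefined-function error is raised only when a scraped page has an element whose class matches `family_name`. Because that page is remote content, the scrape aborts on input the peer controls instead of returning a sanitised value. Separately, `$ret['public_key']` is still assigned raw `textContent`; if that is deliberate, a comment such as `// not escaped: must be validated as a key by the caller before storage or display` would record why, and the photo/avatar branch that opens at the end of the hunk is not visible here, so its handling should be checked too. `scrape_vcard` begins and ends outside this hunk.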