From beaa76feb2a119ada452ada7a0a5c3ebef31855b Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Mon, 12 Mar 2012 20:17:19 +0100
Subject: [PATCH] Strip tags
---
 apps/contacts/ajax/addproperty.php | 3 +++
 apps/contacts/ajax/setproperty.php | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php
index c90af217c87..f8a3cbe029b 100644
--- a/apps/contacts/ajax/addproperty.php
+++ b/apps/contacts/ajax/addproperty.php
@@ -67,6 +67,9 @@ foreach($current as $item) {
 if(is_array($value)) {
 ksort($value); // NOTE: Important, otherwise the compound value will be set in the order the fields appear in the form!
+ $value = array_map('strip_tags', $value);
+} else {
+ $value = strip_tags($value);
 }
 $property = $vcard->addProperty($name, $value); //, $parameters);
diff --git a/apps/contacts/ajax/setproperty.php b/apps/contacts/ajax/setproperty.php
index cf3fe582247..ef26b34e9a4 100644
--- a/apps/contacts/ajax/setproperty.php
+++ b/apps/contacts/ajax/setproperty.php
@@ -37,6 +37,10 @@ $line = OC_Contacts_App::getPropertyLineByChecksum($vcard, $checksum);
 $value = $_POST['value'];
 if(is_array($value)){
 ksort($value); // NOTE: Important, otherwise the compound value will be set in the order the fields appear in the form!
+ $value = array_map('strip_tags', $value);
+ $value = OC_VObject::escapeSemicolons($value);
+} else {
+ $value = strip_tags($value);
 }
 OC_Log::write('contacts','ajax/setproperty.php: setting: '.$vcard->children[$line]->name.': '.$value, OC_Log::DEBUG);
 $vcard->children[$line]->setValue($value);
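Review bot: `strip_tags()` on the incoming `$value` is input filtering rather than output encoding, so it should not be relied on as the XSS fix on its own; the same applies to the identical branch added in setproperty.php. It leaves quotes and `&` untouched, so a value rendered inside an HTML attribute still needs `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` at the point of output, which is outside this diff. It can also alter legitimate contact data that happens to contain `<`, which argues for storing the value as entered and escaping on display. `array_map('strip_tags', $value)` assumes every element is a string; a request carrying a nested array would hand an array to `strip_tags()`, so a per-element `is_string` check is worth adding before the map.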
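Review bot: The array branch here calls `OC_VObject::escapeSemicolons($value)` after stripping, but the matching branch in addproperty.php does not, so the two endpoints now normalise compound values differently. If `addProperty()` does not escape internally (not visible in this diff), a `;` inside one field could shift the compound fields when a property is added. Moving the shared strip-and-escape steps into one helper used by both files would keep them from drifting further. The `OC_Log::write` line that follows concatenates `$value` into a string, so it is worth confirming that `escapeSemicolons()` returns a string rather than an array, and whether user-supplied contact data belongs in the debug log at all.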