When editing contacts, some invalid characters are not stripped or handled in some way. They make it all the way to the SQL statement before things trip up. (Using a prepared statement thankfully prevents injecting a second statement. More details in: http://trac.roundcube.net/ticket/1485504)
I can work on a patch, but I'd appreciate some guidance first: Should the backend explicitly validate the input against a regular expression? What is valid/invalid? How should the interface report bad characters and/or failed contact saves to the user?

Thanks,
Ziba
Webmaster Team
University of Michigan
