Escape HTML in JSON of calendar module

Fixes #2598
2014-02-05 16:02:38 -05:00 · 2014-02-05 16:02:38 -05:00 · 1a7fc2a0e9
parent f7a20d0a83
commit 1a7fc2a0e9
4 changed files with 23 additions and 10 deletions
--- a/1
+++ b/1
@ -38,6 +38,7 @@ Bug fixes
 - warn user when dnd failed because of a resource conflict (#1613)
 - respect the maximum number of bookings when viewing the freebusy information of a resource (#2560)
 - encode HTML entities when forwarding an HTML message inline in plain text composition mode (#2411)
+ - encode HTML entities in JSON data returned by Calendar module (#2598)

 2.1.1b (2013-12-04)
 -------------------
--- a/UI/Scheduler/UIxAppointmentEditor.m
+++ b/UI/Scheduler/UIxAppointmentEditor.m
@ -31,6 +31,7 @@
 #import <NGObjWeb/WOResponse.h>
 #import <NGObjWeb/NSException+HTTP.h>
 #import <NGExtensions/NSCalendarDate+misc.h>
+#import <NGExtensions/NSString+misc.h>

 #import <NGCards/iCalAlarm.h>
 #import <NGCards/iCalCalendar.h>
@ -518,7 +519,7 @@
  created_by = [event createdBy];

  data = [NSDictionary dictionaryWithObjectsAndKeys:
-                       [componentCalendar displayName], @"calendar",
+                       [[componentCalendar displayName] stringByEscapingHTMLString], @"calendar",
                       [event tag], @"component",
                       [dateFormatter formattedDate: eventStartDate], @"startDate",
                       [dateFormatter formattedTime: eventStartDate], @"startTime",
@ -526,10 +527,10 @@
                       [dateFormatter formattedTime: eventEndDate], @"endTime",
                     //([event hasRecurrenceRules] ? @"1": @"0"), @"isRecurring",
                       ([event isAllDay] ? @"1": @"0"), @"isAllDay",
-                       [event summary], @"summary",
-                       [event location], @"location",
-		       created_by, @"created_by",
-                       [event comment], @"description",
+                       [[event summary] stringByEscapingHTMLString], @"summary",
+                       [[event location] stringByEscapingHTMLString], @"location",
+		       [created_by stringByEscapingHTMLString], @"created_by",
+                       [[event comment] stringByEscapingHTMLString], @"description",
                       nil];
  
  [result appendContentString: [data jsonRepresentation]];
--- a/UI/Scheduler/UIxCalListingActions.m
+++ b/UI/Scheduler/UIxCalListingActions.m
@ -41,6 +41,7 @@
 #import <NGExtensions/NGCalendarDateRange.h>
 #import <NGExtensions/NSCalendarDate+misc.h>
 #import <NGExtensions/NSObject+Logs.h>
+#import <NGExtensions/NSString+misc.h>

 #import <SOGo/SOGoDateFormatter.h>
 #import <SOGo/SOGoPermissions.h>
@ -55,7 +56,6 @@
 #import <Appointments/SOGoAppointmentFolders.h>
 #import <Appointments/SOGoAppointmentObject.h>
 #import <Appointments/SOGoWebAppointmentFolder.h>
-#import <Appointments/SOGoFreeBusyObject.h>

 #import <UI/Common/WODirectAction+SOGo.h>

@ -310,12 +310,14 @@ static NSArray *tasksFields = nil;
  NSEnumerator *folders, *currentInfos;
  SOGoAppointmentFolder *currentFolder;
  NSMutableDictionary *newInfo;
-  NSMutableArray *infos;
+  NSMutableArray *infos, *newInfoForComponent;
  NSNull *marker;
  SOGoAppointmentFolders *clientObject;
  SOGoUser *ownerUser;
  NSString *owner, *role, *calendarName;
  BOOL isErasable, folderIsRemote;
+  id currentInfo;
+  int i, count;

  infos = [NSMutableArray array];
  marker = [NSNull null];
@ -395,8 +397,17 @@ static NSArray *tasksFields = nil;
 	      // Possible improvement: only call _fixDates if event is recurrent
 	      // or the view range span a daylight saving time change
              [self _fixDates: newInfo];
-              [infos addObject: [newInfo objectsForKeys: fields
-                                         notFoundMarker: marker]];
+              newInfoForComponent = [NSMutableArray arrayWithArray: [newInfo objectsForKeys: fields
+                                                                             notFoundMarker: marker]];
+              // Escape HTML
+              count = [newInfoForComponent count];
+              for (i = 0; i < count; i++)
+                {
+                  currentInfo = [newInfoForComponent objectAtIndex: i];
+                  if ([currentInfo respondsToSelector: @selector (stringByEscapingHTMLString)])
+                    [newInfoForComponent replaceObjectAtIndex: i withObject: [currentInfo stringByEscapingHTMLString]];
+                }
+              [infos addObject: newInfoForComponent];
            }
        }
    }
--- a/UI/WebServerResources/SchedulerUI.js
+++ b/UI/WebServerResources/SchedulerUI.js
@ -1783,7 +1783,7 @@ function newBaseEventDIV(eventRep, event, eventText) {
    textDiv.addClassName("text");
    var iconSpan = createElement("span", null, "icons");
    textDiv.appendChild(iconSpan);
-    textDiv.appendChild(document.createTextNode(eventText.replace(/(\\r)?\\n/g, "<BR/>")));
+    textDiv.update(eventText.replace(/(\\r)?\\n/g, "<BR/>"));

    // Add alarm and classification icons
    if (event[9] == 1)