diff --git a/NEWS b/NEWS
index c8e4a1746..cec4e572f 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,7 @@ Bug fixes
 - warn user when dnd failed because of a resource conflict (#1613)
 - respect the maximum number of bookings when viewing the freebusy information of a resource (#2560)
 - encode HTML entities when forwarding an HTML message inline in plain text composition mode (#2411)
+ - encode HTML entities in JSON data returned by Calendar module (#2598)
 2.1.1b (2013-12-04)
 -------------------
diff --git a/UI/Scheduler/UIxAppointmentEditor.m b/UI/Scheduler/UIxAppointmentEditor.m
index 3c4b92b76..2c371c5fe 100644
--- a/UI/Scheduler/UIxAppointmentEditor.m
+++ b/UI/Scheduler/UIxAppointmentEditor.m
@@ -31,6 +31,7 @@
 #import
 #import
 #import
+#import
 #import
 #import
@@ -518,7 +519,7 @@
 created_by = [event createdBy];
 data = [NSDictionary dictionaryWithObjectsAndKeys:
- [componentCalendar displayName], @"calendar",
+ [[componentCalendar displayName] stringByEscapingHTMLString], @"calendar",
 [event tag], @"component",
 [dateFormatter formattedDate: eventStartDate], @"startDate",
 [dateFormatter formattedTime: eventStartDate], @"startTime",
@@ -526,10 +527,10 @@
 [dateFormatter formattedTime: eventEndDate], @"endTime",
 //([event hasRecurrenceRules] ? @"1": @"0"), @"isRecurring",
 ([event isAllDay] ? @"1": @"0"), @"isAllDay",
- [event summary], @"summary",
- [event location], @"location",
- created_by, @"created_by",
- [event comment], @"description",
+ [[event summary] stringByEscapingHTMLString], @"summary",
+ [[event location] stringByEscapingHTMLString], @"location",
+ [created_by stringByEscapingHTMLString], @"created_by",
+ [[event comment] stringByEscapingHTMLString], @"description",
 nil];
 [result appendContentString: [data jsonRepresentation]];
diff --git a/UI/Scheduler/UIxCalListingActions.m b/UI/Scheduler/UIxCalListingActions.m
index cbb0b0087..5f99777a7 100644
--- a/UI/Scheduler/UIxCalListingActions.m
+++ b/UI/Scheduler/UIxCalListingActions.m
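Review bot: Escaping `summary`, `location`, `created_by` and `description` in the -526 hunk (and `calendar` in the -518 hunk) bakes HTML entities into what is a JSON data response, so any consumer that treats these values as data rather than markup — a form field populated from the summary, a `createTextNode`, or a client that escapes again — will display or resubmit `&amp;`/`&lt;` literally; the consumer is not visible from here, so confirm that every reader of this JSON inserts the fields as HTML and nowhere else, since escaping at the point of DOM insertion keeps the JSON round-trippable. Separately, `dictionaryWithObjectsAndKeys:` stops at the first nil value and `[nil stringByEscapingHTMLString]` is still nil, so if `location` or `comment` can be unset the later keys are silently dropped from the response (pre-existing, but these are the lines being touched); `[[event location] stringByEscapingHTMLString] ?: @"", @"location",` keeps the remaining keys. The enclosing method starts and ends outside both hunks.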
@@ -41,6 +41,7 @@
 #import
 #import
 #import
+#import
 #import
 #import
@@ -55,7 +56,6 @@
 #import
 #import
 #import
-#import
 #import
@@ -310,12 +310,14 @@ static NSArray *tasksFields = nil;
 NSEnumerator *folders, *currentInfos;
 SOGoAppointmentFolder *currentFolder;
 NSMutableDictionary *newInfo;
- NSMutableArray *infos;
+ NSMutableArray *infos, *newInfoForComponent;
 NSNull *marker;
 SOGoAppointmentFolders *clientObject;
 SOGoUser *ownerUser;
 NSString *owner, *role, *calendarName;
 BOOL isErasable, folderIsRemote;
+ id currentInfo;
+ int i, count;
 infos = [NSMutableArray array];
 marker = [NSNull null];
@@ -395,8 +397,17 @@ static NSArray *tasksFields = nil;
 // Possible improvement: only call _fixDates if event is recurrent
 // or the view range span a daylight saving time change
 [self _fixDates: newInfo];
- [infos addObject: [newInfo objectsForKeys: fields
- notFoundMarker: marker]];
+ newInfoForComponent = [NSMutableArray arrayWithArray: [newInfo objectsForKeys: fields
+ notFoundMarker: marker]];
+ // Escape HTML
+ count = [newInfoForComponent count];
+ for (i = 0; i < count; i++)
+ {
+ currentInfo = [newInfoForComponent objectAtIndex: i];
+ if ([currentInfo respondsToSelector: @selector (stringByEscapingHTMLString)])
+ [newInfoForComponent replaceObjectAtIndex: i withObject: [currentInfo stringByEscapingHTMLString]];
+ }
+ [infos addObject: newInfoForComponent];
 }
 }
 }
diff --git a/UI/WebServerResources/SchedulerUI.js b/UI/WebServerResources/SchedulerUI.js
index 1b56a22da..820f235b0 100644
--- a/UI/WebServerResources/SchedulerUI.js
+++ b/UI/WebServerResources/SchedulerUI.js
@@ -1783,7 +1783,7 @@ function newBaseEventDIV(eventRep, event, eventText) {
 textDiv.addClassName("text");
 var iconSpan = createElement("span", null, "icons");
 textDiv.appendChild(iconSpan);
- textDiv.appendChild(document.createTextNode(eventText.replace(/(\\r)?\\n/g, "
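Review bot: The escaping loop added in the -395 hunk of UIxCalListingActions.m applies `stringByEscapingHTMLString` to every string in the row, not only to the columns the client renders as HTML; `fields` is defined outside the hunk, and if it carries identifiers such as the component or folder name that the client uses to build request URLs or lookups, an `&` or `<` in such a value is now rewritten and no longer matches the server-side identifier. Escaping only the display columns by name (summary, location, calendar name), or at the rendering site, avoids that. In the -310 hunk `i` and `count` are declared `int` while `[newInfoForComponent count]` returns `NSUInteger`, so the assignment narrows silently; `NSUInteger i, count;` matches the API. The enclosing method starts outside these hunks.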
")));
+ textDiv.update(eventText.replace(/(\\r)?\\n/g, "
"));
 // Add alarm and classification icons
 if (event[9] == 1)
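Review bot: `textDiv.update(...)` parses its argument as HTML, whereas the removed `createTextNode` inserted it as inert text, so this line is now safe only if every value concatenated into `eventText` was HTML-escaped upstream; the server-side loop in UIxCalListingActions.m escapes the strings it emits, but `eventText` is assembled by the caller outside this hunk and I cannot confirm from here that no other source feeds it. If the text node was dropped only so the newline replacement renders, keeping `createTextNode` (or setting `textContent`) needs no escaping contract at all. Otherwise record the invariant next to the call, e.g. `// eventText must already be HTML-escaped: update() assigns innerHTML`. newBaseEventDIV continues outside the hunk.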