diff --git a/UI/WebServerResources/SchedulerUI.js b/UI/WebServerResources/SchedulerUI.js
index d7d3d981c..bd7ad3943 100644
--- a/UI/WebServerResources/SchedulerUI.js
+++ b/UI/WebServerResources/SchedulerUI.js
@@ -3076,9 +3076,7 @@ function appendCalendar(folderName, folderPath) {
 var colorBox = document.createElement("div");
 li.appendChild(colorBox);
- li.appendChild(document.createTextNode(folderName
- .replace("<", "<", "g")
- .replace(">", ">", "g")));
+ li.appendChild(document.createTextNode(folderName));
 colorBox.appendChild(document.createTextNode("OO"));
 $(colorBox).addClassName("colorBox");
@@ -3119,7 +3117,7 @@ function appendStyleElement(folderPath, color) {
 function onFolderSubscribeCB(folderData) {
 var folder = $(folderData["folder"]);
 if (!folder) {
- appendCalendar(folderData["folderName"], folderData["folder"]);
+ appendCalendar(folderData["folderName"].unescapeHTML(), folderData["folder"]);
 refreshEvents();
 refreshTasks();
 changeCalendarDisplay();
diff --git a/UI/WebServerResources/UIxContactsUserFolders.js b/UI/WebServerResources/UIxContactsUserFolders.js
index 3a8eb238b..f7e37a771 100644
--- a/UI/WebServerResources/UIxContactsUserFolders.js
+++ b/UI/WebServerResources/UIxContactsUserFolders.js
@@ -192,7 +192,11 @@ function addFolderBranchToTree(tree, user, folder, nodeId, subId, isLast) {
 else icon += 'calendar-folder-16x16.png';
 var folderId = user + ":" + folderInfos[1].substr(1);
- var name = folderInfos[0]; // name has the format "Folername (Firstname Lastname )"
+
+ // name has the format "Foldername (Firstname Lastname )"
+ // We sanitize the value to avoid XSS issues
+ var name = folderInfos[0].escapeHTML();
+
 var pos = name.lastIndexOf(' (');
 if (pos > -1) name = name.substring(0, pos); // strip the part with fullname and email
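Review bot: `folderData["folderName"].unescapeHTML()` in onFolderSubscribeCB now assumes the server always sends folderName as a string; if the key is absent the callback throws a TypeError before refreshEvents() runs, whereas the old call only produced an odd label. If this is Prototype's String#unescapeHTML (the file's `$()`/addClassName usage suggests Prototype), some releases run stripTags() first, so a calendar legitimately named with angle-bracket text would be shown with that text removed rather than verbatim — worth confirming against the bundled Prototype version. Because appendCalendar now inserts the name through createTextNode (first hunk), passing the raw unescaped string is the right contract, but nothing records it; a call-site comment such as `// folderName presumably arrives HTML-escaped from the server; appendCalendar renders it via a text node, so unescape it here to avoid a doubly-encoded label` would keep other callers from passing an escaped value. The rest of onFolderSubscribeCB lies outside the hunk.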