Escape HTML in raw source of events and tasks

Fixes #3718

NEWS

@@ -4,6 +4,7 @@
 Bug fixes
  - [web] fixed generic avatar in lists (#3719)
  - [web] fixed validation in Sieve filter editor
+ - [web] properly encode events and tasks rawsource to avoid XSS issues (#3718)
 
 3.1.2 (2016-06-06)
 ------------------

UI/Scheduler/UIxComponentEditor.m

@@ -875,7 +875,7 @@ static NSArray *reminderValues = nil;
   [content appendFormat: @"%@", [[self clientObject] contentAsString]];
   [response setHeader: @"text/plain; charset=utf-8" 
             forKey: @"content-type"];
-  [response appendContentString: content];
+  [response appendContentString: [content stringByEscapingHTMLString]];
 
   return response;
 }

UI/WebServerResources/js/Scheduler/ComponentController.js

@@ -167,23 +167,23 @@
           template: [
             '<md-dialog flex="40" flex-sm="80" flex-xs="100" aria-label="' + l('View Raw Source') + '">',
             '  <md-dialog-content class="md-dialog-content">',
-            '    <pre>',
+            '    <pre ng-bind-html="data"></pre>',
-            data,
-            '    </pre>',
             '  </md-dialog-content>',
             '  <md-dialog-actions>',
             '    <md-button ng-click="close()">' + l('Close') + '</md-button>',
             '  </md-dialog-actions>',
             '</md-dialog>'
           ].join(''),
-          controller: ComponentRawSourceDialogController
+          controller: ComponentRawSourceDialogController,
+          locals: { data: data }
         });
 
         /**
          * @ngInject
          */
-        ComponentRawSourceDialogController.$inject = ['scope', '$mdDialog'];
+        ComponentRawSourceDialogController.$inject = ['scope', '$mdDialog', 'data'];
-        function ComponentRawSourceDialogController(scope, $mdDialog) {
+        function ComponentRawSourceDialogController(scope, $mdDialog, data) {
+          scope.data = data;
           scope.close = function() {
             $mdDialog.hide();
           };