From 80a09407652ec04e8c9fb6cb48e1029e69a15765 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Fri, 7 Feb 2014 15:52:43 -0500
Subject: [PATCH] Escape HTML in JSON of contacts module
---
 NEWS | 2 +-
 UI/Contacts/UIxContactView.m | 3 ++-
 UI/Contacts/UIxContactsListActions.m | 23 ++++++++++++++++++++++-
 UI/WebServerResources/ContactsUI.js | 10 +++++-----
 4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/NEWS b/NEWS
index 9a2ffc2d2..cd582679f 100644
--- a/NEWS
+++ b/NEWS
@@ -40,7 +40,7 @@ Bug fixes
 - warn user when dnd failed because of a resource conflict (#1613)
 - respect the maximum number of bookings when viewing the freebusy information of a resource (#2560)
 - encode HTML entities when forwarding an HTML message inline in plain text composition mode (#2411)
- - encode HTML entities in JSON data returned by Calendar module (#2598)
+ - encode HTML entities in JSON data (#2598)
 - fixed handling of ACLs on shared calendars with multiple groups (#1854)
 - fixed HTML formatting of appointment notifications for Outlook (#2233)
 - replace slashes by dashes in filenames of attachments to avoid a 404 return code (#2537)
diff --git a/UI/Contacts/UIxContactView.m b/UI/Contacts/UIxContactView.m
index d7e282762..486fff107 100644
--- a/UI/Contacts/UIxContactView.m
+++ b/UI/Contacts/UIxContactView.m
@@ -29,6 +29,7 @@
 #import
 #import
 #import
+#import
 #import
 #import
@@ -71,7 +72,7 @@
 NSMutableString *cardString;
 cardString = [NSMutableString stringWithCapacity: 80];
- value = [value stringByReplacingString: @"\r" withString: @""];
+ value = [[value stringByReplacingString: @"\r" withString: @""] stringByEscapingHTMLString];
 if ([value length] > 0)
 {
 if ([url length] > 0)
diff --git a/UI/Contacts/UIxContactsListActions.m b/UI/Contacts/UIxContactsListActions.m
index 1b9ab62f4..c3438d46d 100644
--- a/UI/Contacts/UIxContactsListActions.m
+++ b/UI/Contacts/UIxContactsListActions.m
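Review bot: The added line escapes `value` but leaves `url` untouched, and the context line right below branches on `[url length] > 0`, which suggests `url` is about to be emitted next to it; if it lands in an `href` attribute it needs the same treatment plus a scheme check, since an HTML-escaped label does nothing against a `javascript:` link. I would escape it at the same point, `url = [url stringByEscapingHTMLString];`, and reject anything that is not http(s)/mailto before building the anchor, assuming that is what the rest of the method does. Note also that from here on `value` is already markup-safe, so any later escape of the same string in this method would double-encode it. The enclosing method starts before and continues past this hunk, so the `url` handling is not visible here.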
@@ -127,11 +127,32 @@
 - (id ) contactsListAction
 {
 id result;
+ id currentInfo;
 NSArray *contactsList;
+ NSEnumerator *contactsListEnumerator, *keysEnumerator;
+ NSMutableArray *newContactsList;
+ NSMutableDictionary *currentContactDictionary;
+ NSString *key;
 contactsList = [self contactInfos];
+ contactsListEnumerator = [contactsList objectEnumerator];
+ newContactsList = [NSMutableArray arrayWithCapacity: [contactsList count]];
+
+ // Escape HTML
+ while ((currentContactDictionary = [contactsListEnumerator nextObject]))
+ {
+ keysEnumerator = [currentContactDictionary keyEnumerator];
+ while ((key = [keysEnumerator nextObject]))
+ {
+ currentInfo = [currentContactDictionary objectForKey: key];
+ if ([currentInfo respondsToSelector: @selector (stringByEscapingHTMLString)])
+ [currentContactDictionary setObject: [currentInfo stringByEscapingHTMLString] forKey: key];
+ }
+ [newContactsList addObject: currentContactDictionary];
+ }
+
 result = [self responseWithStatus: 200
- andString: [contactsList jsonRepresentation]];
+ andString: [newContactsList jsonRepresentation]];
 return result;
 }
diff --git a/UI/WebServerResources/ContactsUI.js b/UI/WebServerResources/ContactsUI.js
index ad106b261..93360260a 100644
--- a/UI/WebServerResources/ContactsUI.js
+++ b/UI/WebServerResources/ContactsUI.js
@@ -103,13 +103,13 @@ function contactsListCallback(http) {
 null, null, row);
- cell.appendChild(document.createTextNode(contact["c_cn"]));
+ cell.update(contact["c_cn"]);
 cell.title = contact["c_cn"];
 cell = document.createElement("td");
 row.appendChild(cell);
 if (contact["c_mail"]) {
- cell.appendChild(document.createTextNode(contact["c_mail"]));
+ cell.update(contact["c_mail"]);
 cell.title = contact["c_mail"];
 }
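Review bot: The escaping loop rewrites the dictionaries returned by `-contactInfos` in place (`setObject:forKey:` on `currentContactDictionary` while its own `keyEnumerator` is still running), and `newContactsList` then receives those same objects, so the second array buys nothing while the originals are permanently altered. If `contactInfos` hands back cached or shared dictionaries this also means they are escaped again on every call (`&amp;` becoming `&amp;amp;`), and the code assumes every element is an `NSMutableDictionary`, which the hunk does not show. I would build a fresh dictionary per contact and leave the source untouched, which also removes the mutation-during-enumeration; `result` and the `newContactsList` serialization stay as they are.
```objc
  NSMutableDictionary *escapedContact;
  // … unchanged: other declarations, contactsList / enumerator setup …

  // Escape every string value into a fresh dictionary so the objects
  // returned by -contactInfos are neither mutated nor escaped twice
  while ((currentContactDictionary = [contactsListEnumerator nextObject]))
    {
      escapedContact = [NSMutableDictionary dictionaryWithCapacity: [currentContactDictionary count]];
      keysEnumerator = [currentContactDictionary keyEnumerator];
      while ((key = [keysEnumerator nextObject]))
        {
          currentInfo = [currentContactDictionary objectForKey: key];
          if ([currentInfo respondsToSelector: @selector (stringByEscapingHTMLString)])
            currentInfo = [currentInfo stringByEscapingHTMLString];
          [escapedContact setObject: currentInfo forKey: key];
        }
      [newContactsList addObject: escapedContact];
    }
  // … unchanged: response construction …
```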
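Review bot: The unchanged `cell.title = contact["c_cn"];` and `cell.title = contact["c_mail"];` lines now receive the server-escaped string, and `title` is a plain-text DOM property, so a contact named `O'Brien & Sons` will show its entity form in the tooltip; the switch from `createTextNode` to `cell.update(...)` (which looks like Prototype's `Element#update`, i.e. innerHTML) fixes only the cell body. If Prototype's `String#unescapeHTML` is available here, `cell.title = contact["c_cn"].unescapeHTML();` and `cell.title = contact["c_mail"].unescapeHTML();` restore the raw text for that sink. More broadly, the data is now safe for exactly one output context, so any other consumer of this JSON must be checked for the same mismatch. `contactsListCallback` continues past this hunk.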
@@ -117,17 +117,17 @@ function contactsListCallback(http) {
 cell = document.createElement("td");
 row.appendChild(cell);
 if (contact["c_screenname"])
- cell.appendChild(document.createTextNode(contact["c_screenname"]));
+ cell.update(contact["c_screenname"]);
 cell = document.createElement("td");
 row.appendChild(cell);
 if (contact["c_o"])
- cell.appendChild(document.createTextNode(contact["c_o"]));
+ cell.update(contact["c_o"]);
 cell = document.createElement("td");
 row.appendChild(cell);
 if (contact["c_telephonenumber"])
- cell.appendChild(document.createTextNode(contact["c_telephonenumber"]));
+ cell.update(contact["c_telephonenumber"]);
 }
 }
 }
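Review bot: Each of the three `cell.update(...)` calls renders the contact field as markup, so freedom from injection now rests entirely on `contactsListAction` having escaped every string value before serialization, and nothing in this file records that invariant; a later reader could switch a field back to `createTextNode` (showing entities literally) or reuse the same JSON as plain text without noticing. I would add above the first `cell.update` in this hunk: `// contact[*] values arrive HTML-escaped from contactsListAction; update() sets innerHTML, so never treat them as plain text`. The loop and function close at the end of the hunk, but `contactsListCallback` begins before it.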