From a2a89e8720cfd44f885c34d5626d78b6b20a6b3b Mon Sep 17 00:00:00 2001
From: Jean Raby
Date: Wed, 26 Jun 2013 16:55:39 -0400
Subject: [PATCH 1/5] Fix loading of MSExchangeFreeBusySOAPResponseMap

---
 SoObjects/Appointments/GNUmakefile | 2 +-
 SoObjects/Appointments/MSExchangeFreeBusy.m | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/SoObjects/Appointments/GNUmakefile b/SoObjects/Appointments/GNUmakefile
index 10fd04297..5d0a40152 100644
--- a/SoObjects/Appointments/GNUmakefile
+++ b/SoObjects/Appointments/GNUmakefile
@@ -50,7 +50,7 @@ Appointments_OBJC_FILES = \
 Appointments_RESOURCE_FILES += \
 product.plist \
- \
+ MSExchangeFreeBusySOAPResponseMap.plist \
 MSExchangeFreeBusySOAPRequest.wo
 Appointments_LANGUAGES = Arabic BrazilianPortuguese Catalan Czech Danish Dutch English Finnish French German Hungarian Icelandic Italian NorwegianBokmal NorwegianNynorsk Polish Russian Slovak SpanishSpain SpanishArgentina Swedish Ukrainian Welsh
diff --git a/SoObjects/Appointments/MSExchangeFreeBusy.m b/SoObjects/Appointments/MSExchangeFreeBusy.m
index 0aa0f8b19..c11ca9f31 100644
--- a/SoObjects/Appointments/MSExchangeFreeBusy.m
+++ b/SoObjects/Appointments/MSExchangeFreeBusy.m
@@ -20,6 +20,7 @@
 * Boston, MA 02111-1307, USA.
 */
+#import
 #import
 #import
@@ -97,8 +98,10 @@ size_t curl_body_function_freebusy(void *ptr, size_t size, size_t nmemb, void *i
 MSExchangeFreeBusySOAPRequest *soapRequest;
 MSExchangeFreeBusyResponse *freeBusyResponse;
 NSString *rawRequest, *url, *body, *hostname, *httpauth, *authname, *password;
+NSString *mapFile;
 NSArray *infos = nil;
 NSDictionary *root;
+NSBundle *bundle;
 CURL *curl;
 struct curl_slist *headerlist=NULL;
@@ -161,7 +164,13 @@ size_t curl_body_function_freebusy(void *ptr, size_t size, size_t nmemb, void *i
 }
 if (sax == nil && parser != nil)
 {
- sax = [[SaxObjectDecoder alloc] initWithMappingAtPath:@"./MSExchangeFreeBusySOAPResponseMap.plist"];
+ bundle = [NSBundle bundleForClass: [self class]];
+ mapFile = [bundle pathForResource: @"MSExchangeFreeBusySOAPResponseMap" ofType: @"plist"];
+ if (![mapFile length])
+ {
+ [self errorWithFormat: @"mapFile not found (MSExchangeFreeBusySOAPResponseMap.plist)"];
+ }
+ sax = [[SaxObjectDecoder alloc] initWithMappingAtPath: mapFile];
 [parser setContentHandler:sax];
 //[parser setErrorHandler:sax];
 }
From 25dbd4849de23b9ceb747ff061dffd0f1cf98cde Mon Sep 17 00:00:00 2001
From: Ludovic Marcotte
Date: Thu, 27 Jun 2013 11:06:07 -0400
Subject: [PATCH 2/5] Properly escape the foldername to avoid XSS issues

---
 UI/WebServerResources/SchedulerUI.js | 6 ++----
 UI/WebServerResources/UIxContactsUserFolders.js | 6 +++++-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/UI/WebServerResources/SchedulerUI.js b/UI/WebServerResources/SchedulerUI.js
index d7d3d981c..bd7ad3943 100644
--- a/UI/WebServerResources/SchedulerUI.js
+++ b/UI/WebServerResources/SchedulerUI.js
@@ -3076,9 +3076,7 @@ function appendCalendar(folderName, folderPath) {
 var colorBox = document.createElement("div");
 li.appendChild(colorBox);
- li.appendChild(document.createTextNode(folderName
- .replace("<", "<", "g")
- .replace(">", ">", "g")));
+ li.appendChild(document.createTextNode(folderName));
 colorBox.appendChild(document.createTextNode("OO"));
 $(colorBox).addClassName("colorBox");
@@ -3119,7 +3117,7 @@ function appendStyleElement(folderPath, color) {
 function onFolderSubscribeCB(folderData) {
 var folder = $(folderData["folder"]);
 if (!folder) {
- appendCalendar(folderData["folderName"], folderData["folder"]);
+ appendCalendar(folderData["folderName"].unescapeHTML(), folderData["folder"]);
 refreshEvents();
 refreshTasks();
 changeCalendarDisplay();
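Review bot: The new `if (![mapFile length])` branch only logs through `errorWithFormat:` and then falls through to `sax = [[SaxObjectDecoder alloc] initWithMappingAtPath: mapFile]` with a nil path, and the result is still installed with `[parser setContentHandler:sax]`, so a missing mapping file is reported but the Exchange response is parsed anyway with no mapping (or with a nil handler) rather than rejected — unless `initWithMappingAtPath:` itself refuses a nil path, which is not visible here. The branch should leave the method right after the log call, e.g. `return nil;` or whatever exit value the method's return type calls for; the method's body starts and ends outside the hunk, so the right value is for the author to pick, and the `sax == nil` guard on the enclosing `if` suggests a nil `sax` must not reach the parser. Resolving the mapping through `NSBundle` instead of the former `./MSExchangeFreeBusySOAPResponseMap.plist` is the right direction: the old path was relative to the daemon's working directory, which the code does not control.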
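Review bot: `appendCalendar` now treats `folderName` as plain text (`document.createTextNode(folderName)` in the first hunk) while the second hunk has `onFolderSubscribeCB` call `.unescapeHTML()` first, which only works because the `folderName` in `folderData` evidently arrives HTML-escaped; that contract is implicit, and a future caller can just as easily pass an escaped name (showing `&lt;` literally) or skip the unescape where the value goes into a markup sink. A comment on the parameter, e.g. `// folderName is plain text: it is inserted through a text node, so callers must pass the unescaped name`, makes the expectation explicit; whether the other callers of `appendCalendar` already comply is outside the hunk. Relying on a text node is the right sink here — the removed `.replace(..., "g")` form used a non-standard third argument and on most engines replaced only the first occurrence.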
diff --git a/UI/WebServerResources/UIxContactsUserFolders.js b/UI/WebServerResources/UIxContactsUserFolders.js
index 3a8eb238b..f7e37a771 100644
--- a/UI/WebServerResources/UIxContactsUserFolders.js
+++ b/UI/WebServerResources/UIxContactsUserFolders.js
@@ -192,7 +192,11 @@ function addFolderBranchToTree(tree, user, folder, nodeId, subId, isLast) {
 else icon += 'calendar-folder-16x16.png';
 var folderId = user + ":" + folderInfos[1].substr(1);
- var name = folderInfos[0]; // name has the format "Folername (Firstname Lastname )"
+
+ // name has the format "Foldername (Firstname Lastname )"
+ // We sanitize the value to avoid XSS issues
+ var name = folderInfos[0].escapeHTML();
+
 var pos = name.lastIndexOf(' (');
 if (pos > -1)
 name = name.substring(0, pos); // strip the part with fullname and email
From 4359b05da8ba291b9bbc00e330d65575a4dbb253 Mon Sep 17 00:00:00 2001
From: Jean Raby
Date: Thu, 27 Jun 2013 11:33:44 -0400
Subject: [PATCH 3/5] updated NEWS

---
 NEWS | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/NEWS b/NEWS
index 2849bd1ec..cc95fd884 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,10 @@
+2.0.6b (2013-06-27)
+------------------
+
+Bug fixes
+ - Properly escape the foldername to avoid XSS issues
+ - Fix loading of MSExchangeFreeBusySOAPResponseMap
+
 2.0.6a (2013-06-25)
 ------------------
From 70cd64a626470e0c07ac0f8cb7119cab6e763bfa Mon Sep 17 00:00:00 2001
From: Jean Raby
Date: Thu, 27 Jun 2013 11:34:06 -0400
Subject: [PATCH 4/5] Update ChangeLog

---
 ChangeLog | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index cb2235b73..c5005f5d7 100644
--- a/ChangeLog
+++ b/ChangeLog
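Review bot: `name` is HTML-escaped at the point of assignment (`var name = folderInfos[0].escapeHTML();`) rather than at the point of insertion, and the place where it is finally put into the tree is outside the hunk; that is only correct if every later use of `name` is an innerHTML-style sink — set through a text node or a DOM attribute it would display the entities literally — and it does nothing for the other values built alongside it (`folderId`, `icon`), which need their own treatment if they reach markup. A comment next to the assignment such as `// name is HTML-escaped from here on: use it only in HTML (innerHTML) contexts` records the invariant; escaping at the sink instead would make it self-evident. The `lastIndexOf(' (')` trim after escaping is unaffected, since entity text never contains that sequence. `addFolderBranchToTree` starts and ends outside the hunk.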
@@ -1,3 +1,46 @@
+commit 4359b05da8ba291b9bbc00e330d65575a4dbb253
+Author: Jean Raby
+Date: Thu Jun 27 11:33:44 2013 -0400
+
+ updated NEWS
+
+M NEWS
+
+commit 25dbd4849de23b9ceb747ff061dffd0f1cf98cde
+Author: Ludovic Marcotte
+Date: Thu Jun 27 11:06:07 2013 -0400
+
+ Properly escape the foldername to avoid XSS issues
+
+M UI/WebServerResources/SchedulerUI.js
+M UI/WebServerResources/UIxContactsUserFolders.js
+
+commit a2a89e8720cfd44f885c34d5626d78b6b20a6b3b
+Author: Jean Raby
+Date: Wed Jun 26 16:55:39 2013 -0400
+
+ Fix loading of MSExchangeFreeBusySOAPResponseMap
+
+M SoObjects/Appointments/GNUmakefile
+M SoObjects/Appointments/MSExchangeFreeBusy.m
+
+commit 2581f6c56895820d126fbbcdc45512f0c17a67df
+Author: Jean Raby
+Date: Tue Jun 25 09:19:37 2013 -0400
+
+ Update for 2.0.6a
+
+M NEWS
+M Version
+
+commit 20369631c9425d47d4e86d98d914c9d64b820c56
+Author: Jean Raby
+Date: Tue Jun 25 09:17:03 2013 -0400
+
+ Update ChangeLog
+
+M ChangeLog
+
 commit 1221da24439397bf66c9701ba356bd61fe4eff12
 Author: Jean Raby
 Date: Tue Jun 25 09:12:27 2013 -0400
From f42d52743df169d6bfdc58428e920dd6208a1879 Mon Sep 17 00:00:00 2001
From: Jean Raby
Date: Thu, 27 Jun 2013 11:35:17 -0400
Subject: [PATCH 5/5] bump version to 2.0.6b

---
 Version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Version b/Version
index 17167dc90..67a949875 100644
--- a/Version
+++ b/Version
@@ -4,4 +4,4 @@
 MAJOR_VERSION=2
 MINOR_VERSION=0
-SUBMINOR_VERSION=6a
+SUBMINOR_VERSION=6b