From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001
From: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date: Wed, 26 Nov 2025 13:22:38 +0100
Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in
 theme query

---
 UI/SOGoUI/UIxComponent.m | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
index a8658e772..012d6edea 100644
--- a/UI/SOGoUI/UIxComponent.m
+++ b/UI/SOGoUI/UIxComponent.m
@@ -395,14 +395,18 @@ static SoProduct      *commonProduct      = nil;
 
 - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
 {
-  NSString *dst, *rel, *theme;
+  NSString *dst, *rel, *theme, *safeTheme;
 
   dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
   rel = [dst urlPathRelativeToPath:[self ownPath]];
 
   theme = [[context request] formValueForKey: @"theme"];
   if ([theme length])
-    rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
+  {
+    safeTheme = [theme stringWithoutHTMLInjection: YES];
+    if([safeTheme isEqualToString: theme])
+      rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
+  }
 
   return rel;
 }