Escape HTML in raw source of Cards

NEWS

@@ -4,7 +4,8 @@
 Bug fixes
  - [web] fixed generic avatar in lists (#3719)
  - [web] fixed validation in Sieve filter editor
- - [web] properly encode events and tasks rawsource to avoid XSS issues (#3718)
+ - [web] properly encode rawsource of events and tasks to avoid XSS issues (#3718)
+ - [web] properly encode rawsource of cards to avoid XSS issues
 
 3.1.2 (2016-06-06)
 ------------------

UI/Contacts/UIxContactActions.m

@@ -20,6 +20,8 @@
 
 #import <Foundation/NSArray.h>
 
+#import <NGExtensions/NSString+misc.h>
+
 #import <NGObjWeb/WOContext.h>
 #import <NGObjWeb/WORequest.h>
 #import <NGObjWeb/WOResponse.h>
@@ -140,7 +142,7 @@
   [content appendFormat: @"%@", [[self clientObject] contentAsString]];
   [response setHeader: @"text/plain; charset=utf-8" 
             forKey: @"content-type"];
-  [response appendContentString: content];
+  [response appendContentString: [content stringByEscapingHTMLString]];
 
   return response;
 }

UI/Templates/ContactsUI/UIxContactViewTemplate.wox

@@ -192,7 +192,7 @@
           </md-button>
         </md-card-actions>
         <md-card-content>
-          <pre>{{editor.rawSource}}</pre>
+          <pre ng-bind-html="editor.rawSource"><!-- raw --></pre>
         </md-card-content>
       </md-card>
     </div>