Properly escape the foldername to avoid XSS issues

Ludovic Marcotte
2013-06-27 11:06:07 -04:00
parent a2a89e8720
commit 25dbd4849d
2 changed files with 7 additions and 5 deletions


@@ -3076,9 +3076,7 @@ function appendCalendar(folderName, folderPath) {
var colorBox = document.createElement("div");
li.appendChild(colorBox);
li.appendChild(document.createTextNode(folderName
.replace("&lt;", "<", "g")
.replace("&gt;", ">", "g")));
li.appendChild(document.createTextNode(folderName));
colorBox.appendChild(document.createTextNode("OO"));
$(colorBox).addClassName("colorBox");
@@ -3119,7 +3117,7 @@ function appendStyleElement(folderPath, color) {
function onFolderSubscribeCB(folderData) {
var folder = $(folderData["folder"]);
if (!folder) {
appendCalendar(folderData["folderName"], folderData["folder"]);
appendCalendar(folderData["folderName"].unescapeHTML(), folderData["folder"]);
refreshEvents();
refreshTasks();
changeCalendarDisplay();
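Review bot: appendCalendar now takes folderName as raw, decoded text, and the only thing keeping that safe is the `document.createTextNode(folderName)` sink in the first hunk; neither the function nor the `onFolderSubscribeCB` call site documents this contract. Because the value returned by `.unescapeHTML()` can contain live `<` and `>`, any later use of the same string through `innerHTML` or Prototype's `update()` would bring the XSS back, and any other caller of appendCalendar that still passes an HTML-escaped name (none are visible here) would now display literal entities. I would add a comment above the text-node line such as `// folderName is raw text: insert only via createTextNode, never as HTML`. Both function bodies continue outside the hunks, so the rest of appendCalendar should be checked for other uses of folderName.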