Properly escape the foldername to avoid XSS issues

This commit is contained in:
Ludovic Marcotte
2013-06-27 11:06:07 -04:00
parent a2a89e8720
commit 25dbd4849d
2 changed files with 7 additions and 5 deletions


@@ -192,7 +192,11 @@ function addFolderBranchToTree(tree, user, folder, nodeId, subId, isLast) {
else
icon += 'calendar-folder-16x16.png';
var folderId = user + ":" + folderInfos[1].substr(1);
var name = folderInfos[0]; // name has the format "Folername (Firstname Lastname <email>)"
// name has the format "Foldername (Firstname Lastname <email>)"
// We sanitize the value to avoid XSS issues
var name = folderInfos[0].escapeHTML();
var pos = name.lastIndexOf(' (');
if (pos > -1)
name = name.substring(0, pos); // strip the part with fullname and email