mirror of
https://github.com/inverse-inc/sogo.git
synced 2026-07-14 21:04:53 +00:00
Fix encoding of HTML attributes in Contacts module
This commit is contained in:
@@ -7,6 +7,7 @@ Bug fixes
|
||||
- [eas] when using EAS/ItemOperations, use IMAP PEEK operation
|
||||
- [web] fixed recipients when replying from a message in the Sent mailbox (#2625)
|
||||
- [web] fixed localizable strings in Card viewer
|
||||
- [web] properly encode HTML attributes in Contacts module to avoid XSS issues
|
||||
|
||||
2.3.11 (2016-05-12)
|
||||
-------------------
|
||||
|
||||
@@ -151,11 +151,11 @@
|
||||
|
||||
<var:foreach list="personalContactInfos" item="currentContact">
|
||||
<tr var:class="currentContactClasses"
|
||||
var:categories="currentContact.c_categories.asSafeJSString"
|
||||
var:categories="currentContact.c_categories.safeStringByEscapingXMLString"
|
||||
var:id="currentContact.c_name.asCSSIdentifier"
|
||||
var:contactname="currentContact.c_cn.asSafeJSString">
|
||||
<td class="displayName" var:title="currentContact.c_cn.asSafeJSString"><var:string value="currentContact.c_cn" const:escapeHTML="YES" /></td>
|
||||
<td var:title="currentContact.c_mail.asSafeJSString"><var:string value="currentContact.c_mail"/></td>
|
||||
var:contactname="currentContact.c_cn.safeStringByEscapingXMLString">
|
||||
<td class="displayName" var:title="currentContact.c_cn.safeStringByEscapingXMLString"><var:string value="currentContact.c_cn" const:escapeHTML="YES" /></td>
|
||||
<td var:title="currentContact.c_mail.safeStringByEscapingXMLString"><var:string value="currentContact.c_mail"/></td>
|
||||
<td><var:string value="currentContact.c_screenname"/></td>
|
||||
<td><var:string value="currentContact.c_o"/></td>
|
||||
<td><var:string value="currentContact.c_telephonenumber"/></td>
|
||||
|
||||
Reference in New Issue
Block a user