(fix) Escaping of unexpected characters in emails

Properly encode characters in DOM attributes. Fixes #3241
2026-03-02 13:46:23 +00:00 · 2015-06-11 13:14:19 -04:00
parent 76196bf6f4
commit 667e38ff0c
1 changed files with 25 additions and 14 deletions
--- a/UI/Contacts/UIxContactView.m
+++ b/UI/Contacts/UIxContactView.m
@@ -1,6 +1,6 @@
 /*
  Copyright (C) 2004 SKYRIX Software AG
-  Copyright (C) 2005-2014 Inverse inc.
+  Copyright (C) 2005-2015 Inverse inc.

  This file is part of SOGo.
 
@@ -138,9 +138,13 @@
  if ([email length] > 0)
    {
      fn = [card fn];
-      fn = [fn stringByReplacingString: @"\""  withString: @""];
-      fn = [fn stringByReplacingString: @"'"  withString: @"\\\'"];
-      attrs = [NSString stringWithFormat: @"onclick=\"return openMailTo('%@ <%@>');\"", fn, email];
+      if ([fn length] > 0)
+        attrs = [NSString stringWithFormat: @"%@ <%@>", fn, email];
+      else
+        attrs = email;
+      attrs = [attrs stringByReplacingString: @"'"  withString: @"\\'"];
+      attrs = [attrs stringByReplacingString: @"\""  withString: @"\\\""];
+      attrs = [NSString stringWithFormat: @"onclick=\"return openMailTo('%@');\"", attrs];
    }
  else
    {
@@ -181,16 +185,23 @@
      for (i = 0; i < [emails count]; i++)
 	{
 	  email = [[emails objectAtIndex: i] flattenedValuesForKey: @""];
-          fn = [card fn];
-          fn = [fn stringByReplacingString: @"\""  withString: @""];
-          fn = [fn stringByReplacingString: @"'"  withString: @"\\\'"];
-          attrs = [NSString stringWithFormat: @"onclick=\"return openMailTo('%@ <%@>');\"", fn, email];
-          
-          [secondaryEmails addObject: [self _cardStringWithLabel: nil
-                                                           value: email
-                                            byEscapingHTMLString: YES
-                                                    asLinkScheme: @"mailto:"
-                                              withLinkAttributes: attrs]];
+          if ([email length])
+            {
+              fn = [card fn];
+              if ([fn length])
+                attrs = [NSString stringWithFormat: @"%@ <%@>", fn, email];
+              else
+                attrs = email;
+              attrs = [attrs stringByReplacingString: @"'"  withString: @"\\'"];
+              attrs = [attrs stringByReplacingString: @"\""  withString: @"\\\""];
+              attrs = [NSString stringWithFormat: @"onclick=\"return openMailTo('%@');\"", attrs];
+
+              [secondaryEmails addObject: [self _cardStringWithLabel: nil
+                                                               value: email
+                                                byEscapingHTMLString: YES
+                                                        asLinkScheme: @"mailto:"
+                                                  withLinkAttributes: attrs]];
+            }
        }
    }
  else