From 67ce01ec2a1a7854d8e9f615dd65afb949043e86 Mon Sep 17 00:00:00 2001
From: Hivert Quentin
Date: Sun, 3 May 2026 15:08:15 +0200
Subject: [PATCH] fix(mail): sanitise mail with ics (invitation to event)
---
 SoObjects/SOGo/NSString+Utilities.m | 28 +++++++++++++++-------
 UI/MailPartViewers/UIxMailPartICalViewer.m | 11 ++++++---
 2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
index 45480cf32..bf90d3cbf 100644
--- a/SoObjects/SOGo/NSString+Utilities.m
+++ b/SoObjects/SOGo/NSString+Utilities.m
@@ -1031,16 +1031,26 @@ static int cssEscapingCount; newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"]+)" + options: NSRegularExpressionCaseInsensitive error: &error]; + newResult = [regex stringByReplacingMatchesInString: result options: 0 range: NSMakeRange(0, [result length]) withTemplate: @"on***=\"\""]; result = [NSString stringWithString: newResult]; // Remove @import css (in style tags)
diff --git a/UI/MailPartViewers/UIxMailPartICalViewer.m b/UI/MailPartViewers/UIxMailPartICalViewer.m
index 7831900db..d8f75272e 100644
--- a/UI/MailPartViewers/UIxMailPartICalViewer.m
+++ b/UI/MailPartViewers/UIxMailPartICalViewer.m
@@ -44,6 +44,7 @@
 #import
 #import
 #import
+#import
 #import
 #import
 #import
@@ -81,8 +82,7 @@
 {
 if (!inCalendar)
 {
- inCalendar
- = [iCalCalendar parseSingleFromSource: [self flatContentAsString]];
+ inCalendar = [iCalCalendar parseSingleFromSource: [self flatContentAsString]];
 [inCalendar retain];
 }
@@ -583,7 +583,12 @@
 [[person partStatWithDefault] lowercaseString], @"partstat", nil]];
 }
- [d setObject: a forKey: @"participants"];
+ [d setObject: a forKey: @"participants"];
+
+ //Sanitise the html content
+ if([d objectForKey:@"content"]){
+ [d setObject: [[d objectForKey:@"content"] stringWithoutHTMLInjection: NO] forKey: @"content"];
+ }
 return d;
 }
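Review bot: In the NSString+Utilities.m hunk the new case-insensitive regex is built with `error: &error`, but neither `regex` nor `error` is checked before use; a nil `regex` makes `stringByReplacingMatchesInString:` return nil, and the following `result = [NSString stringWithString: newResult];` raises on a nil argument. The mail viewer change in this commit apparently relies on this code as its sanitiser, so the failure should be explicit and closed rather than an exception mid-render, for example `if (!regex) return @"";` directly after the regex is created. The enclosing method starts and ends outside the hunk, so the right return value needs checking there. The pattern text is not fully legible on this page; a comment above it stating which attribute forms it is meant to match (quoted, unquoted, any case), plus a regression test with one sample of each, would make later edits to the expression safer.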
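Review bot: The sanitising block added at the end of the last UIxMailPartICalViewer.m hunk only rewrites the `content` key, while the `participants` array stored just above it is built from `person` objects of the same untrusted invitation and is left as parsed; if the template emits any of those values as HTML (not visible in this hunk) they need the same treatment or output encoding. The call also assumes the stored value is an NSString, since anything else under `content` would not respond to `stringWithoutHTMLInjection:`. I would fetch it once and guard the type: `NSString *content = [d objectForKey: @"content"];` followed by `if ([content isKindOfClass: [NSString class]]) [d setObject: [content stringWithoutHTMLInjection: NO] forKey: @"content"];`. A short comment saying what the `NO` argument selects would help, because it is not evident from the call site. The enclosing method starts outside the hunk.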