From e9b3f2a43d7557e8416f6749df4ab4f9128af2d1 Mon Sep 17 00:00:00 2001
From: Hivert Quentin
Date: Tue, 16 Dec 2025 10:25:49 +0100
Subject: [PATCH] fix(vulnerability): prevent xss with events, tasks and contacts categories
---
 UI/Contacts/UIxContactEditor.m | 2 +-
 UI/Contacts/UIxListEditor.m | 2 +-
 UI/Scheduler/UIxAppointmentEditor.m | 2 +-
 UI/Scheduler/UIxTaskEditor.m | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/UI/Contacts/UIxContactEditor.m b/UI/Contacts/UIxContactEditor.m
index e01475d87..a4d5f620b 100644
--- a/UI/Contacts/UIxContactEditor.m
+++ b/UI/Contacts/UIxContactEditor.m
@@ -485,7 +485,7 @@ static Class SOGoContactGCSEntryK = Nil;
 co = [self clientObject];
 card = [co vCard];
 request = [context request];
- params = [[request contentAsString] objectFromJSONString];
+ params = [[[request contentAsString] stringWithoutHTMLInjection: YES] objectFromJSONString];
 forceSave = [[params objectForKey: @"ignoreDuplicate"] boolValue];
 [self setAttributes: params];
diff --git a/UI/Contacts/UIxListEditor.m b/UI/Contacts/UIxListEditor.m
index 9e9c67309..477714c1d 100644
--- a/UI/Contacts/UIxListEditor.m
+++ b/UI/Contacts/UIxListEditor.m
@@ -339,7 +339,7 @@
 [list retain];
 request = [context request];
- params = [[request contentAsString] objectFromJSONString];
+ params = [[[request contentAsString] stringWithoutHTMLInjection: YES] objectFromJSONString];
 o = [params objectForKey: @"refs"];
 if (![o isKindOfClass: [NSArray class]])
diff --git a/UI/Scheduler/UIxAppointmentEditor.m b/UI/Scheduler/UIxAppointmentEditor.m
index 5ef8e8e79..27b94ef17 100644
--- a/UI/Scheduler/UIxAppointmentEditor.m
+++ b/UI/Scheduler/UIxAppointmentEditor.m
@@ -556,7 +556,7 @@
 ex = nil;
 request = [context request];
- params = [[request contentAsString] objectFromJSONString];
+ params = [[[request contentAsString] stringWithoutHTMLInjection: NO] objectFromJSONString];
 if (params == nil) { ex = [NSException exceptionWithName: @"JSONParsingException"
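Review bot: The new `params = [[[request contentAsString] stringWithoutHTMLInjection: YES] objectFromJSONString];` line filters the raw JSON text before it is decoded, so markup that reaches the decoder only through JSON string escapes is materialised after the filter has already run, and if `stringWithoutHTMLInjection:` rewrites quotes or backslashes it can also alter the JSON structure itself; the same pattern appears in UIxListEditor.m, UIxAppointmentEditor.m and UIxTaskEditor.m. Parse first and apply the filter to the decoded category values, with output encoding where those values are rendered as the primary defense, so the request body is left intact. The BOOL argument differs between the contact editors (`YES`) and the scheduler editors (`NO`) with nothing saying what it selects; a one-line comment at each call site stating what the argument controls and why the two groups differ would help the next reader. Because the whole body is filtered, fields other than the categories named in the commit title, such as free-text notes or descriptions containing angle brackets, are presumably rewritten too, which the commit message does not mention. The enclosing methods start and end outside each hunk.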
diff --git a/UI/Scheduler/UIxTaskEditor.m b/UI/Scheduler/UIxTaskEditor.m
index ad86e5c8f..8f2e136a8 100644
--- a/UI/Scheduler/UIxTaskEditor.m
+++ b/UI/Scheduler/UIxTaskEditor.m
@@ -335,7 +335,7 @@
 ex = nil;
 request = [context request];
- params = [[request contentAsString] objectFromJSONString];
+ params = [[[request contentAsString] stringWithoutHTMLInjection: NO] objectFromJSONString];
 if (params == nil) { ex = [NSException exceptionWithName: @"JSONParsingException"