amorfo77/sogo
1
0
Fork 0
mirror of https://github.com/inverse-inc/sogo.git synced 2026-02-17 07:33:57 +00:00
Code Issues Projects Releases Wiki Activity

fix(vulnerability): prevent xss with events, tasks and contacts categories

Browse Source
This commit is contained in:
Hivert Quentin
2025-12-16 10:25:49 +01:00
parent 47239ba0fd
commit e9b3f2a43d
4 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
UI/Contacts/UIxContactEditor.m
View File

@@ -485,7 +485,7 @@ static Class SOGoContactGCSEntryK = Nil;
co = [self clientObject]; co = [self clientObject];
card = [co vCard]; card = [co vCard];
request = [context request]; request = [context request];
params = [[request contentAsString] objectFromJSONString]; params = [[[request contentAsString] stringWithoutHTMLInjection: YES] objectFromJSONString];
forceSave = [[params objectForKey: @"ignoreDuplicate"] boolValue]; forceSave = [[params objectForKey: @"ignoreDuplicate"] boolValue];
[self setAttributes: params]; [self setAttributes: params];

2
UI/Contacts/UIxListEditor.m
View File

@@ -339,7 +339,7 @@
[list retain]; [list retain];
request = [context request]; request = [context request];
params = [[request contentAsString] objectFromJSONString]; params = [[[request contentAsString] stringWithoutHTMLInjection: YES] objectFromJSONString];
o = [params objectForKey: @"refs"]; o = [params objectForKey: @"refs"];
if (![o isKindOfClass: [NSArray class]]) if (![o isKindOfClass: [NSArray class]])

2
UI/Scheduler/UIxAppointmentEditor.m
View File

@@ -556,7 +556,7 @@
ex = nil; ex = nil;
request = [context request]; request = [context request];
params = [[request contentAsString] objectFromJSONString]; params = [[[request contentAsString] stringWithoutHTMLInjection: NO] objectFromJSONString];
if (params == nil) if (params == nil)
{ {
ex = [NSException exceptionWithName: @"JSONParsingException" ex = [NSException exceptionWithName: @"JSONParsingException"

2
UI/Scheduler/UIxTaskEditor.m
View File

@@ -335,7 +335,7 @@
ex = nil; ex = nil;
request = [context request]; request = [context request];
params = [[request contentAsString] objectFromJSONString]; params = [[[request contentAsString] stringWithoutHTMLInjection: NO] objectFromJSONString];
if (params == nil) if (params == nil)
{ {
ex = [NSException exceptionWithName: @"JSONParsingException" ex = [NSException exceptionWithName: @"JSONParsingException"