Fix several XSS in delete forms.

horde · Oct 29, 2013 · 30bc1d0 · 30bc1d0
1 parent dbb0c9c
commit 30bc1d0
Show file tree

Hide file tree

Showing 19 changed files with 28 additions and 12 deletions.
diff --git a/horde/docs/CHANGES b/horde/docs/CHANGES
@@ -2,6 +2,7 @@
 v5.1.5-git
 ----------
 
+[jan] SECURITY: Fix XSS vulnerabilities in top and left menu.
 [jan] Don't show admin alarm form if alarms are disabled.
 [mms] Add horde-remove-user-data command-line script.
 [mms] Add additional syntax checking for the configuration files in the test

diff --git a/horde/js/topbar.js b/horde/js/topbar.js
@@ -58,7 +58,7 @@ var HordeTopbar = {
                 }
                 item.insert(this._renderBranch(nodes, nodes[root_node].children));
             }
-            elm.insert(nodes[root_node].label);
+            elm.insert(nodes[root_node].label.escapeHTML());
             $('horde-navigation')
                 .insert(new Element('DIV', { className: 'horde-navipoint' })
                         .insert(new Element('DIV', { className: 'horde-point-left' + active }))
@@ -86,7 +86,7 @@ var HordeTopbar = {
             } else {
                 elm = container;
             }
-            elm.insert(nodes[child].label);
+            elm.insert(nodes[child].label.escapeHTML());
             item = new Element('LI', attr).insert(container);
             if (nodes[child].children) {
                 item.insert(this._renderBranch(nodes, nodes[child].children));

diff --git a/horde/lib/View/Sidebar.php b/horde/lib/View/Sidebar.php
@@ -167,9 +167,10 @@ public function addRow(array $row, $container = '')
 
         $boxrow = isset($row['type']) &&
             ($row['type'] == 'checkbox' || $row['type'] == 'radiobox');
+        $label = htmlspecialchars($row['label']);
 
         if (isset($row['url'])) {
-            $ak = Horde::getAccessKey($row['label']);
+            $ak = Horde::getAccessKey($label);
             $url = empty($row['url']) ? new Horde_Url() : $row['url'];
             $attributes = $ak
                 ? array('accesskey' => $ak)
@@ -192,11 +193,11 @@ public function addRow(array $row, $container = '')
                 }
             }
             $row['link'] = $url->link($attributes)
-                . Horde::highlightAccessKey($row['label'], $ak)
+                . Horde::highlightAccessKey($label, $ak)
                 . '</a>';
         } else {
             $row['link'] = '<span class="horde-resource-none">'
-                . $row['label'] . '</span>';
+                . $label . '</span>';
         }
 
         if ($boxrow) {

diff --git a/horde/package.xml b/horde/package.xml
@@ -39,6 +39,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/lgpl">LGPL-2</license>
  <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in top and left menu.
 * [jan] Don&apos;t show admin alarm form if alarms are disabled.
 * [mms] Add horde-remove-user-data command-line script.
 * [mms] Add additional syntax checking for the configuration files in the test script.
@@ -3777,6 +3778,7 @@
    <date>2013-10-19</date>
    <license uri="http://www.horde.org/licenses/lgpl">LGPL-2</license>
    <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in top and left menu.
 * [jan] Don&apos;t show admin alarm form if alarms are disabled.
 * [mms] Add horde-remove-user-data command-line script.
 * [mms] Add additional syntax checking for the configuration files in the test script.

diff --git a/kronolith/docs/CHANGES b/kronolith/docs/CHANGES
@@ -2,6 +2,7 @@
 v4.1.4-git
 ----------
 
+[jan] SECURITY: Fix XSS vulnerabilities when deleting calendars and resources.
 [jan] Fix edge case that allowed to enter start time after end time (Bug
       #12752).
 [mjr] Expire fb cache when fb_cals preference changes (Bug #12714).

diff --git a/kronolith/lib/Form/DeleteCalendar.php b/kronolith/lib/Form/DeleteCalendar.php
@@ -28,7 +28,7 @@ public function __construct($vars, $calendar)
         parent::__construct($vars, sprintf(_("Delete %s"), $calendar->get('name')));
 
         $this->addHidden('', 'c', 'text', true);
-        $this->addVariable(sprintf(_("Really delete the calendar \"%s\"? This cannot be undone and all data on this calendar will be permanently removed."), $this->_calendar->get('name')), 'desc', 'description', false);
+        $this->addVariable(sprintf(_("Really delete the calendar \"%s\"? This cannot be undone and all data on this calendar will be permanently removed."), htmlspecialchars($this->_calendar->get('name'))), 'desc', 'description', false);
 
         $this->setButtons(array(
             array('class' => 'horde-delete', 'value' => _("Delete")),

diff --git a/kronolith/lib/Form/DeleteResource.php b/kronolith/lib/Form/DeleteResource.php
@@ -31,7 +31,7 @@ public function __construct($vars, $resource)
         parent::__construct($vars, sprintf(_("Delete %s"), $resource->get('name')));
 
         $this->addHidden('', 'c', 'text', true);
-        $this->addVariable(sprintf(_("Really delete the resource \"%s\"? This cannot be undone and all data on this resource will be permanently removed."), $this->_resource->get('name')), 'desc', 'description', false);
+        $this->addVariable(sprintf(_("Really delete the resource \"%s\"? This cannot be undone and all data on this resource will be permanently removed."), htmlspecialchars($this->_resource->get('name'))), 'desc', 'description', false);
 
         $this->setButtons(array(
             array('class' => 'horde-delete', 'value' => _("Delete")),

diff --git a/kronolith/lib/Form/DeleteResourceGroup.php b/kronolith/lib/Form/DeleteResourceGroup.php
@@ -32,7 +32,7 @@ public function __construct($vars, $resource)
 
         $this->addHidden('', 'c', 'text', true);
         $this->addVariable(
-            sprintf(_("Really delete the resource \"%s\"? This cannot be undone and all data on this resource will be permanently removed."), $this->_resource->get('name')),
+            sprintf(_("Really delete the resource \"%s\"? This cannot be undone and all data on this resource will be permanently removed."), htmlspecialchars($this->_resource->get('name'))),
             'desc', 'description', false);
 
         $this->setButtons(array(

diff --git a/kronolith/lib/Form/UnsubscribeRemoteCalendar.php b/kronolith/lib/Form/UnsubscribeRemoteCalendar.php
@@ -22,7 +22,7 @@ public function __construct($vars, $calendar)
         parent::__construct($vars, sprintf(_("Unsubscribe from %s"), $calendar['name']));
 
         $this->addHidden('', 'url', 'text', true);
-        $this->addVariable(sprintf(_("Really unsubscribe from the calendar \"%s\" (%s)?"), $calendar['name'], $calendar['url']), 'desc', 'description', false);
+        $this->addVariable(sprintf(_("Really unsubscribe from the calendar \"%s\" (%s)?"), htmlspecialchars($calendar['name']), htmlspecialchars($calendar['url'])), 'desc', 'description', false);
 
         $this->setButtons(array(
             array('class' => 'horde-delete', 'value' => _("Unsubscribe")),

diff --git a/kronolith/package.xml b/kronolith/package.xml
@@ -34,6 +34,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
  <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting calendars and resources.
 * [jan] Fix edge case that allowed to enter start time after end time (Bug #12752).
 * [mjr] Expire fb cache when fb_cals preference changes (Bug #12714).
 * [jan] Fix setting DTEND in iCalendar data if event has a timezone (Bug #12693).
@@ -2224,6 +2225,7 @@
    <date>2013-08-28</date>
    <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
    <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting calendars and resources.
 * [jan] Fix edge case that allowed to enter start time after end time (Bug #12752).
 * [mjr] Expire fb cache when fb_cals preference changes (Bug #12714).
 * [jan] Fix setting DTEND in iCalendar data if event has a timezone (Bug #12693).

diff --git a/mnemo/docs/CHANGES b/mnemo/docs/CHANGES
@@ -2,6 +2,7 @@
 v4.1.2-git
 ----------
 
+[jan] SECURITY: Fix XSS vulnerabilities when deleting notepads.
 [mjr] Fix removing a list of UIDs via the API (Bug #12790,
       thomas.jarosch@intra2net.com)
 [mjr] Fix exporting memos as v-note (horde@albasoft.com, Bug #12622).

diff --git a/mnemo/lib/Form/DeleteNotepad.php b/mnemo/lib/Form/DeleteNotepad.php
@@ -29,7 +29,7 @@ public function __construct(&$vars, $notepad)
         parent::__construct($vars, sprintf(_("Delete %s"), $notepad->get('name')));
 
         $this->addHidden('', 'n', 'text', true);
-        $this->addVariable(sprintf(_("Really delete the notepad \"%s\"? This cannot be undone and all data on this notepad will be permanently removed."), $this->_notepad->get('name')), 'desc', 'description', false);
+        $this->addVariable(sprintf(_("Really delete the notepad \"%s\"? This cannot be undone and all data on this notepad will be permanently removed."), htmlspecialchars($this->_notepad->get('name'))), 'desc', 'description', false);
 
         $this->setButtons(array(
             array('class' => 'horde-delete', 'value' => _("Delete")),

diff --git a/mnemo/package.xml b/mnemo/package.xml
@@ -28,6 +28,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/apache">ASL</license>
  <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting notepads.
 * [mjr] Fix removing a list of UIDs via the API (Bug #12790, thomas.jarosch@intra2net.com)
 * [mjr] Fix exporting memos as v-note (horde@albasoft.com, Bug #12622).
  </notes>
@@ -1068,6 +1069,7 @@
    <date>2013-07-16</date>
    <license uri="http://www.horde.org/licenses/apache">ASL</license>
    <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting notepads.
 * [mjr] Fix removing a list of UIDs via the API (Bug #12790, thomas.jarosch@intra2net.com)
 * [mjr] Fix exporting memos as v-note (horde@albasoft.com, Bug #12622).
    </notes>

diff --git a/nag/docs/CHANGES b/nag/docs/CHANGES
@@ -2,6 +2,7 @@
 v4.1.3-git
 ----------
 
+[jan] SECURITY: Fix XSS vulnerabilities when deleting task lists.
 [jan] Fix updating alarm if completing a task recurrence.
 [jan] Fix editing tasks via CalDAV (Bug #12745).
 

diff --git a/nag/lib/Form/DeleteTaskList.php b/nag/lib/Form/DeleteTaskList.php
@@ -36,7 +36,7 @@ public function __construct($vars, Horde_Share_Object $tasklist)
         $this->addHidden('', 't', 'text', true);
         $this->addVariable(
             sprintf(_("Really delete the task list \"%s\"? This cannot be undone and all data on this task list will be permanently removed."),
-            $this->_tasklist->get('name')), 'desc', 'description', false
+                    htmlspecialchars($this->_tasklist->get('name'))), 'desc', 'description', false
         );
         $this->setButtons(array(
             array('class' => 'horde-delete', 'value' => _("Delete")),

diff --git a/nag/package.xml b/nag/package.xml
@@ -34,6 +34,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
  <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting task lists.
 * [jan] Fix updating alarm if completing a task recurrence.
 * [jan] Fix editing tasks via CalDAV (Bug #12745).
  </notes>
@@ -1421,6 +1422,7 @@
    <date>2013-08-27</date>
    <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
    <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting task lists.
 * [jan] Fix updating alarm if completing a task recurrence.
 * [jan] Fix editing tasks via CalDAV (Bug #12745).
    </notes>

diff --git a/turba/docs/CHANGES b/turba/docs/CHANGES
@@ -2,6 +2,7 @@
 v4.1.3-git
 ----------
 
+[jan] SECURITY: Fix XSS vulnerabilities when deleting address books.
 [jan] Fix exporting selected contacts (Bug #12759).
 [mms] Improved UI when viewing search results from Advanced Search.
 [mms] Remove features from UI when VFS is not available or disabled.

diff --git a/turba/lib/Form/DeleteAddressBook.php b/turba/lib/Form/DeleteAddressBook.php
@@ -28,7 +28,7 @@ public function __construct($vars, $addressbook)
         parent::__construct($vars, sprintf(_("Delete %s"), $addressbook->get('name')));
 
         $this->addHidden('', 'a', 'text', true);
-        $this->addVariable(sprintf(_("Really delete the address book \"%s\"? This cannot be undone and all contacts in this address book will be permanently removed."), $this->_addressbook->get('name')), 'desc', 'description', false);
+        $this->addVariable(sprintf(_("Really delete the address book \"%s\"? This cannot be undone and all contacts in this address book will be permanently removed."), htmlspecialchars($this->_addressbook->get('name'))), 'desc', 'description', false);
 
         $this->setButtons(array(
             array('class' => 'horde-delete', 'value' => _("Delete")),

diff --git a/turba/package.xml b/turba/package.xml
@@ -40,6 +40,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/asl">ASL</license>
  <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting address books.
 * [jan] Fix exporting selected contacts (Bug #12759).
 * [mms] Improved UI when viewing search results from Advanced Search.
 * [mms] Remove features from UI when VFS is not available or disabled.
@@ -1700,6 +1701,7 @@
    <date>2013-08-27</date>
    <license uri="http://www.horde.org/licenses/asl">ASL</license>
    <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities when deleting address books.
 * [jan] Fix exporting selected contacts (Bug #12759).
 * [mms] Improved UI when viewing search results from Advanced Search.
 * [mms] Remove features from UI when VFS is not available or disabled.