Escape content (Bug #11189).

commit 1228a6825a8dab3333d0a8c8986fc10d1f3d11b2 1 parent ddb5b4a
@yunosh yunosh authored
2  kronolith/docs/CHANGES
@@ -2,6 +2,8 @@
v3.0.17-git
-----------
+[jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug
+ #11189).
[jan] Update Italian translation (Massimo Malabotta <mmalabotta@units.it>).
[jan] Improve print styles.
[jan] Catch if external client doesn't send LAST-MODIFIED attributes (Bug
10 kronolith/js/kronolith.js
@@ -194,7 +194,7 @@ KronolithCore = {
.insert(message);
if (alarm.params && alarm.params.notify &&
alarm.params.notify.subtitle) {
- message.insert(new Element('br')).insert(alarm.params.notify.subtitle);
+ message.insert(new Element('br')).insert(alarm.params.notify.subtitle.escapeHTML());
}
if (alarm.user) {
var select = '<select>';
@@ -811,7 +811,7 @@ KronolithCore = {
return this.setTitle(Kronolith.text.agenda + ' ' + dates[0].toString(Kronolith.conf.date_format) + ' - ' + dates[1].toString(Kronolith.conf.date_format));
case 'search':
- return this.setTitle(Kronolith.text.searching.interpolate({ term: data }));
+ return this.setTitle(Kronolith.text.searching.interpolate({ term: data })).escapeHTML();
}
},
@@ -2494,7 +2494,7 @@ KronolithCore = {
if (!Object.isUndefined(task.value.sd)) {
col.insert(new Element('span', { className: 'kronolithSeparator' }).update(' &middot; '));
- col.insert(new Element('span', { className: 'kronolithInfo' }).update(task.value.sd));
+ col.insert(new Element('span', { className: 'kronolithInfo' }).update(task.value.sd.escapeHTML()));
}
row.insert(col.show());
@@ -2988,7 +2988,7 @@ KronolithCore = {
$('kronolithCalendarholidayDriver').insert(
new Element('option', { value: calendar.name })
.setStyle({ color: calendar.fg, backgroundColor: calendar.bg })
- .insert(calendar.name)
+ .insert(calendar.name.escapeHTML())
);
});
break;
@@ -5329,7 +5329,7 @@ KronolithCore = {
$('kronolithEventId').setValue(ev.id);
$('kronolithEventCalendar').setValue(ev.ty + '|' + ev.c);
$('kronolithEventTarget').setValue(ev.ty + '|' + ev.c);
- $('kronolithEventTargetRO').update(Kronolith.conf.calendars[ev.ty][ev.c].name);
+ $('kronolithEventTargetRO').update(Kronolith.conf.calendars[ev.ty][ev.c].name.escapeHTML());
$('kronolithEventTitle').setValue(ev.t);
$('kronolithEventLocation').setValue(ev.l);
if (ev.l && Kronolith.conf.maps.driver) {
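Review bot: In the `case 'search'` hunk the new `.escapeHTML()` is chained onto the return value of `this.setTitle(...)` rather than onto the search term, so the title is still built from the raw `data` and the escaping does not touch what is displayed; if `setTitle` returns nothing, the chained call will also throw a TypeError. The intended line is `return this.setTitle(Kronolith.text.searching.interpolate({ term: data.escapeHTML() }));`, which escapes the user-supplied term before it is interpolated. This presumes `setTitle` treats its argument as HTML, which the other hunks' use of `escapeHTML()` on `.update()`/`.insert()` arguments suggests but `setTitle` itself is not visible here. The enclosing method starts and ends outside the hunk.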
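--- a/kronolith/package.xml
+++ b/kronolith/package.xml
@@ -34,6 +34,7 @@
 </stability>
 <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
 <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
 * [jan] Update Italian translation (Massimo Malabotta &lt;mmalabotta@units.it&gt;).
 * [jan] Improve print styles.
 * [jan] Catch if external client doesn&apos;t send LAST-MODIFIED attributes (Bug #11130).
@@ -2082,6 +2083,7 @@
 <date>2012-03-20</date>
 <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
 <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
 * [jan] Update Italian translation (Massimo Malabotta &lt;mmalabotta@units.it&gt;).
 * [jan] Improve print styles.
 * [jan] Catch if external client doesn&apos;t send LAST-MODIFIED attributes (Bug #11130).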