Escape content (Bug #11189).
yunosh committed May 12, 2012
1 parent ddb5b4a commit 1228a68
Showing 3 changed files with 9 additions and 5 deletions.
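--- a/kronolith/docs/CHANGES
+++ b/kronolith/docs/CHANGES
@@ -2,6 +2,8 @@
 v3.0.17-git
 -----------
 
+[jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug
+#11189).
 [jan] Update Italian translation (Massimo Malabotta <mmalabotta@units.it>).
 [jan] Improve print styles.
 [jan] Catch if external client doesn't send LAST-MODIFIED attributes (Bug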
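--- a/kronolith/js/kronolith.js
+++ b/kronolith/js/kronolith.js
@@ -194,7 +194,7 @@ KronolithCore = {
 .insert(message);
 if (alarm.params && alarm.params.notify &&
 alarm.params.notify.subtitle) {
-message.insert(new Element('br')).insert(alarm.params.notify.subtitle);
+message.insert(new Element('br')).insert(alarm.params.notify.subtitle.escapeHTML());
 }
 if (alarm.user) {
 var select = '<select>';
@@ -811,7 +811,7 @@ KronolithCore = {
 return this.setTitle(Kronolith.text.agenda + ' ' + dates[0].toString(Kronolith.conf.date_format) + ' - ' + dates[1].toString(Kronolith.conf.date_format));
 
 case 'search':
-return this.setTitle(Kronolith.text.searching.interpolate({ term: data }));
+return this.setTitle(Kronolith.text.searching.interpolate({ term: data })).escapeHTML();
 }
 },
 
@@ -2494,7 +2494,7 @@ KronolithCore = {
 
 if (!Object.isUndefined(task.value.sd)) {
 col.insert(new Element('span', { className: 'kronolithSeparator' }).update(' &middot; '));
-col.insert(new Element('span', { className: 'kronolithInfo' }).update(task.value.sd));
+col.insert(new Element('span', { className: 'kronolithInfo' }).update(task.value.sd.escapeHTML()));
 }
 
 row.insert(col.show());
@@ -2988,7 +2988,7 @@ KronolithCore = {
 $('kronolithCalendarholidayDriver').insert(
 new Element('option', { value: calendar.name })
 .setStyle({ color: calendar.fg, backgroundColor: calendar.bg })
-.insert(calendar.name)
+.insert(calendar.name.escapeHTML())
 );
 });
 break;
@@ -5329,7 +5329,7 @@ KronolithCore = {
 $('kronolithEventId').setValue(ev.id);
 $('kronolithEventCalendar').setValue(ev.ty + '|' + ev.c);
 $('kronolithEventTarget').setValue(ev.ty + '|' + ev.c);
-$('kronolithEventTargetRO').update(Kronolith.conf.calendars[ev.ty][ev.c].name);
+$('kronolithEventTargetRO').update(Kronolith.conf.calendars[ev.ty][ev.c].name.escapeHTML());
 $('kronolithEventTitle').setValue(ev.t);
 $('kronolithEventLocation').setValue(ev.l);
 if (ev.l && Kronolith.conf.maps.driver) {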
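Review bot: In the `case 'search'` hunk (@@ -811), `.escapeHTML()` is chained onto the return value of `this.setTitle(...)` rather than onto the search term, so the title is still set from the raw interpolated string and the escaping runs afterwards on whatever setTitle returns; the search-view XSS named in the CHANGES entry is therefore not closed by this line. If setTitle returns something other than a string (for example `this` for chaining), the new line would also throw a TypeError on every search. The term should be escaped before interpolation: `return this.setTitle(Kronolith.text.searching.interpolate({ term: data.escapeHTML() }));`. The enclosing function starts and ends outside the hunk, and setTitle's treatment of its argument as HTML or text is not visible here, so confirm the escaping site against its body. The other four hunks apply `.escapeHTML()` directly to the inserted value and look correct.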
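--- a/kronolith/package.xml
+++ b/kronolith/package.xml
@@ -34,6 +34,7 @@
 </stability>
 <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
 <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
 * [jan] Update Italian translation (Massimo Malabotta &lt;mmalabotta@units.it&gt;).
 * [jan] Improve print styles.
 * [jan] Catch if external client doesn&apos;t send LAST-MODIFIED attributes (Bug #11130).
@@ -2082,6 +2083,7 @@
 <date>2012-03-20</date>
 <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
 <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
 * [jan] Update Italian translation (Massimo Malabotta &lt;mmalabotta@units.it&gt;).
 * [jan] Improve print styles.
 * [jan] Catch if external client doesn&apos;t send LAST-MODIFIED attributes (Bug #11130).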
