
Commit 1228a68

committed
Escape content (Bug #11189).
1 parent ddb5b4a commit 1228a68

3 files changed

+9
-5
lines changed


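--- a/kronolith/docs/CHANGES
+++ b/kronolith/docs/CHANGES
@@ -2,6 +2,8 @@
 v3.0.17-git
 -----------
 
+[jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug
+#11189).
 [jan] Update Italian translation (Massimo Malabotta <mmalabotta@units.it>).
 [jan] Improve print styles.
 [jan] Catch if external client doesn't send LAST-MODIFIED attributes (Bug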

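--- a/kronolith/js/kronolith.js
+++ b/kronolith/js/kronolith.js
@@ -194,7 +194,7 @@ KronolithCore = {
 .insert(message);
 if (alarm.params && alarm.params.notify &&
 alarm.params.notify.subtitle) {
-message.insert(new Element('br')).insert(alarm.params.notify.subtitle);
+message.insert(new Element('br')).insert(alarm.params.notify.subtitle.escapeHTML());
 }
 if (alarm.user) {
 var select = '<select>';
@@ -811,7 +811,7 @@ KronolithCore = {
 return this.setTitle(Kronolith.text.agenda + ' ' + dates[0].toString(Kronolith.conf.date_format) + ' - ' + dates[1].toString(Kronolith.conf.date_format));
 
 case 'search':
-return this.setTitle(Kronolith.text.searching.interpolate({ term: data }));
+return this.setTitle(Kronolith.text.searching.interpolate({ term: data })).escapeHTML();
 }
 },
 
@@ -2494,7 +2494,7 @@ KronolithCore = {
 
 if (!Object.isUndefined(task.value.sd)) {
 col.insert(new Element('span', { className: 'kronolithSeparator' }).update(' &middot; '));
-col.insert(new Element('span', { className: 'kronolithInfo' }).update(task.value.sd));
+col.insert(new Element('span', { className: 'kronolithInfo' }).update(task.value.sd.escapeHTML()));
 }
 
 row.insert(col.show());
@@ -2988,7 +2988,7 @@ KronolithCore = {
 $('kronolithCalendarholidayDriver').insert(
 new Element('option', { value: calendar.name })
 .setStyle({ color: calendar.fg, backgroundColor: calendar.bg })
-.insert(calendar.name)
+.insert(calendar.name.escapeHTML())
 );
 });
 break;
@@ -5329,7 +5329,7 @@ KronolithCore = {
 $('kronolithEventId').setValue(ev.id);
 $('kronolithEventCalendar').setValue(ev.ty + '|' + ev.c);
 $('kronolithEventTarget').setValue(ev.ty + '|' + ev.c);
-$('kronolithEventTargetRO').update(Kronolith.conf.calendars[ev.ty][ev.c].name);
+$('kronolithEventTargetRO').update(Kronolith.conf.calendars[ev.ty][ev.c].name.escapeHTML());
 $('kronolithEventTitle').setValue(ev.t);
 $('kronolithEventLocation').setValue(ev.l);
 if (ev.l && Kronolith.conf.maps.driver) {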
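Review bot: In the `@@ -811` hunk the new `.escapeHTML()` is applied to the return value of `this.setTitle(...)`, after the raw search term has already been interpolated into the title and handed to setTitle, so whatever setTitle renders still receives the unescaped `data` and the search-view XSS this commit claims to fix is not closed here. The escaping has to happen on the term before interpolation: `return this.setTitle(Kronolith.text.searching.interpolate({ term: data.escapeHTML() }));`. As written the line also throws at runtime if setTitle returns anything other than a string (for example `this`), since `escapeHTML` is a String.prototype extension. setTitle's body is not in the hunk, so whether it writes the title into the DOM via `update()` cannot be confirmed from here; the enclosing function starts and ends outside the hunk.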

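--- a/kronolith/package.xml
+++ b/kronolith/package.xml
@@ -34,6 +34,7 @@
 </stability>
 <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
 <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
 * [jan] Update Italian translation (Massimo Malabotta &lt;mmalabotta@units.it&gt;).
 * [jan] Improve print styles.
 * [jan] Catch if external client doesn&apos;t send LAST-MODIFIED attributes (Bug #11130).
@@ -2082,6 +2083,7 @@
 <date>2012-03-20</date>
 <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
 <notes>
+* [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
 * [jan] Update Italian translation (Massimo Malabotta &lt;mmalabotta@units.it&gt;).
 * [jan] Improve print styles.
 * [jan] Catch if external client doesn&apos;t send LAST-MODIFIED attributes (Bug #11130).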
