
Escape HTML in raw source of events and tasks

Fixes #3718
cgx committed Jun 8, 2016
1 parent 97e6385 commit 64ce3c9c22fd9a28caabf11e76216cd53d0245aa
Showing with 8 additions and 7 deletions.
  1. +1 −0 NEWS
  2. +1 −1 UI/Scheduler/UIxComponentEditor.m
  3. +6 −6 UI/WebServerResources/js/Scheduler/ComponentController.js
1 NEWS
@@ -4,6 +4,7 @@
Bug fixes
- [web] fixed generic avatar in lists (#3719)
- [web] fixed validation in Sieve filter editor
- [web] properly encode events and tasks rawsource to avoid XSS issues (#3718)

3.1.2 (2016-06-06)
------------------
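Review bot: wording nit in the added NEWS line `[web] properly encode events and tasks rawsource to avoid XSS issues (#3718)`: `rawsource` should be two words (`raw source`, as the dialog title `View Raw Source` in this same commit spells it), and `encode` is better stated as `escape`, matching the commit title and the actual call (`stringByEscapingHTMLString`).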
@@ -875,7 +875,7 @@ - (WOResponse *) rawAction
[content appendFormat: @"%@", [[self clientObject] contentAsString]];
[response setHeader: @"text/plain; charset=utf-8"
forKey: @"content-type"];
[response appendContentString: content];
[response appendContentString: [content stringByEscapingHTMLString]];

return response;
}
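Review bot: the escaped string is still sent with `content-type: text/plain; charset=utf-8`, so any client that fetches `rawAction` directly now receives HTML entities (`&lt;`, `&amp;`, ...) in place of the raw iCalendar text, which no longer matches what the header and the method name promise. If the web client is the only consumer this is acceptable, but it should be stated in a comment above `[response appendContentString: [content stringByEscapingHTMLString]];`; otherwise keep this endpoint raw and do the escaping on the rendering side, where a text-only binding makes injection impossible without altering the transport.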
@@ -167,23 +167,23 @@
template: [
'<md-dialog flex="40" flex-sm="80" flex-xs="100" aria-label="' + l('View Raw Source') + '">',
' <md-dialog-content class="md-dialog-content">',
' <pre>',
data,
' </pre>',
' <pre ng-bind-html="data"></pre>',
' </md-dialog-content>',
' <md-dialog-actions>',
' <md-button ng-click="close()">' + l('Close') + '</md-button>',
' </md-dialog-actions>',
'</md-dialog>'
].join(''),
controller: ComponentRawSourceDialogController
controller: ComponentRawSourceDialogController,
locals: { data: data }
});

/**
* @ngInject
*/
ComponentRawSourceDialogController.$inject = ['scope', '$mdDialog'];
function ComponentRawSourceDialogController(scope, $mdDialog) {
ComponentRawSourceDialogController.$inject = ['scope', '$mdDialog', 'data'];
function ComponentRawSourceDialogController(scope, $mdDialog, data) {
scope.data = data;
scope.close = function() {
$mdDialog.hide();
};
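Review bot: `<pre ng-bind-html="data"></pre>` only works when the `ngSanitize` module is loaded as an application dependency; without it AngularJS refuses to render an untrusted string and raises `$sce:unsafe`, and nothing in this hunk shows that dependency, so please confirm it. Also note that `$sanitize` strips anything it considers unsafe from the (already server-escaped) text, so the dialog is not guaranteed to show the source byte for byte. Since the intent is to display the raw source as text rather than as markup, `ng-bind="data"` on the `<pre>` (which sets `textContent` and never parses HTML) is the simpler and safer binding, and it would also let the server keep returning unescaped text. The rest of the hunk is fine: passing `data` through `locals` and adding it to `$inject` removes the string concatenation of user content into the template, which was the actual injection point.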

2 comments on commit 64ce3c9

@extrafu

Member

replied Jun 8, 2016

I guess the same neat stuff should be done when viewing the raw source of a card, and perhaps even a mail.

@cgx

Member Author

replied Jun 8, 2016

Fixed for Cards (1db09de). Mail is OK.
