Escape HTML in JSON of contacts module

cgx committed Feb 7, 2014
1 parent 7118bbe commit 80a09407652ec04e8c9fb6cb48e1029e69a15765
Showing with 30 additions and 8 deletions.
  1. +1 −1 NEWS
  2. +2 −1 UI/Contacts/UIxContactView.m
  3. +22 −1 UI/Contacts/UIxContactsListActions.m
  4. +5 −5 UI/WebServerResources/ContactsUI.js
2 NEWS
@@ -40,7 +40,7 @@ Bug fixes
- warn user when dnd failed because of a resource conflict (#1613)
- respect the maximum number of bookings when viewing the freebusy information of a resource (#2560)
- encode HTML entities when forwarding an HTML message inline in plain text composition mode (#2411)
- encode HTML entities in JSON data returned by Calendar module (#2598)
- encode HTML entities in JSON data (#2598)
- fixed handling of ACLs on shared calendars with multiple groups (#1854)
- fixed HTML formatting of appointment notifications for Outlook (#2233)
- replace slashes by dashes in filenames of attachments to avoid a 404 return code (#2537)
@@ -29,6 +29,7 @@
#import <NGCards/CardElement.h>
#import <NGCards/NSArray+NGCards.h>
#import <NGExtensions/NSString+Ext.h>
#import <NGExtensions/NSString+misc.h>

#import <SOGo/NSCalendarDate+SOGo.h>
#import <SOGo/SOGoDateFormatter.h>
@@ -71,7 +72,7 @@ - (NSString *) _cardStringWithLabel: (NSString *) label
NSMutableString *cardString;

cardString = [NSMutableString stringWithCapacity: 80];
value = [value stringByReplacingString: @"\r" withString: @""];
value = [[value stringByReplacingString: @"\r" withString: @""] stringByEscapingHTMLString];
if ([value length] > 0)
{
if ([url length] > 0)
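Review bot: Only `value` is escaped in `_cardStringWithLabel:`; the `url` tested on the last visible line is not touched by this change. The method body continues outside the hunk, so this is inferred, but if `url` is later written into a link attribute it needs attribute escaping and a check of its scheme as well, since escaping the displayed text does not constrain the link target. I would also add a comment above the changed line, `// value comes from the stored card; escape it before building markup`, so the trust boundary is recorded where the escaping happens.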
@@ -127,11 +127,32 @@ - (NSArray *) contactInfos
- (id <WOActionResults>) contactsListAction
{
id <WOActionResults> result;
id currentInfo;
NSArray *contactsList;
NSEnumerator *contactsListEnumerator, *keysEnumerator;
NSMutableArray *newContactsList;
NSMutableDictionary *currentContactDictionary;
NSString *key;

contactsList = [self contactInfos];
contactsListEnumerator = [contactsList objectEnumerator];
newContactsList = [NSMutableArray arrayWithCapacity: [contactsList count]];

// Escape HTML
while ((currentContactDictionary = [contactsListEnumerator nextObject]))
{
keysEnumerator = [currentContactDictionary keyEnumerator];
while ((key = [keysEnumerator nextObject]))
{
currentInfo = [currentContactDictionary objectForKey: key];
if ([currentInfo respondsToSelector: @selector (stringByEscapingHTMLString)])
[currentContactDictionary setObject: [currentInfo stringByEscapingHTMLString] forKey: key];
}
[newContactsList addObject: currentContactDictionary];
}

result = [self responseWithStatus: 200
andString: [contactsList jsonRepresentation]];
andString: [newContactsList jsonRepresentation]];

return result;
}
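Review bot: The inner loop calls `setObject:forKey:` on `currentContactDictionary` while `keysEnumerator` is still walking that same dictionary, and Foundation documents modifying a mutable collection during enumeration as unsafe; iterate a snapshot instead, `keysEnumerator = [[currentContactDictionary allKeys] objectEnumerator];`. The dictionaries are also escaped in place, so `newContactsList` holds the very objects returned by `contactInfos`. If that method caches its result (not visible here), a second call would escape the values twice, so building a fresh dictionary per contact would be safer. Only top-level values that respond to `stringByEscapingHTMLString` are covered, so any nested array or dictionary value would reach the client unescaped.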
@@ -103,31 +103,31 @@ function contactsListCallback(http) {
null,
null,
row);
cell.appendChild(document.createTextNode(contact["c_cn"]));
cell.update(contact["c_cn"]);
cell.title = contact["c_cn"];

cell = document.createElement("td");
row.appendChild(cell);
if (contact["c_mail"]) {
cell.appendChild(document.createTextNode(contact["c_mail"]));
cell.update(contact["c_mail"]);
cell.title = contact["c_mail"];
}

if (fullView) {
cell = document.createElement("td");
row.appendChild(cell);
if (contact["c_screenname"])
cell.appendChild(document.createTextNode(contact["c_screenname"]));
cell.update(contact["c_screenname"]);

cell = document.createElement("td");
row.appendChild(cell);
if (contact["c_o"])
cell.appendChild(document.createTextNode(contact["c_o"]));
cell.update(contact["c_o"]);

cell = document.createElement("td");
row.appendChild(cell);
if (contact["c_telephonenumber"])
cell.appendChild(document.createTextNode(contact["c_telephonenumber"]));
cell.update(contact["c_telephonenumber"]);
}
}
}
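Review bot: Replacing `createTextNode()` with `cell.update()` turns each cell into an HTML sink, so the list is now safe only as long as every producer of this JSON escapes every field. Keeping `createTextNode()` and returning raw values from the server would keep the client safe by construction. If the server-side escaping stays, the unchanged `cell.title = contact["c_cn"]` and `cell.title = contact["c_mail"]` lines will show entity text such as `&amp;` literally in the tooltip, and should become `cell.title = contact["c_cn"].unescapeHTML();` (likewise for `c_mail`). `contactsListCallback` begins outside the hunk, so other uses of `contact` were not checked.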
