Merge pull request #245 from modoboa/fix/xss_in_folder_name

Fixed XSS vulnerability in folder name

modoboa_webmail/static/modoboa_webmail/js/webmail.js

@@ -481,7 +481,7 @@ Webmail.prototype = {
         });
         var parts = mailbox.name.split(this.options.hdelimiter);
         var linkcontent = "<span class='fa fa-folder'></span> ";
-        var displayname = linkcontent + parts[parts.length - 1];
+        var displayname = linkcontent + htmlEncode(parts[parts.length - 1]);
 
         if (mailbox.removed) {
             $li.addClass('disabled');
@@ -769,7 +769,7 @@ Webmail.prototype = {
             mailbox = $parent.attr("name") + this.options.hdelimiter + mailbox;
         } else {
             $parent = $("#folders > ul");
-            }
+        }
         var $li = this.inject_mailbox($parent, "loadfolder", { name: mailbox });
         this.init_droppables($li);
     },
@@ -786,7 +786,7 @@ Webmail.prototype = {
         if (oldname != newname) {
             var $span = $link.children("span");
 
-            $link.html(" " + newname);
+            $link.html(" " + htmlEncode(newname));
             $link.parent("li").attr("name", newpattern);
             $link.prepend($span);
             $link.attr("href", newpattern);

modoboa_webmail/templatetags/webmail_tags.py

@@ -7,6 +7,7 @@
 from django.urls import reverse
 from django.template.loader import render_to_string
 from django.utils.encoding import smart_str
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext as _
 
@@ -236,7 +237,7 @@ def print_mailboxes(
 
         iclass = mbox["class"] if "class" in mbox \
             else "fa fa-folder"
-        result += "<span class='%s'></span> %s</a>" % (iclass, label)
+        result += "<span class='%s'></span> %s</a>" % (iclass, escape(label))
 
         if "sub" in mbox and mbox["sub"]:
             result += "<ul name='%s' class='nav nav-pills nav-stacked %s'>" % (