Contacts: Avoid double escape in contact list. Fix #970

owncloud-archive · Apr 8, 2013 · 90db320 · 90db320
1 parent 9e927fa
commit 90db320
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 32 deletions.
diff --git a/contacts/js/app.js b/contacts/js/app.js
@@ -782,7 +782,7 @@ OC.Contacts = OC.Contacts || {
 			var $li = self.$addressbookTmpl.octemplate({
 				id: book.id,
 				permissions: book.permissions,
-				displayname: escapeHTML(book.displayname)
+				displayname: book.displayname
 			});
 
 			$li.find('a.action').tipsy({gravity: 'w'});
@@ -1727,55 +1727,60 @@ OC.Contacts = OC.Contacts || {
 };
 
 (function( $ ) {
-	// Support older browsers. From http://www.yelotofu.com/2008/08/jquery-outerhtml/
-	jQuery.fn.outerHTML = function(s) {
-		return s
-			? this.before(s).remove()
-			: jQuery('<p>').append(this.eq(0).clone()).html();
-	};
 	/**
 	* Object Template
 	* Inspired by micro templating done by e.g. underscore.js
 	*/
 	var Template = {
-		init: function(options, elem) {
+		init: function(vars, options, elem) {
 			// Mix in the passed in options with the default options
+			this.vars = vars;
 			this.options = $.extend({},this.options,options);
 
-			// Save the element reference, both as a jQuery
-			// reference and a normal reference
-			this.elem  = elem;
-			this.$elem = $(elem);
+			this.elem = elem;
+			var self = this;
+
+			if(typeof this.options.escapeFunction === 'function') {
+				$.each(this.vars, function(key, val) {
+					if(typeof val === 'string') {
+						self.vars[key] = self.options.escapeFunction(val);
+					}
+				});
+			}
 
-			var _html = this._build(this.options);
-			//console.log('html', this.$elem.html());
+			var _html = this._build(this.vars);
 			return $(_html);
 		},
 		// From stackoverflow.com/questions/1408289/best-way-to-do-variable-interpolation-in-javascript
 		_build: function(o){
-			var data = this.$elem.html();
-				//this.$elem.attr('type') === 'text/template'
-				//? this.$elem.html() : this.$elem.outerHTML();
-			return data.replace(/{([^{}]*)}/g,
-				function (a, b) {
-					var r = o[b];
-					return typeof r === 'string' || typeof r === 'number' ? r : a;
-				}
-			);
+			var data = this.elem.attr('type') === 'text/template' ? this.elem.html() : this.elem.get(0).outerHTML;
+			try {
+				return data.replace(/{([^{}]*)}/g,
+					function (a, b) {
+						var r = o[b];
+						return typeof r === 'string' || typeof r === 'number' ? r : a;
+					}
+				);
+			} catch(e) {
+				console.error(e, 'data:', data)
+			}
 		},
 		options: {
+			escapeFunction: function(str) {return $('<i></i>').text(str).html();}
 		}
 	};
 
-	$.fn.octemplate = function(options) {
-		if ( this.length ) {
+	$.fn.octemplate = function(vars, options) {
+		var vars = vars ? vars : {};
+		if(this.length) {
 			var _template = Object.create(Template);
-			return _template.init(options, this);
+			return _template.init(vars, options, this);
 		}
 	};
 
 })( jQuery );
 
+
 $(document).ready(function() {
 
 	OC.Contacts.init();

diff --git a/contacts/js/contacts.js b/contacts/js/contacts.js
@@ -683,10 +683,10 @@ OC.Contacts = OC.Contacts || {};
 	Contact.prototype.renderListItem = function(isnew) {
 		this.$listelem = this.$listTemplate.octemplate({
 			id: this.id,
-			name: isnew ? escapeHTML(this.getPreferredValue('FN', '')) : this.getPreferredValue('FN', ''),
-			email: isnew ? escapeHTML(this.getPreferredValue('EMAIL', '')) : this.getPreferredValue('EMAIL', ''),
-			tel: isnew ? escapeHTML(this.getPreferredValue('TEL', '')) : this.getPreferredValue('TEL', ''),
-			adr: isnew ? escapeHTML(this.getPreferredValue('ADR', []).clean('').join(', ')) : this.getPreferredValue('ADR', []).clean('').join(', '),
+			name: isnew ? this.getPreferredValue('FN', '') : this.getPreferredValue('FN', ''),
+			email: isnew ? this.getPreferredValue('EMAIL', '') : this.getPreferredValue('EMAIL', ''),
+			tel: isnew ? this.getPreferredValue('TEL', '') : this.getPreferredValue('TEL', ''),
+			adr: isnew ? this.getPreferredValue('ADR', []).clean('').join(', ') : this.getPreferredValue('ADR', []).clean('').join(', '),
 			categories: this.getPreferredValue('CATEGORIES', [])
 				.clean('').join(' / ')
 		});
@@ -1399,7 +1399,7 @@ OC.Contacts = OC.Contacts || {};
 		$(document).bind('status.contact.updated', function(e, data) {
 			if(['FN', 'EMAIL', 'TEL', 'ADR', 'CATEGORIES'].indexOf(data.property) !== -1) {
 				data.contact.getListItemElement().remove();
-				self.insertContact(self.contacts[parseInt(data.contact.id)].renderListItem(true));
+				self.insertContact(data.contact.renderListItem(true));
 			}
 		});
 	};

diff --git a/contacts/lib/vcard.php b/contacts/lib/vcard.php
@@ -763,7 +763,7 @@ public static function structureProperty($property) {
 		}
 		$temp = array(
 			//'name' => $property->name,
-			'value' => \OCP\Util::sanitizeHTML($value),
+			'value' => $value,
 			'parameters' => array()
 		);