File 0001-Fix-escaping-of-object-identifiers-in-java... of Package kolab-webadmin

File 0001-Fix-escaping-of-object-identifiers-in-javascript-com.patch of Package kolab-webadmin (Revision 48)

Currently displaying revision 48 , Show latest

From 3b4e4a7d263df3a864e542970dc27c21bd92bf97 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <machniak@kolabsys.com>
Date: Fri, 10 Oct 2014 20:02:16 +0200
Subject: [PATCH 1/3] Fix escaping of object identifiers in javascript command
 (#3675)

---
 lib/kolab_client_task.php |  2 +-
 lib/kolab_utils.php       | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/kolab_client_task.php b/lib/kolab_client_task.php
index 1fe3761..5713a5b 100644
--- a/lib/kolab_client_task.php
+++ b/lib/kolab_client_task.php
@@ -1682,7 +1682,7 @@ class kolab_client_task
                     $i++;
                     $cells = array();
                     $cells[] = array('class' => 'name', 'body' => kolab_html::escape($item),
-                        'onclick' => "kadm.command('$task.info', '$idx')");
+                        'onclick' => "kadm.command('$task.info', '" . kolab_utils::js_escape($idx) . "')");
                     $rows[] = array('id' => $i, 'class' => implode(' ', $class), 'cells' => $cells);
                 }
             }
diff --git a/lib/kolab_utils.php b/lib/kolab_utils.php
index e2602af..91dad55 100644
--- a/lib/kolab_utils.php
+++ b/lib/kolab_utils.php
@@ -206,4 +206,21 @@ class kolab_utils
 
         return $str;
     }
+
+    /**
+     * Escape string for use in javascript code
+     *
+     * @param string $str String
+     *
+     * @return string Escaped string
+     */
+    public static function js_escape($str)
+    {
+        return strtr($str, array(
+                '"'  => '\\"',
+                "'"  => "\\'",
+                "\\" => "\\\\",
+                "\n" => '\n',
+        ));
+    }
 }
-- 
1.9.3