properly escape JS in HTML
authorhelge <helge@e4a50df8-12e2-0310-a44c-efbce7f8a7e3>
Thu, 17 Aug 2006 17:31:04 +0000 (17:31 +0000)
committerhelge <helge@e4a50df8-12e2-0310-a44c-efbce7f8a7e3>
Thu, 17 Aug 2006 17:31:04 +0000 (17:31 +0000)
git-svn-id: http://svn.opengroupware.org/SOPE/trunk@1341 e4a50df8-12e2-0310-a44c-efbce7f8a7e3

sope-appserver/WEExtensions/ChangeLog
sope-appserver/WEExtensions/JSStringTable.m
sope-appserver/WEExtensions/Version

index 04bed36ab4243d8123aaa1fccf3325093624cc41..6096ac77d1fec13978e7ef32945dd61af058dbec 100644 (file)
@@ -1,3 +1,8 @@
+2006-08-17  Wolfgang Sourdeau  <WSourdeau@Inverse.CA>
+
+       * JSStringTable.m: properly HTML escape JavaScript inside <script>
+         sections (v4.5.89)
+
 2006-07-24  Helge Hess  <helge.hess@opengroupware.org>
 
        * WEWeekOverview.m: use -warnWithFormat:, minor code cleanups (v4.5.88)
index db9aaa6e4c047d9649d21e6033fbb4a53ea1b1e8..053f6211492a700757b66d82d08e153c20040a8a 100644 (file)
@@ -81,6 +81,7 @@
 /* generate response */
 
 + (void)appendTable:(id)_table withIdentifier:(NSString *)_identifier
+  doEscape:(BOOL)_htmlEscape
   toResponse:(WOResponse *)_response
 {
   NSEnumerator *keys;
     value = [value stringByReplacingString:@"\"" withString:@"\\\""];
     
     [_response appendContentString:@"  \""];
-    [_response appendContentString:key];
+    [_response appendContentHTMLString:key];
     [_response appendContentString:@"\": \""];
-    [_response appendContentString:value];
+    [_response appendContentHTMLString:value];
     [_response appendContentString:@"\""];
   }
   [_response appendContentString:@"\n};\n"];
     if (table != nil) {
       [_response appendContentString:@"<script type=\"text/javascript\">\n"];
       [[self class] appendTable:table withIdentifier:lidentifier
+                   doEscape:YES /* HTML escape */
                    toResponse:_response];
       [_response appendContentString:@"</script>"];
     }
@@ -256,7 +258,9 @@ static NSString *etag = nil;
     return r;
   }
   
-  [r setHeader:@"application/x-javascript" forKey:@"content-type"];
+  [r setContentEncoding:NSUTF8StringEncoding];
+  [r setHeader:@"application/x-javascript; charset=utf-8"
+     forKey:@"content-type"];
   [r setHeader:etag                        forKey:@"etag"];
   
   /* check preconditions */
@@ -272,6 +276,7 @@ static NSString *etag = nil;
   
   [[JSStringTable class] 
     appendTable:table withIdentifier:[rq formValueForKey:@"id"]
+    doEscape:NO
     toResponse:r];
   return r;
 }
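Review bot: The new `_htmlEscape` argument is never consulted in the changed lines of `+appendTable:withIdentifier:doEscape:toResponse:`; both `key` and `value` now go through `appendContentHTMLString:` unconditionally, so the `doEscape:NO` call that builds the standalone `application/x-javascript` response would still emit HTML entities such as `&amp;` and `&quot;` inside its string literals. Branch on the flag at both append sites, as in the excerpt below. Separately, on the `doEscape:YES` path an HTML parser treats `<script>` content as raw text and does not decode entities, so this escaping only round-trips when the page is parsed as XHTML/XML, which is not visible here; the string literal also needs backslash and line-break escaping, and only the `\"` replacement is visible in the context line. The method body starts and ends outside the shown hunks.

```objc
    [_response appendContentString:@"  \""];
    if (_htmlEscape)
      [_response appendContentHTMLString:key];
    else
      [_response appendContentString:key];
    [_response appendContentString:@"\": \""];
    if (_htmlEscape)
      [_response appendContentHTMLString:value];
    else
      [_response appendContentString:value];
    /* … unchanged: closing quote and end of loop … */
```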
index b015e49bed52a9385c919252ba2b71212283d7a7..deecfadacfd229e9f1a9a919e4407ee45d8e867a 100644 (file)
@@ -1,6 +1,6 @@
 # version file
 
-SUBMINOR_VERSION:=88
+SUBMINOR_VERSION:=89
 
 # v4.5.76 requires libNGObjWeb v4.5.176
 # v4.5.75 requires libNGObjWeb v4.5.174