From 3385473a0aabba3943b4d63cf531c91f52a79ffa Mon Sep 17 00:00:00 2001
From: helge <helge@e4a50df8-12e2-0310-a44c-efbce7f8a7e3>
Date: Thu, 17 Aug 2006 17:31:04 +0000
Subject: [PATCH] properly escape JS in HTML

git-svn-id: http://svn.opengroupware.org/SOPE/trunk@1341 e4a50df8-12e2-0310-a44c-efbce7f8a7e3
---
 sope-appserver/WEExtensions/ChangeLog       |  5 +++++
 sope-appserver/WEExtensions/JSStringTable.m | 11 ++++++++---
 sope-appserver/WEExtensions/Version         |  2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/sope-appserver/WEExtensions/ChangeLog b/sope-appserver/WEExtensions/ChangeLog
index 04bed36a..6096ac77 100644
--- a/sope-appserver/WEExtensions/ChangeLog
+++ b/sope-appserver/WEExtensions/ChangeLog
@@ -1,3 +1,8 @@
+2006-08-17  Wolfgang Sourdeau  <WSourdeau@Inverse.CA>
+
+	* JSStringTable.m: properly HTML escape JavaScript inside <script>
+	  sections (v4.5.89)
+
 2006-07-24  Helge Hess  <helge.hess@opengroupware.org>
 
 	* WEWeekOverview.m: use -warnWithFormat:, minor code cleanups (v4.5.88)
diff --git a/sope-appserver/WEExtensions/JSStringTable.m b/sope-appserver/WEExtensions/JSStringTable.m
index db9aaa6e..053f6211 100644
--- a/sope-appserver/WEExtensions/JSStringTable.m
+++ b/sope-appserver/WEExtensions/JSStringTable.m
@@ -81,6 +81,7 @@
 /* generate response */
 
 + (void)appendTable:(id)_table withIdentifier:(NSString *)_identifier
+  doEscape:(BOOL)_htmlEscape
   toResponse:(WOResponse *)_response
 {
   NSEnumerator *keys;
@@ -111,9 +112,9 @@
     value = [value stringByReplacingString:@"\"" withString:@"\\\""];
     
     [_response appendContentString:@"  \""];
-    [_response appendContentString:key];
+    [_response appendContentHTMLString:key];
     [_response appendContentString:@"\": \""];
-    [_response appendContentString:value];
+    [_response appendContentHTMLString:value];
     [_response appendContentString:@"\""];
   }
   [_response appendContentString:@"\n};\n"];
@@ -155,6 +156,7 @@
     if (table != nil) {
       [_response appendContentString:@"<script type=\"text/javascript\">\n"];
       [[self class] appendTable:table withIdentifier:lidentifier
+		    doEscape:YES /* HTML escape */
 		    toResponse:_response];
       [_response appendContentString:@"</script>"];
     }
@@ -256,7 +258,9 @@ static NSString *etag = nil;
     return r;
   }
   
-  [r setHeader:@"application/x-javascript" forKey:@"content-type"];
+  [r setContentEncoding:NSUTF8StringEncoding];
+  [r setHeader:@"application/x-javascript; charset=utf-8"
+     forKey:@"content-type"];
   [r setHeader:etag                        forKey:@"etag"];
   
   /* check preconditions */
@@ -272,6 +276,7 @@ static NSString *etag = nil;
   
   [[JSStringTable class] 
     appendTable:table withIdentifier:[rq formValueForKey:@"id"]
+    doEscape:NO
     toResponse:r];
   return r;
 }
diff --git a/sope-appserver/WEExtensions/Version b/sope-appserver/WEExtensions/Version
index b015e49b..deecfada 100644
--- a/sope-appserver/WEExtensions/Version
+++ b/sope-appserver/WEExtensions/Version
@@ -1,6 +1,6 @@
 # version file
 
-SUBMINOR_VERSION:=88
+SUBMINOR_VERSION:=89
 
 # v4.5.76 requires libNGObjWeb v4.5.176
 # v4.5.75 requires libNGObjWeb v4.5.174
-- 
2.39.5