author | Aleksander Machniak <machniak@kolabsys.com> | 2014-10-10 20:02:16 +0200 |
---|---|---|
committer | Aleksander Machniak <machniak@kolabsys.com> | 2014-10-10 20:02:16 +0200 |
commit | 3b4e4a7d263df3a864e542970dc27c21bd92bf97 (patch) | |
tree | 2cbd76bc1c48f604ab14650b337544169ea5ac36 | |
parent | 0066895d146564b3aae8db643b5dd0c1af72d4ce (diff) | |
download | webadmin-3b4e4a7d263df3a864e542970dc27c21bd92bf97.tar.gz |
Fix escaping of object identifiers in javascript command (#3675)
-rw-r--r-- | lib/kolab_client_task.php | 2 | ||||
-rw-r--r-- | lib/kolab_utils.php | 17 |
2 files changed, 18 insertions, 1 deletions
diff --git a/lib/kolab_client_task.php b/lib/kolab_client_task.php
index 1fe3761..5713a5b 100644
--- a/lib/kolab_client_task.php
+++ b/lib/kolab_client_task.php
@@ -1682,7 +1682,7 @@ class kolab_client_task
             $i++;
             $cells = array();
             $cells[] = array('class' => 'name', 'body' => kolab_html::escape($item),
-                'onclick' => "kadm.command('$task.info', '$idx')");
+                'onclick' => "kadm.command('$task.info', '" . kolab_utils::js_escape($idx) . "')");
             $rows[] = array('id' => $i, 'class' => implode(' ', $class), 'cells' => $cells);
         }
     }
diff --git a/lib/kolab_utils.php b/lib/kolab_utils.php
index e2602af..91dad55 100644
--- a/lib/kolab_utils.php
+++ b/lib/kolab_utils.php
@@ -206,4 +206,21 @@ class kolab_utils
         return $str;
     }
 
+
+    /**
+     * Escape string for use in javascript code
+     *
+     * @param string $str String
+     *
+     * @return string Escaped string
+     */
+    public static function js_escape($str)
+    {
+        return strtr($str, array(
+            '"' => '\\"',
+            "'" => "\\'",
+            "\\" => "\\\\",
+            "\n" => '\n',
+        ));
+    }
 }
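Review bot: The escaped identifier on the added `'onclick'` line is emitted into an HTML attribute, and `kolab_utils::js_escape` only handles the JavaScript string layer: a `"` in `$idx` becomes `\"`, which still contains a literal double quote and would close a double-quoted attribute early unless the cell renderer HTML-escapes attribute values, which is not visible in this hunk. If the renderer does escape attributes, a comment on that line would pin the assumption, e.g. `// js_escape covers the JS-string layer; the attribute layer is escaped by the table renderer`; if it does not, the whole value should go through the HTML escaper already used for the body, `kolab_html::escape("kadm.command('$task.info', '" . kolab_utils::js_escape($idx) . "')")`. The `$task` interpolation on the same line is left unescaped, which is fine only if task names are never user-controlled. The enclosing method starts and ends outside the hunk.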
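Review bot: The replacement table in the new `js_escape` maps `\n` but not carriage return, so an identifier containing `\r` still terminates the single-quoted JavaScript string literal (CR is a JS line terminator) and produces a syntax error instead of a call; add `"\r" => '\r',` beside the `\n` entry. If identifiers can carry arbitrary UTF-8, the U+2028/U+2029 line separators have the same effect in older engines and would need mapping too, but nothing on this page shows where the values originate. The docblock should also state the function's scope, since its output is not HTML-safe, e.g. `* Note: escapes for a JS string literal only; HTML-escape again for the context it is embedded in.`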