authorAleksander Machniak <machniak@kolabsys.com>2014-10-10 20:02:16 +0200
committerAleksander Machniak <machniak@kolabsys.com>2014-10-10 20:02:16 +0200
commit3b4e4a7d263df3a864e542970dc27c21bd92bf97 (patch)
tree2cbd76bc1c48f604ab14650b337544169ea5ac36 /lib
parent0066895d146564b3aae8db643b5dd0c1af72d4ce (diff)
downloadwebadmin-3b4e4a7d263df3a864e542970dc27c21bd92bf97.tar.gz
Fix escaping of object identifiers in javascript command (#3675)
Diffstat (limited to 'lib')
-rw-r--r--lib/kolab_client_task.php2
-rw-r--r--lib/kolab_utils.php17
2 files changed, 18 insertions, 1 deletions
diff --git a/lib/kolab_client_task.php b/lib/kolab_client_task.php
index 1fe3761..5713a5b 100644
--- a/lib/kolab_client_task.php
+++ b/lib/kolab_client_task.php
@@ -1682,7 +1682,7 @@ class kolab_client_task
$i++;
$cells = array();
$cells[] = array('class' => 'name', 'body' => kolab_html::escape($item),
- 'onclick' => "kadm.command('$task.info', '$idx')");
+ 'onclick' => "kadm.command('$task.info', '" . kolab_utils::js_escape($idx) . "')");
$rows[] = array('id' => $i, 'class' => implode(' ', $class), 'cells' => $cells);
}
}
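Review bot: In the `onclick` line, `kolab_utils::js_escape($idx)` only makes the identifier safe inside the single-quoted JavaScript string; the result is then placed in an HTML attribute, where a double quote written as `\"` still terminates a double-quoted attribute exactly as a bare `"` would. Whether the table renderer HTML-encodes attribute values is not visible in this hunk; if it does not, the value needs an HTML-level encoding applied after the JavaScript one, e.g. `'onclick' => kolab_html::escape("kadm.command('$task.info', '" . kolab_utils::js_escape($idx) . "')")`. `$task` is interpolated into the same string unescaped, which is acceptable only if it is always an internal constant. The enclosing loop starts outside the hunk.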
diff --git a/lib/kolab_utils.php b/lib/kolab_utils.php
index e2602af..91dad55 100644
--- a/lib/kolab_utils.php
+++ b/lib/kolab_utils.php
@@ -206,4 +206,21 @@ class kolab_utils
return $str;
}
+
+ /**
+ * Escape string for use in javascript code
+ *
+ * @param string $str String
+ *
+ * @return string Escaped string
+ */
+ public static function js_escape($str)
+ {
+ return strtr($str, array(
+ '"' => '\\"',
+ "'" => "\\'",
+ "\\" => "\\\\",
+ "\n" => '\n',
+ ));
+ }
}
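Review bot: The replacement map in `js_escape()` covers quotes, backslash and `\n` only, so a carriage return or U+2028/U+2029 in the input still ends the string literal as a line terminator, and `<`, `>`, `&` pass through unchanged into whatever HTML attribute or script block holds the JavaScript. I would extend the map so those characters are emitted as JavaScript escape sequences, as sketched below; writing the two quote characters as `\x22` and `\x27` instead of `\"` and `\'` would additionally keep the output inert inside a quoted HTML attribute. The docblock should also say that the result is meant for the inside of a quoted JavaScript string literal and is not HTML-encoded. The enclosing class begins outside the hunk.

```php
    public static function js_escape($str)
    {
        return strtr($str, array(
            // … unchanged: the four existing pairs …
            "\r" => '\r',
            '<'  => '\x3C',
            '>'  => '\x3E',
            '&'  => '\x26',
            "\xE2\x80\xA8" => '\u2028', // U+2028 LINE SEPARATOR (UTF-8 bytes)
            "\xE2\x80\xA9" => '\u2029', // U+2029 PARAGRAPH SEPARATOR (UTF-8 bytes)
        ));
    }
```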