some work towards fixing JS injection issues

source/Ox.UI/js/Calendar/Ox.ListCalendar.js

@@ -565,7 +565,7 @@ Ox.ListCalendar = function(options, self) {
         event.start = Ox.formatDate(startTime, '%Y-%m-%d %H:%M:%S', true);
         event.end = Ox.formatDate(endTime, '%Y-%m-%d %H:%M:%S', true);
         Ox.Log('Calendar', event);
-        self.options.addEvent(event, function(result) {
+        self.options.addEvent(encodeValues(event), function(result) {
             if (result.status.code == '200') {
                 event.id = result.data.id;
                 self.options.events.push(event);
@@ -590,7 +590,7 @@ Ox.ListCalendar = function(options, self) {
                 start: '', end: ''
             };
         self.$defineEventButton.options({disabled: true, title: 'Clear Event'});
-        self.options.editEvent(values, function() {
+        self.options.editEvent(encodeValues(values), function() {
             Ox.forEach(values, function(value, key) {
                 self.$list.value(self.options.selected, key, value);
             });
@@ -601,6 +601,16 @@ Ox.ListCalendar = function(options, self) {
         });
     }
 
+    function decodeValues(place) {
+        return Ox.map(place, function(value) {
+            return Ox.isString(value) ? Ox.decodeHTML(value)
+                : Ox.isArray(value) ? Ox.map(value, function(value) {
+                    return Ox.decodeHTML(value);
+                })
+                : value;
+        });
+    }
+
     function defineEvent() {
         var bounds = self.$calendar.getBounds(),
             middle = +self.$calendar.options('date'),
@@ -617,12 +627,22 @@ Ox.ListCalendar = function(options, self) {
         self.$defineEventButton.options({title: 'Clear Event'});
     }
 
+    function encodeValues(place) {
+        return Ox.map(place, function(value) {
+            return Ox.isString(value) ? Ox.encodeHTML(value)
+                : Ox.isArray(value) ? Ox.map(value, function(value) {
+                    return Ox.encodeHTML(value);
+                })
+                : value;
+        });
+    }
+
     function editEvent(key, value) {
         var id = self.selectedEvent,
             index = Ox.getIndexById(self.options.events, id),
             data = {id: id};
         data[key] = value;
-        self.options.editEvent(data, function(result) {
+        self.options.editEvent(encodeValues(data), function(result) {
             if (result.status.code == 200) {
                 self.options.events[index][key] = value;
                 self.$list.value(id, key, value);
@@ -728,9 +748,11 @@ Ox.ListCalendar = function(options, self) {
             self.$eventName.options({title: event.name || ''});
             self.$eventTitle.show();
             if (!isUndefined) {
-                self.$eventForm.values(Ox.extend({}, event, {
+                self.$eventForm.values(
-                    end: event.current ? '' : event.end
+                    decodeValues(Ox.extend({}, event, {
-                })).show();
+                        end: event.current ? '' : event.end
+                    }))
+                ).show();
             } else {
                 self.$eventForm.hide();
             }

source/Ox.UI/js/Map/Ox.ListMap.js

@@ -786,7 +786,7 @@ Ox.ListMap = function(options, self) {
             //setStatus();
         } else {
             self.$addPlaceButton.options({disabled: true, title: 'Adding...'});
-            self.options.addPlace(place, function(result) {
+            self.options.addPlace(encodeValues(place), function(result) {
                 if (result.status.code == 200) {
                     place.id = result.data.id;
                     self.selectedPlace = place.id;
@@ -832,18 +832,38 @@ Ox.ListMap = function(options, self) {
         });
     }
 
+    function decodeValues(place) {
+        return Ox.map(place, function(value) {
+            return Ox.isString(value) ? Ox.decodeHTML(value)
+                : Ox.isArray(value) ? Ox.map(value, function(value) {
+                    return Ox.decodeHTML(value);
+                })
+                : value;
+        });
+    }
+
     function definePlace() {
         self.$map.newPlace(); // this will call selectPlace, then editPlace
         self.$definePlaceButton.options({title: 'Clear Place'});
     }
 
+    function encodeValues(place) {
+        return Ox.map(place, function(value) {
+            return Ox.isString(value) ? Ox.encodeHTML(value)
+                : Ox.isArray(value) ? Ox.map(value, function(value) {
+                    return Ox.encodeHTML(value);
+                })
+                : value;
+        });
+    }
+
     function editPlace(keys) {
         Ox.Log('Map', 'EDIT PLACE', keys, self.$placeForm.values())
         var values = Ox.filter(self.$placeForm.values(), function(values, key) {
             return keys.indexOf(key) > -1;
         });
         values.id = self.selectedPlace;
-        self.options.editPlace(values, function(result) {
+        self.options.editPlace(encodeValues(values), function(result) {
             Ox.Log('Map', 'EDIT PLACE::', result)
             if (result.status.code == 200) {
                 if (
@@ -1055,7 +1075,7 @@ Ox.ListMap = function(options, self) {
     function showForm(place) {
         self.$nameInput.removeClass('OxError');
         self.$alternativeNamesInput.setErrors([]);
-        self.$placeForm.values(place).show();
+        self.$placeForm.values(decodeValues(place)).show();
         self.$areaKmInput.value(Ox.formatArea(place.area)).show();
     }