some work towards fixing JS injection issues

2012-02-21 12:33:27 +00:00 · 2012-02-21 12:33:27 +00:00 · e282a3a9e9
commit e282a3a9e9
parent 01d975878b
2 changed files with 51 additions and 9 deletions
--- a/source/Ox.UI/js/Calendar/Ox.ListCalendar.js
+++ b/source/Ox.UI/js/Calendar/Ox.ListCalendar.js
@ -565,7 +565,7 @@ Ox.ListCalendar = function(options, self) {
        event.start = Ox.formatDate(startTime, '%Y-%m-%d %H:%M:%S', true);
        event.end = Ox.formatDate(endTime, '%Y-%m-%d %H:%M:%S', true);
        Ox.Log('Calendar', event);
-        self.options.addEvent(event, function(result) {
+        self.options.addEvent(encodeValues(event), function(result) {
            if (result.status.code == '200') {
                event.id = result.data.id;
                self.options.events.push(event);
@ -590,7 +590,7 @@ Ox.ListCalendar = function(options, self) {
                start: '', end: ''
            };
        self.$defineEventButton.options({disabled: true, title: 'Clear Event'});
-        self.options.editEvent(values, function() {
+        self.options.editEvent(encodeValues(values), function() {
            Ox.forEach(values, function(value, key) {
                self.$list.value(self.options.selected, key, value);
            });
@ -601,6 +601,16 @@ Ox.ListCalendar = function(options, self) {
        });
    }

+    function decodeValues(place) {
+        return Ox.map(place, function(value) {
+            return Ox.isString(value) ? Ox.decodeHTML(value)
+                : Ox.isArray(value) ? Ox.map(value, function(value) {
+                    return Ox.decodeHTML(value);
+                })
+                : value;
+        });
+    }
+
    function defineEvent() {
        var bounds = self.$calendar.getBounds(),
            middle = +self.$calendar.options('date'),
@ -617,12 +627,22 @@ Ox.ListCalendar = function(options, self) {
        self.$defineEventButton.options({title: 'Clear Event'});
    }

+    function encodeValues(place) {
+        return Ox.map(place, function(value) {
+            return Ox.isString(value) ? Ox.encodeHTML(value)
+                : Ox.isArray(value) ? Ox.map(value, function(value) {
+                    return Ox.encodeHTML(value);
+                })
+                : value;
+        });
+    }
+
    function editEvent(key, value) {
        var id = self.selectedEvent,
            index = Ox.getIndexById(self.options.events, id),
            data = {id: id};
        data[key] = value;
-        self.options.editEvent(data, function(result) {
+        self.options.editEvent(encodeValues(data), function(result) {
            if (result.status.code == 200) {
                self.options.events[index][key] = value;
                self.$list.value(id, key, value);
@ -728,9 +748,11 @@ Ox.ListCalendar = function(options, self) {
            self.$eventName.options({title: event.name || ''});
            self.$eventTitle.show();
            if (!isUndefined) {
-                self.$eventForm.values(Ox.extend({}, event, {
-                    end: event.current ? '' : event.end
-                })).show();
+                self.$eventForm.values(
+                    decodeValues(Ox.extend({}, event, {
+                        end: event.current ? '' : event.end
+                    }))
+                ).show();
            } else {
                self.$eventForm.hide();
            }