fix(security): Security fix for WSTG-INPV-02. Add XSS protection on i…

…dentity fullName. Fixes #5642.
Alinto · Nov 22, 2022 · efac49a · efac49a
1 parent 1e0f5f0
commit efac49a
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/SoObjects/SOGo/SOGoUserDefaults.m b/SoObjects/SOGo/SOGoUserDefaults.m
@@ -147,7 +147,7 @@ - (BOOL) _migrateMailIdentities
       rc = NO;
 
       if ([fullName length])
-        [identity setObject: fullName forKey: @"fullName"];
+        [identity setObject: [fullName stringWithoutHTMLInjection: YES] forKey: @"fullName"];
       if ([email length])
         [identity setObject: email forKey: @"email"];
       if ([replyTo length])
@@ -797,7 +797,21 @@ - (void) setMailIdentities: (NSArray *) newIdentites
 
 - (NSArray *) mailIdentities
 {
-  return [self arrayForKey: @"SOGoMailIdentities"];
+  NSMutableArray *mailIdentities;
+  NSMutableDictionary *mailIdentity;
+  NSUInteger i;
+
+  // Remove possible XSS injection
+  mailIdentities = [NSMutableArray arrayWithArray: [self arrayForKey: @"SOGoMailIdentities"]];
+  for (i = 0 ; i < [mailIdentities length] ; i++) {
+    mailIdentity = [mailIdentities objectAtIndex: i];
+    if ([mailIdentity objectForKey: @"fullName"]) {
+      [mailIdentity setObject: [[mailIdentity objectForKey: @"fullName"] stringWithoutHTMLInjection: YES] forKey: @"fullName"];
+      [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
+    }
+  }
+
+  return mailIdentities;
 }
 
 - (void) setMailForceDefaultIdentity: (BOOL) newValue