From efac49ae91a4a325df9931e78e543f707a0f8e5e Mon Sep 17 00:00:00 2001
From: smizrahi <seb.mizrahi@gmail.com>
Date: Tue, 22 Nov 2022 10:54:06 +0100
Subject: [PATCH] fix(security): Security fix for WSTG-INPV-02. Add XSS
 protection on identity fullName. Fixes #5642.

---
 SoObjects/SOGo/SOGoUserDefaults.m | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/SoObjects/SOGo/SOGoUserDefaults.m b/SoObjects/SOGo/SOGoUserDefaults.m
index 7eac80fae7..99dc81b458 100644
--- a/SoObjects/SOGo/SOGoUserDefaults.m
+++ b/SoObjects/SOGo/SOGoUserDefaults.m
@@ -147,7 +147,7 @@ - (BOOL) _migrateMailIdentities
       rc = NO;
 
       if ([fullName length])
-        [identity setObject: fullName forKey: @"fullName"];
+        [identity setObject: [fullName stringWithoutHTMLInjection: YES] forKey: @"fullName"];
       if ([email length])
         [identity setObject: email forKey: @"email"];
       if ([replyTo length])
@@ -797,7 +797,21 @@ - (void) setMailIdentities: (NSArray *) newIdentites
 
 - (NSArray *) mailIdentities
 {
-  return [self arrayForKey: @"SOGoMailIdentities"];
+  NSMutableArray *mailIdentities;
+  NSMutableDictionary *mailIdentity;
+  NSUInteger i;
+
+  // Remove possible XSS injection
+  mailIdentities = [NSMutableArray arrayWithArray: [self arrayForKey: @"SOGoMailIdentities"]];
+  for (i = 0 ; i < [mailIdentities length] ; i++) {
+    mailIdentity = [mailIdentities objectAtIndex: i];
+    if ([mailIdentity objectForKey: @"fullName"]) {
+      [mailIdentity setObject: [[mailIdentity objectForKey: @"fullName"] stringWithoutHTMLInjection: YES] forKey: @"fullName"];
+      [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
+    }
+  }
+
+  return mailIdentities;
 }
 
 - (void) setMailForceDefaultIdentity: (BOOL) newValue