authorAleksander Machniak <alec@alec.pl>2013-09-14 09:44:58 +0200
committerAleksander Machniak <alec@alec.pl>2013-09-14 09:44:58 +0200
commit2e30b24dbf3aebf4d201bc922eb7b7bc8ab8f4fd (patch)
treebf44474729b229e55a44d9977756a4b54878e90a
parent9ba0fb9631bf17a4e48249194114a0252ca18006 (diff)
Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333)
-rw-r--r--CHANGELOG1
-rw-r--r--program/js/app.js2
2 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 85963d84f..6a93d40ce 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333)
- Fix attachment icon issue when rare font/language is used (#1489326)
- After message is sent refresh messages list of replied message folder (#1489249)
- Add option force specified domain in user login - username_domain_forced (#1489264)
diff --git a/program/js/app.js b/program/js/app.js
index 42c661144..1d1c65172 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -4345,7 +4345,7 @@ function rcube_webmail()
boxtitle.append('&nbsp;&raquo;&nbsp;');
}
- boxtitle.append($('<span>'+prop.name+'</span>'));
+ boxtitle.append($('<span>').text(prop.name));
}
this.triggerEvent('groupupdate', prop);
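Review bot: The new `boxtitle.append($('<span>').text(prop.name));` line carries no comment saying why the name is set as text, so a later cleanup could put the string-built `<span>` back; I would add `// group name is user-supplied: set it as text, never concatenate it into markup` directly above it. The `this.triggerEvent('groupupdate', prop)` call at the end of the hunk still passes the unescaped name to every listener, so any handler that renders it presumably needs the same treatment, though no handler is visible here. The enclosing function starts and ends outside the hunk, so other places where it may write `prop.name` into the DOM could not be checked from this page.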