From 357dc9722869e77323d2e02773da1b54bd1737c9 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 26 Jun 2013 18:32:28 +0200
Subject: Fix handling of &, <, > characters in scripts/filter names (#1489208)

---
 plugins/managesieve/Changelog       | 2 ++
 plugins/managesieve/managesieve.js  | 8 ++++----
 plugins/managesieve/managesieve.php | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/plugins/managesieve/Changelog b/plugins/managesieve/Changelog
index 5f31d311c..159cc3ef9 100644
--- a/plugins/managesieve/Changelog
+++ b/plugins/managesieve/Changelog
@@ -1,3 +1,5 @@
+- Fix handling of &, <, > characters in scripts/filter names (#1489208)
+
 * version 6.2 [2013-02-17]
 -----------------------------------------------------------
 - Support tls:// prefix in managesieve_host option
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index 04b9a76af..035ed7bec 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -258,7 +258,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
       var i, row = $('#rcmrow'+this.managesieve_rowid(o.id));
 
       if (o.name)
-        $('td', row).html(o.name);
+        $('td', row).text(o.name);
       if (o.disabled)
         row.addClass('disabled');
       else
@@ -273,7 +273,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
       var list = this.filters_list,
         row = $('<tr><td class="name"></td></tr>');
 
-      $('td', row).html(o.name);
+      $('td', row).text(o.name);
       row.attr('id', 'rcmrow'+o.id);
       if (o.disabled)
         row.addClass('disabled');
@@ -297,7 +297,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
         tr = document.createElement('TR');
         td = document.createElement('TD');
 
-        td.innerHTML = el.name;
+        $(td).text(el.name);
         td.className = 'name';
         tr.id = 'rcmrow' + el.id;
         if (el['class'])
@@ -346,7 +346,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
         list = this.filtersets_list,
         row = $('<tr class="disabled"><td class="name"></td></tr>');
 
-      $('td', row).html(o.name);
+      $('td', row).text(o.name);
       row.attr('id', 'rcmrow'+id);
 
       this.env.filtersets[id] = o.name;
diff --git a/plugins/managesieve/managesieve.php b/plugins/managesieve/managesieve.php
index 2f558faa7..80face70a 100644
--- a/plugins/managesieve/managesieve.php
+++ b/plugins/managesieve/managesieve.php
@@ -967,7 +967,7 @@ class managesieve extends rcube_plugin
                         $this->rc->output->command('parent.managesieve_updatelist',
                             isset($new) ? 'add' : 'update',
                             array(
-                                'name' => Q($this->form['name']),
+                                'name' => $this->form['name'],
                                 'id' => $fid,
                                 'disabled' => $this->form['disabled']
                         ));
@@ -1049,7 +1049,7 @@ class managesieve extends rcube_plugin
                 foreach ($list as $idx => $set) {
                     $scripts['S'.$idx] = $set;
                     $result[] = array(
-                        'name' => Q($set),
+                        'name' => $set,
                         'id' => 'S'.$idx,
                         'class' => !in_array($set, $this->active) ? 'disabled' : '',
                     );
@@ -2039,7 +2039,7 @@ class managesieve extends rcube_plugin
             $fname = $filter['name'] ? $filter['name'] : "#$i";
             $result[] = array(
                 'id'    => $idx,
-                'name'  => Q($fname),
+                'name'  => $fname,
                 'class' => $filter['disabled'] ? 'disabled' : '',
             );
             $i++;
-- 
cgit v1.2.3