From d6b592941da7017c86ecb8fb81f9ffc515995b4f Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 26 Jun 2013 18:26:39 +0200
Subject: Fix handling of &, <, > characters in scripts/filter names (#1489208)

---
 plugins/managesieve/Changelog                            | 1 +
 plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php | 4 ++--
 plugins/managesieve/managesieve.js                       | 8 ++++----
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/plugins/managesieve/Changelog b/plugins/managesieve/Changelog
index 2b28f61d5..daee91a70 100644
--- a/plugins/managesieve/Changelog
+++ b/plugins/managesieve/Changelog
@@ -3,6 +3,7 @@
 - Support string list arguments in filter form (#1489018)
 - Support date, currendate and index tests - RFC5260 (#1488120)
 - Split plugin file into two files
+- Fix handling of &, <, > characters in scripts/filter names (#1489208)
 
 * version 6.2 [2013-02-17]
 -----------------------------------------------------------
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index ac942d292..f29c9fb40 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -1014,7 +1014,7 @@ class rcube_sieve_engine
                 foreach ($list as $idx => $set) {
                     $scripts['S'.$idx] = $set;
                     $result[] = array(
-                        'name' => rcube::Q($set),
+                        'name' => $set,
                         'id' => 'S'.$idx,
                         'class' => !in_array($set, $this->active) ? 'disabled' : '',
                     );
@@ -2111,7 +2111,7 @@ class rcube_sieve_engine
             $fname = $filter['name'] ? $filter['name'] : "#$i";
             $result[] = array(
                 'id'    => $idx,
-                'name'  => rcube::Q($fname),
+                'name'  => $fname,
                 'class' => $filter['disabled'] ? 'disabled' : '',
             );
             $i++;
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index f6bf4b47c..5a75ef1fd 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -263,7 +263,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
       var i, row = $('#rcmrow'+this.managesieve_rowid(o.id));
 
       if (o.name)
-        $('td', row).html(o.name);
+        $('td', row).text(o.name);
       if (o.disabled)
         row.addClass('disabled');
       else
@@ -278,7 +278,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
       var list = this.filters_list,
         row = $('<tr><td class="name"></td></tr>');
 
-      $('td', row).html(o.name);
+      $('td', row).text(o.name);
       row.attr('id', 'rcmrow'+o.id);
       if (o.disabled)
         row.addClass('disabled');
@@ -302,7 +302,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
         tr = document.createElement('TR');
         td = document.createElement('TD');
 
-        td.innerHTML = el.name;
+        $(td).text(el.name);
         td.className = 'name';
         tr.id = 'rcmrow' + el.id;
         if (el['class'])
@@ -351,7 +351,7 @@ rcube_webmail.prototype.managesieve_updatelist = function(action, o)
         list = this.filtersets_list,
         row = $('<tr class="disabled"><td class="name"></td></tr>');
 
-      $('td', row).html(o.name);
+      $('td', row).text(o.name);
       row.attr('id', 'rcmrow'+id);
 
       this.env.filtersets[id] = o.name;
-- 
cgit v1.2.3