From 8f4e51bec35b4ec43e6d0b1b8e918ddd792d4b4c Mon Sep 17 00:00:00 2001
From: Antoine Nguyen <tonio@ngyn.org>
Date: Thu, 16 Feb 2023 14:55:40 +0100
Subject: [PATCH] Fixed XSS issue in To field

---
 modoboa_webmail/static/modoboa_webmail/js/webmail.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modoboa_webmail/static/modoboa_webmail/js/webmail.js b/modoboa_webmail/static/modoboa_webmail/js/webmail.js
index 6303879..955c80f 100644
--- a/modoboa_webmail/static/modoboa_webmail/js/webmail.js
+++ b/modoboa_webmail/static/modoboa_webmail/js/webmail.js
@@ -1138,7 +1138,7 @@ Webmail.prototype = {
         var renderFunc = function (item, escape) {
             if (item.display_name) {
                 return '<div>{0} {1}</div>'.format(
-                    item.display_name,
+                    htmlEncode(item.display_name),
                     escape('<{0}>'.format(item.address)));
             }
             return '<div>{0}</div>'.format(htmlEncode(item.address));