diff --git a/modoboa/admin/static/admin/js/admin.js b/modoboa/admin/static/admin/js/admin.js
index 0ef78734c..f38025b3b 100644
--- a/modoboa/admin/static/admin/js/admin.js
+++ b/modoboa/admin/static/admin/js/admin.js
@@ -152,7 +152,7 @@ Domains.prototype = {
: gettext("This operation will remove all data associated to this domain, excepting accounts.");
$("a[name=deldomain]").confirm({
- question: function() { return this.$element.attr('title'); },
+ question: function() { return htmlEncode(this.$element.attr('title')); },
method: "POST",
warning: warnmsg,
checkboxes: deloptions,
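Review bot: The `question` callback on the changed line now returns an entity-encoded string, which is only correct if the `confirm` plugin injects that value as HTML (via `.html()` or similar); if the plugin writes it with `.text()`, the `&#NN;` sequences produced by `htmlEncode` will be displayed literally, so the plugin's sink should be checked before merging. A one-line comment above the call would also help the next maintainer, e.g. `// title is rendered as HTML by the confirm plugin, so it must be entity-encoded`. The enclosing method of `Domains.prototype` starts before this hunk and its `deloptions` and `warnmsg` setup is outside the visible lines.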
@@ -295,7 +295,7 @@ Domains.prototype = {
optionsform_prefill: function() {
var $span = $("#id_dom_admin_username").next("span");
- $span.html("@" + $("#id_name").val());
+ $span.html("@" + htmlEncode($("#id_name").val()));
},
domadminsform_init: function() {
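Review bot: The changed line in `optionsform_prefill` still routes the domain name through an HTML sink (`$span.html(...)`) and relies on `htmlEncode` to make that safe, when the value is plain text with no markup in it; `$span.text("@" + $("#id_name").val());` sets the same visible content without any encoding step and does not depend on `htmlEncode` being loaded from global.js before admin.js. That also sidesteps the question of whether `htmlEncode` produces valid entities for every character a domain name may contain. `optionsform_prefill` is fully visible in the hunk, so the change is a single-line swap.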
diff --git a/modoboa/admin/templates/admin/domains.html b/modoboa/admin/templates/admin/domains.html
index 5d354d6bd..d011876f0 100644
--- a/modoboa/admin/templates/admin/domains.html
+++ b/modoboa/admin/templates/admin/domains.html
@@ -13,11 +13,11 @@
{{ block.super }}
{% extra_static_content "domains" "js" user %}
{% endblock %}
diff --git a/modoboa/static/js/global.js b/modoboa/static/js/global.js
index e2062efd2..6d1d1d722 100644
--- a/modoboa/static/js/global.js
+++ b/modoboa/static/js/global.js
@@ -361,6 +361,15 @@ String.prototype.format = function() {
});
};
+/**
+ * Simple HTML escape function
+ */
+function htmlEncode(str) {
+ return String(str).replace(/[^\w. ]/gi, function(c) {
+ return ''+c.charCodeAt(0)+';';
+ });
+}
+
$(document).ready(function() {
$(document).ajaxSuccess(function(e, xhr, settings) { ajax_login_redirect(xhr); });
$(document).ajaxError(defaultAjaxErrorHandler);
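Review bot: As shown in the hunk, the replacement callback in `htmlEncode` builds `'' + c.charCodeAt(0) + ';'`, which turns `<` into `60;` rather than the numeric character reference `&#60;` — the output is not HTML at all, so callers that inject it with `.html()` get mangled text instead of an escaped one; if the `&#` prefix was lost when this page was extracted, disregard this, otherwise the callback should be `return '&#' + c.charCodeAt(0) + ';';`. The `i` flag on `/[^\w. ]/gi` is redundant because `\w` already matches both cases, and `charCodeAt` splits characters outside the BMP into two surrogate code units, each of which becomes an invalid reference; `codePointAt` with the `u` flag avoids that, provided the file's target runtime supports ES2015 (the surrounding code is ES5-style, so this may need checking). The header comment should state the contract rather than just the name, e.g. `Encode every character except ASCII word characters, '.' and ' ' as a numeric HTML entity; intended for values that are inserted with .html(). Non-string input is coerced with String(), so undefined becomes "undefined".`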