From c1db80fa696c7b91fbd49aaaa09f9b8d5147bc1b Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Mon, 23 Jan 2023 11:14:21 +0100
Subject: [PATCH 1/2] Fixed XSS issue in domain creation form.
---
 modoboa/admin/static/admin/js/admin.js | 2 +-
 modoboa/admin/templates/admin/domains.html | 10 +++++-----
 modoboa/static/js/global.js | 9 +++++++++
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/modoboa/admin/static/admin/js/admin.js b/modoboa/admin/static/admin/js/admin.js
index 0ef78734c..fec5ece1e 100644
--- a/modoboa/admin/static/admin/js/admin.js
+++ b/modoboa/admin/static/admin/js/admin.js
@@ -295,7 +295,7 @@ Domains.prototype = {
 optionsform_prefill: function() {
 var $span = $("#id_dom_admin_username").next("span");
- $span.html("@" + $("#id_name").val());
+ $span.html("@" + htmlEncode($("#id_name").val()));
 },
 domadminsform_init: function() {
diff --git a/modoboa/admin/templates/admin/domains.html b/modoboa/admin/templates/admin/domains.html
index 5d354d6bd..d011876f0 100644
--- a/modoboa/admin/templates/admin/domains.html
+++ b/modoboa/admin/templates/admin/domains.html
@@ -13,11 +13,11 @@ {{ block.super }} {% extra_static_content "domains" "js" user %} {% endblock %}
diff --git a/modoboa/static/js/global.js b/modoboa/static/js/global.js
index e2062efd2..6d1d1d722 100644
--- a/modoboa/static/js/global.js
+++ b/modoboa/static/js/global.js
@@ -361,6 +361,15 @@ String.prototype.format = function() {
 });
 };
+/**
+ * Simple HTML escape function
+ */
+function htmlEncode(str) {
+ return String(str).replace(/[^\w. ]/gi, function(c) {
+ return '&#'+c.charCodeAt(0)+';';
+ });
+}
+
 $(document).ready(function() {
 $(document).ajaxSuccess(function(e, xhr, settings) { ajax_login_redirect(xhr); });
 $(document).ajaxError(defaultAjaxErrorHandler);
From 7b7b6bac27556fcec32c18e0d7541a8b5a5ebb99 Mon Sep 17 00:00:00 2001
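Review bot: The new `$span.html("@" + htmlEncode($("#id_name").val()));` line still routes user-controlled input through `.html()`, so safety depends on every future edit remembering to wrap the value; writing the text node directly makes the fix structural: `$span.text("@" + $("#id_name").val());`. That also removes admin.js's dependence on the `htmlEncode` global being defined in global.js and loaded before it, which the domains.html part of this patch presumably arranges, though that hunk's body is not readable here. Whichever form is kept, a short comment above the line recording the constraint would help the next maintainer, e.g. `// domain name is user input: never insert it into the DOM unescaped`. The enclosing Domains.prototype object starts and ends outside the hunk.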
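Review bot: `String(str)` on the added `return String(str).replace(...)` line turns a missing value into the literal text `undefined` or `null`, so a caller that passes an absent attribute gets that word rendered instead of an empty string; guard it first with `if (str == null) { return ''; }` before the `return`. The replacement also works per UTF-16 code unit, since the regex has no `u` flag and `charCodeAt` is used, so any character outside the BMP is emitted as two lone-surrogate references that browsers show as replacement characters — the `u` flag with `c.codePointAt(0)` avoids that if such input can reach this helper. The `i` flag is a no-op for this pattern, because `\w` is already case-independent. The `Simple HTML escape function` comment would be more useful if it stated the contract: every character other than `[A-Za-z0-9_]`, `.` and space is replaced by a decimal numeric character reference, so the result is safe to insert into element content or a quoted attribute via `.html()`, and it must not be applied to text that is later set with `.text()`, which would display the entities literally.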
From: Antoine Nguyen
Date: Mon, 23 Jan 2023 11:22:03 +0100
Subject: [PATCH 2/2] Fixed issue while displaying confirm message before deletion.
---
 modoboa/admin/static/admin/js/admin.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modoboa/admin/static/admin/js/admin.js b/modoboa/admin/static/admin/js/admin.js
index fec5ece1e..f38025b3b 100644
--- a/modoboa/admin/static/admin/js/admin.js
+++ b/modoboa/admin/static/admin/js/admin.js
@@ -152,7 +152,7 @@ Domains.prototype = {
 : gettext("This operation will remove all data associated to this domain, excepting accounts.");
 $("a[name=deldomain]").confirm({
- question: function() { return this.$element.attr('title'); },
+ question: function() { return htmlEncode(this.$element.attr('title')); },
 method: "POST",
 warning: warnmsg,
 checkboxes: deloptions,
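Review bot: `this.$element.attr('title')` yields `undefined` when the anchor carries no `title`, and the new `htmlEncode(...)` call converts that with `String(str)` into the word `undefined` as the confirm question; `return htmlEncode(this.$element.attr('title') || ''); },` avoids rendering that text. Encoding the question here is only correct if the confirm plugin inserts it with `.html()` rather than `.text()` — the plugin is not in view, so the assumption deserves a one-line comment on the `question:` line, e.g. `// title comes from user data and confirm() renders the question as HTML`. The enclosing function that builds `warnmsg` and this `confirm({...})` call both start and end outside the hunk.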