From eef9ab72b5305578a3ad7a7463bd284aa645e98b Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Thu, 26 Jan 2023 10:41:15 +0100
Subject: [PATCH] Avoid XSS issues while deleting account and looking at logs.

---
 modoboa/admin/static/admin/js/admin.js | 2 +-
 modoboa/core/templates/core/logs_page.html | 2 +-
 modoboa/static/js/autocompleter.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modoboa/admin/static/admin/js/admin.js b/modoboa/admin/static/admin/js/admin.js
index f38025b3b..c18f78299 100644
--- a/modoboa/admin/static/admin/js/admin.js
+++ b/modoboa/admin/static/admin/js/admin.js
@@ -408,7 +408,7 @@ Identities.prototype = {
 }
 $("a[name=delaccount]").confirm({
- question: function() { return this.$element.attr('title'); },
+ question: function() { return htmlEncode(this.$element.attr('title')); },
 method: "POST",
 checkboxes: deloptions,
 success_cb: $.proxy(this.reload_listing, this)
diff --git a/modoboa/core/templates/core/logs_page.html b/modoboa/core/templates/core/logs_page.html
index 37188a46b..3ad1f9abd 100644
--- a/modoboa/core/templates/core/logs_page.html
+++ b/modoboa/core/templates/core/logs_page.html
@@ -5,6 +5,6 @@
 {{ l.date_created|date:"SHORT_DATETIME_FORMAT" }}
 {{ l.level|colorize_level|safe }}
 {{ l.logger }}
- {{ l.message|tohtml|safe }}
+ {{ l.message }}
 {% endfor %}
diff --git a/modoboa/static/js/autocompleter.js b/modoboa/static/js/autocompleter.js
index b28ba3b83..26f7afa43 100644
--- a/modoboa/static/js/autocompleter.js
+++ b/modoboa/static/js/autocompleter.js
@@ -56,7 +56,7 @@
 $.each(this.choices, $.proxy(function(index, value) {
 if (exp.test(value)) {
 this.$menu.append(
- $('
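Review bot: The escape is applied at one call site, in the added `question:` callback, so the fix only holds for this dialog; any other `confirm({ question: ... })` that derives its text from a DOM attribute or server data needs the same treatment, and the more durable place for it is inside the confirm plugin (rendering `question` with `.text()` instead of as HTML), which is not visible here. `htmlEncode` is also outside the hunk, so it is worth confirming it escapes `&`, `<`, `>`, `"` and `'` and tolerates `undefined` (what `.attr('title')` returns when the anchor has no title). A why-comment would stop a later cleanup from dropping the call, e.g. `// title may carry user-supplied data; encode it before confirm() renders it as HTML`. The enclosing method of `Identities.prototype` starts before this hunk.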
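Review bot: Replacing `{{ l.message|tohtml|safe }}` with `{{ l.message }}` restores autoescaping but also drops whatever `tohtml` did to the message (presumably newline or markup conversion — not visible here), so multi-line messages will now render flat; if that formatting matters, Django's `linebreaksbr` escapes before inserting `<br>` and stays safe under autoescape: `{{ l.message|linebreaksbr }}`. The neighbouring `{{ l.level|colorize_level|safe }}` on the same row still bypasses autoescaping, which is only fine if `colorize_level` escapes its input or the level is a fixed server-side value — worth confirming rather than assuming. The new line also relies on autoescaping being on for this template; an enclosing `{% autoescape off %}` (the `{% for %}` that this `{% endfor %}` closes is outside the hunk) would reintroduce the issue.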
  • ' + value + '
  • ') + $('
  • ' + htmlEncode(value) + '
  • ') ); } }, this));
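Review bot: Escaping `value` and then feeding the concatenated string to `$()` still runs untrusted text through the HTML parser and depends on a hand-rolled encoder at every such site; building the node and setting its text sidesteps that entirely: `this.$menu.append($('<li>').append($('<a>', { href: '#', text: value })));` (the `<li><a>` markup is rendered as bullets on this page). If `htmlEncode` is kept, confirm it escapes `&`, `<`, `>` and both quote characters, since `exp.test(value)` does not constrain what `value` contains. `exp` is defined outside the hunk; if it is built from the typed query, regex metacharacters in that query should be escaped (`q.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')`) to avoid false matches and pathological patterns.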