From 105718a4cabbb45f925dc2dd7a5f163a7549f546 Mon Sep 17 00:00:00 2001 From: Lennart <18233294+lennart-k@users.noreply.github.com> Date: Mon, 7 Jul 2025 21:18:16 +0200 Subject: [PATCH] frontend: Add xml escaping to collection creation forms --- .../lib/create-addressbook-form.ts | 15 +++++------ .../js-components/lib/create-calendar-form.ts | 25 ++++++++++--------- crates/frontend/js-components/lib/index.ts | 7 ++++++ .../assets/js/create-addressbook-form.mjs | 6 ++--- .../public/assets/js/create-calendar-form.mjs | 12 ++++----- .../{ref-CPp9J0V5.mjs => index-b86iLJlP.mjs} | 4 +++ 6 files changed, 41 insertions(+), 28 deletions(-) rename crates/frontend/public/assets/js/{ref-CPp9J0V5.mjs => index-b86iLJlP.mjs} (95%) diff --git a/crates/frontend/js-components/lib/create-addressbook-form.ts b/crates/frontend/js-components/lib/create-addressbook-form.ts index 172b3ef..6798e86 100644 --- a/crates/frontend/js-components/lib/create-addressbook-form.ts +++ b/crates/frontend/js-components/lib/create-addressbook-form.ts @@ -2,6 +2,7 @@ import { html, LitElement } from "lit"; import { customElement, property } from "lit/decorators.js"; import { Ref, createRef, ref } from 'lit/directives/ref.js'; import { createClient } from "webdav"; +import { escapeXml } from "."; @customElement("create-addressbook-form") export class CreateAddressbookForm extends LitElement { @@ -17,15 +18,15 @@ export class CreateAddressbookForm extends LitElement { client = createClient("/carddav") @property() - user: String = '' + user: string = '' @property() - principal: String = '' + principal: string = '' @property() - addr_id: String = '' + addr_id: string = '' @property() - displayname: String = '' + displayname: string = '' @property() - description: String = '' + description: string = '' dialog: Ref = createRef() form: Ref = createRef() 
@@ -85,8 +86,8 @@ export class CreateAddressbookForm extends LitElement { - ${this.displayname} - ${this.description ? `${this.description}` : ''} + ${escapeXml(this.displayname)} + ${this.description ? `${escapeXml(this.description)}` : ''} diff --git a/crates/frontend/js-components/lib/create-calendar-form.ts b/crates/frontend/js-components/lib/create-calendar-form.ts index 2584726..3817f44 100644 --- a/crates/frontend/js-components/lib/create-calendar-form.ts +++ b/crates/frontend/js-components/lib/create-calendar-form.ts @@ -2,6 +2,7 @@ import { html, LitElement } from "lit"; import { customElement, property } from "lit/decorators.js"; import { Ref, createRef, ref } from 'lit/directives/ref.js'; import { createClient } from "webdav"; +import { escapeXml } from "."; @customElement("create-calendar-form") export class CreateCalendarForm extends LitElement { @@ -16,21 +17,21 @@ export class CreateCalendarForm extends LitElement { client = createClient("/caldav") @property() - user: String = '' + user: string = '' @property() - principal: String = '' + principal: string = '' @property() - cal_id: String = '' + cal_id: string = '' @property() - displayname: String = '' + displayname: string = '' @property() - description: String = '' + description: string = '' @property() - color: String = '' + color: string = '' @property() isSubscription: boolean = false @property() - subscriptionUrl: String = '' + subscriptionUrl: string = '' @property() components: Set<"VEVENT" | "VTODO" | "VJOURNAL"> = new Set() 
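Review bot: The `escapeXml(this.displayname)` and `escapeXml(this.description)` lines keep the request body well-formed when a name contains `&` or `<`, but the escaping runs in the browser, so it is not a trust boundary: any CardDAV client can send this body directly, and the server must keep treating the XML as untrusted. The element tags around these values are not visible on this page, so I cannot confirm whether the values land only in text content or also in an attribute; if an attribute is involved, the quote escaping in the new helper is what keeps that safe and should not be dropped later. The method that builds this body starts and ends outside the hunk.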
@@ -123,12 +124,12 @@ export class CreateCalendarForm extends LitElement { - ${this.displayname} - ${this.description ? `${this.description}` : ''} - ${this.color ? `${this.color}` : ''} - ${(this.isSubscription && this.subscriptionUrl) ? `${this.subscriptionUrl}` : ''} + ${escapeXml(this.displayname)} + ${this.description ? `${escapeXml(this.description)}` : ''} + ${this.color ? `${escapeXml(this.color)}` : ''} + ${(this.isSubscription && this.subscriptionUrl) ? `${escapeXml(this.subscriptionUrl)}` : ''} - ${Array.from(this.components.keys()).map(comp => ``).join('\n')} + ${Array.from(this.components.keys()).map(comp => ``).join('\n')} diff --git a/crates/frontend/js-components/lib/index.ts b/crates/frontend/js-components/lib/index.ts index e69de29..6e39c16 100644 --- a/crates/frontend/js-components/lib/index.ts +++ b/crates/frontend/js-components/lib/index.ts @@ -0,0 +1,7 @@ +export function escapeXml(unsafe: string): string { + return unsafe.replace(/&/g, '&') + .replace(//g, '>') + .replace(/"/g, '"') + .replace(/'/g, ''') +} diff --git a/crates/frontend/public/assets/js/create-addressbook-form.mjs b/crates/frontend/public/assets/js/create-addressbook-form.mjs index aae9eb0..333a5e3 100644 --- a/crates/frontend/public/assets/js/create-addressbook-form.mjs +++ b/crates/frontend/public/assets/js/create-addressbook-form.mjs @@ -1,6 +1,6 @@ import { i, x } from "./lit-z6_uA4GX.mjs"; import { n as n$1, t } from "./property-D0NJdseG.mjs"; -import { e, n } from "./ref-CPp9J0V5.mjs"; +import { e, n, a as escapeXml } from "./index-b86iLJlP.mjs"; import { a as an } from "./webdav-D0R7xCzX.mjs"; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; @@ -84,8 +84,8 @@ let CreateAddressbookForm = class extends i { - ${this.displayname} - ${this.description ? `${this.description}` : ""} + ${escapeXml(this.displayname)} + ${this.description ? `${escapeXml(this.description)}` : ""} 
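Review bot: `escapeXml(this.color)` and `escapeXml(this.subscriptionUrl)` make the XML well-formed but do not validate the values, so a colour that is not `#RRGGBB[AA]` or a subscription URL with a non-http(s) scheme is still submitted as-is; assuming the server later fetches the subscription URL, it, not this form, must restrict schemes and targets. A cheap client-side check before the `isSubscription` branch would still give the user an earlier, clearer error, e.g. `const subUrl = new URL(this.subscriptionUrl); if (!/^https?:$/.test(subUrl.protocol)) throw new Error('subscription URL must be http(s)');`. The `comp` values come from the `Set<"VEVENT" | "VTODO" | "VJOURNAL">` declared in the earlier hunk, so escaping them is defensive rather than necessary. The surrounding method starts and ends outside the hunk.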
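Review bot: As rendered on this page the replacement strings in `escapeXml` read as plain `&`, `>`, `"` and `'`, and the second pattern reads `//g`, which would make the function a no-op or a syntax error; that is almost certainly this page decoding the entities, but please confirm the committed source emits `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&apos;`, with `&` replaced first so the entities introduced by the later replacements are not escaped again. Escaping does not cover characters that XML 1.0 forbids outright (most C0 controls, U+FFFE/U+FFFF); a display name containing one still produces a body the server's parser has to reject, so the helper should strip them. The function is also exported without documentation; the fence below shows the stripping step plus a short TSDoc, and the duplicated copy in the built `index-b86iLJlP.mjs` would need regenerating.
```typescript
/**
 * Escape a string for use as XML text or attribute content.
 * `&` is replaced first so the entities introduced by the later
 * replacements are not escaped a second time; characters that XML 1.0
 * cannot represent even when escaped are dropped.
 */
export function escapeXml(unsafe: string): string {
  return unsafe
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g, '')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;')
}
```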
diff --git a/crates/frontend/public/assets/js/create-calendar-form.mjs b/crates/frontend/public/assets/js/create-calendar-form.mjs index 47a2332..c99a116 100644 --- a/crates/frontend/public/assets/js/create-calendar-form.mjs +++ b/crates/frontend/public/assets/js/create-calendar-form.mjs @@ -1,6 +1,6 @@ import { i, x } from "./lit-z6_uA4GX.mjs"; import { n as n$1, t } from "./property-D0NJdseG.mjs"; -import { e, n } from "./ref-CPp9J0V5.mjs"; +import { e, n, a as escapeXml } from "./index-b86iLJlP.mjs"; import { a as an } from "./webdav-D0R7xCzX.mjs"; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; @@ -119,12 +119,12 @@ let CreateCalendarForm = class extends i { - ${this.displayname} - ${this.description ? `${this.description}` : ""} - ${this.color ? `${this.color}` : ""} - ${this.isSubscription && this.subscriptionUrl ? `${this.subscriptionUrl}` : ""} + ${escapeXml(this.displayname)} + ${this.description ? `${escapeXml(this.description)}` : ""} + ${this.color ? `${escapeXml(this.color)}` : ""} + ${this.isSubscription && this.subscriptionUrl ? `${escapeXml(this.subscriptionUrl)}` : ""} - ${Array.from(this.components.keys()).map((comp) => ``).join("\n")} + ${Array.from(this.components.keys()).map((comp) => ``).join("\n")} diff --git a/crates/frontend/public/assets/js/ref-CPp9J0V5.mjs b/crates/frontend/public/assets/js/index-b86iLJlP.mjs similarity index 95% rename from crates/frontend/public/assets/js/ref-CPp9J0V5.mjs rename to crates/frontend/public/assets/js/index-b86iLJlP.mjs index a8f257d..e2c7967 100644 --- a/crates/frontend/public/assets/js/ref-CPp9J0V5.mjs +++ b/crates/frontend/public/assets/js/index-b86iLJlP.mjs @@ -122,7 +122,11 @@ const o = /* @__PURE__ */ new WeakMap(), n = e$1(class extends f { this.rt(this.ct); } }); +function escapeXml(unsafe) { + return unsafe.replace(/&/g, "&").replace(//g, ">").replace(/"/g, """).replace(/'/g, "'"); +} export { + escapeXml as a, e, n };