What browser do you use?

We were able to reproduce the issue in Chrome/Chromium, Safari and Firefox, most current releases each.

I can't reproduce the problem.

If I have the rights to modify the event, I'll have an input field with the value properly encoded with HTML entities. If I can only view the event, the title will also be properly encoded and the JavaScript won't be executed.

I couldn't verify it against a newer nightly build containing the equal-sign-fix we reported in another bug, maybe the behavior changed. In a newer nightly build (updated today) I had to remove the semicolon, which got escaped and broke the javascript:

<script> window.alert('bar') </script>

It still gets executed, both when looking at the calendar overview and the appointment details.

Fixed.

See https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9

I can confirm the bug being fixed for appointments, but a similar problem seems to exist with contacts and the bugfix introduced some encoding problems.

Example of the encoding issues (string seems to be HTML-encoded twice):

http://images.jenserat.de/2014-02-07_1746.png

How to reproduce the code injection with contacts:

• Create contact, save
• Reopen contact
• Add injection code, for example in the "Display" name field (<script> window.alert('1') </script>)
• Save
• Alert box pops up

Encoding problems also apply to reminder alerts.

More fixes :

https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765
https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501

Added HTML escaping in CSS dialogs.

See https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625