From 81a7b53973506856db67e7f0b0263be29528aa75 Mon Sep 17 00:00:00 2001
From: Michael J Rubinsky <mrubinsk@horde.org>
Date: Sat, 20 Apr 2019 17:34:41 -0400
Subject: [PATCH] Fix XSS vuln in the Horde Cloud Block.

---
 horde-5.2.20/lib/Block/Cloud.php              | 6 +++++-
 horde-5.2.20/services/portal/cloud_search.php | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/horde-5.2.20/lib/Block/Cloud.php b/horde-5.2.20/lib/Block/Cloud.php
index 92a44255..9df5bf3c 100644
--- a/horde-5.2.20/lib/Block/Cloud.php
+++ b/horde-5.2.20/lib/Block/Cloud.php
@@ -13,6 +13,10 @@ class Horde_Block_Cloud extends Horde_Core_Block
         $this->_name = _("Tag Cloud");
     }
 
+    protected function _escapeJs($string)
+    {
+        return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\")));
+    }
     /**
      */
     protected function _content()
@@ -21,7 +25,7 @@ class Horde_Block_Cloud extends Horde_Core_Block
         foreach ($this->_getTags() as $tag) {
             $cloud->addElement(
                 $tag['tag_name'], '#', $tag['count'], null,
-                'doSearch(\'' . $tag['tag_name'] . '\'); return false;');
+                'doSearch(\'' . htmlspecialchars($this->_escapeJs($tag['tag_name'])) . '\'); return false;');
         }
 
         Horde::startBuffer();
diff --git a/horde-5.2.20/services/portal/cloud_search.php b/horde-5.2.20/services/portal/cloud_search.php
index d72da96e..0d44b5a5 100644
--- a/horde-5.2.20/services/portal/cloud_search.php
+++ b/horde-5.2.20/services/portal/cloud_search.php
@@ -43,7 +43,7 @@ foreach ($results as $result) {
     echo '<li class="linedRow"><span style="width:50%"> ' .
          (empty($result['icon']) ? Horde_Themes_Image::tag(Horde_Themes::img($result['app'] . '.png', array('app' => $result['app'])), array('alt' => $result['app'])) : '') .
          Horde::link($result['view_url'], '', '', '', '', '', '', array('style' => 'margin:4px')) .
-         (empty($result['icon']) ? $result['title'] : '<img src="' . $result['icon'] . '" />') .
+         (empty($result['icon']) ? htmlspecialchars($result['title']) : '<img src="' . $result['icon'] . '" />') .
          '</a></span><span style="width:50%;font-style:italic;">' . $result['desc'] . '</span></li>';
 }
 echo '</ul>';
-- 
2.20.1