mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-04-24 14:15:18 +00:00
Task titles, UIDs, descriptions, categories, organizer usernames, alarm descriptions, relation UIDs, and the calendar name were concatenated raw into the VCALENDAR text. A task title containing CR/LF could plant new iCalendar properties (ATTACH, X-INJECTED, VALARM, etc.) that CalDAV clients would parse as legitimate calendar data.

Introduce escapeICalText, which escapes backslash, CR/LF, semicolon, and comma per RFC 5545 §3.3.11, and apply it at every sink in ParseTodos, ParseAlarms, and ParseRelations. Each Category is escaped individually; the comma that joins categories is the literal list delimiter and stays unescaped. The now-redundant regexp-based LF handling in the DESCRIPTION branch is removed.

getCaldavColor is hardened at the same output boundary: non-hex characters are stripped before interpolation so CR/LF in a crafted color string cannot inject new iCal property lines, closing a gap where upstream HexColor validation only bounds length and does not reject control characters.

Fixes GHSA-2g7h-7rqr-9p4r.
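As an added example (not Vikunja's own code), a Go implementation of the escaping rules the message describes, plus the per-category escaping, a hex-colour sanitizer, and a line-count check showing that a CR/LF in a title can no longer become a second property line; the function names escapeCategories, sanitizeHexColor and vtodoLines are assumed.

```go
package main

import (
	"strings"
)

// escapeICalText escapes a TEXT value per RFC 5545 §3.3.11.
// Backslash must be handled first so the "\n" we emit is not re-escaped.
func escapeICalText(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "\r\n", `\n`) // CRLF before bare CR/LF
	s = strings.ReplaceAll(s, "\r", `\n`)
	s = strings.ReplaceAll(s, "\n", `\n`)
	s = strings.ReplaceAll(s, ";", `\;`)
	s = strings.ReplaceAll(s, ",", `\,`)
	return s
}

// escapeCategories escapes each category on its own; the comma that joins
// them is the CATEGORIES list delimiter and stays unescaped.
func escapeCategories(cats []string) string {
	out := make([]string, len(cats))
	for i, c := range cats {
		out[i] = escapeICalText(c)
	}
	return strings.Join(out, ",")
}

// sanitizeHexColor keeps only hex digits, so control characters in a crafted
// colour value are dropped before it is interpolated into the calendar text.
func sanitizeHexColor(c string) string {
	var b strings.Builder
	for _, r := range c {
		if ('0' <= r && r <= '9') || ('a' <= r && r <= 'f') || ('A' <= r && r <= 'F') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// vtodoLines renders a minimal VTODO with the escaped title and splits it on
// CRLF: an escaped title always yields exactly three lines, whatever it holds.
func vtodoLines(title string) []string {
	body := "BEGIN:VTODO\r\nSUMMARY:" + escapeICalText(title) + "\r\nEND:VTODO"
	return strings.Split(body, "\r\n")
}
```

The constructed title used in the check below carries a CR/LF followed by the X-INJECTED property named in the message; after escaping it stays inside the SUMMARY line.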