[communication] [fix] escape script and style in a communication

core/doctype/communication/communication.js

@@ -29,6 +29,8 @@ cur_frm.cscript.refresh = function(doc, dt, dn) {
 		});
 		
 		if(hide_list.length < field_list.length) hide_field(hide_list);
+		
+		doc.content = wn.utils.escape_script_and_style(doc.content);
 	}
 }
 

public/js/wn/misc/utils.js

@@ -16,6 +16,10 @@ wn.utils = {
 		return txt.toLowerCase().substr(0,7)=='http://'
 			|| txt.toLowerCase().substr(0,8)=='https://'
 	},
+	escape_script_and_style: function(txt) {
+		return (!txt || (txt.indexOf("<script>")===-1 && txt.indexOf("<style>")===-1)) ? txt :
+			"<pre>" + $("<div>").text(txt).html() + "</pre>";
+	},
 	filter_dict: function(dict, filters) {
 		var ret = [];
 		if(typeof filters=='string') {

public/js/wn/views/communication.js

@@ -77,6 +77,8 @@ wn.views.CommunicationList = Class.extend({
 		if(!wn.utils.is_html(doc.content)) {
 			doc.content = doc.content.replace(/\n/g, "<br>");
 		}
+		doc.content = wn.utils.escape_script_and_style(doc.content);
+
 		if(!doc.sender) doc.sender = "[unknown sender]";
 		doc._sender = doc.sender.replace(/</, "&lt;").replace(/>/, "&gt;");
 		doc.content = doc.content.split("-----"+wn._("In response to")+"-----")[0];