caldav-adapter 8.2.8 → 8.2.10

package/common/parse-body.js

@@ -17,6 +17,10 @@ module.exports = async function (ctx) {
   if (ctx.request.type.includes('xml')) {
     try {
       ctx.request.xml = new DOMParser().parseFromString(ctx.request.body);
+      // Ensure we have a valid document, otherwise set to null
+      if (!ctx.request.xml || typeof ctx.request.xml !== 'object') {
+        ctx.request.xml = null;
+      }
     } catch (err) {
       if (ctx.logger) ctx.logger.warn(err);
       else if (ctx?.app?.emit) ctx.app.emit('error', err, ctx);

package/common/xml.js

@@ -21,6 +21,11 @@ module.exports.nsLookup = nsLookup;
 const select = xpath.useNamespaces(namespaces);
 
 function get(path, doc) {
+  // Validate that doc is a proper XML document
+  if (!doc || typeof doc !== 'object') {
+    throw new Error('Invalid XML document: document is null or not an object');
+  }
+
   return select(path, doc);
 }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "caldav-adapter",
   "description": "CalDAV server for Node.js and Koa. Modernized and maintained for Forward Email.",
-  "version": "8.2.8",
+  "version": "8.2.10",
   "author": "Sanders DeNardi and Forward Email LLC",
   "contributors": [
     "Sanders DeNardi <sedenardi@gmail.com> (http://www.sandersdenardi.com/)",

package/routes/calendar/calendar/get.js

@@ -1,5 +1,29 @@
 const { setMissingMethod } = require('../../../common/response');
 const winston = require('../../../common/winston');
+const {
+  response,
+  status,
+  build,
+  multistatus
+} = require('../../../common/x-build');
+
+/**
+ * Encode special characters for XML content to prevent parsing errors
+ * @param {string} str - String to encode
+ * @returns {string} - XML-safe encoded string
+ */
+function encodeXMLEntities(str) {
+  if (typeof str !== 'string') {
+    return str;
+  }
+
+  return str
+    .replaceAll('&', '&') // Must be first to avoid double-encoding
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;');
+}
 
 module.exports = function (options) {
   const log = winston({ ...options, label: 'calendar/get' });
@@ -15,11 +39,29 @@ module.exports = function (options) {
 
       const ics = await options.data.buildICS(ctx, events, calendar);
 
-      ctx.status = 200;
-      ctx.remove('DAV');
-      ctx.set('Content-Type', 'text/calendar; charset=utf-8');
-      ctx.set('ETag', options.data.getETag(ctx, calendar));
-      return ics;
+      if (
+        ctx.accepts('text/calendar') ||
+        ctx.accepts('application/ics') ||
+        ctx.accepts('text/x-vcalendar') ||
+        ctx.accepts('application/octet-stream')
+      ) {
+        ctx.status = 200;
+        ctx.remove('DAV');
+        ctx.set('Content-Type', 'text/calendar; charset=utf-8');
+        ctx.set('ETag', options.data.getETag(ctx, calendar));
+        return ics;
+      }
+
+      // xml
+      const responseObj = response(ctx.url, status[200], [
+        {
+          'D:getetag': options.data.getETag(ctx, calendar)
+        },
+        {
+          'CAL:calendar-data': encodeXMLEntities(ics)
+        }
+      ]);
+      return build(multistatus([responseObj]));
     }
 
     const event = await options.data.getEvent(ctx, {
@@ -37,11 +79,28 @@ module.exports = function (options) {
 
     const ics = await options.data.buildICS(ctx, event, calendar);
 
-    ctx.status = 200;
-    ctx.remove('DAV');
-    ctx.set('Content-Type', 'text/calendar; charset=utf-8');
-    ctx.set('ETag', options.data.getETag(ctx, calendar));
-    return ics;
+    if (
+      ctx.accepts('text/calendar') ||
+      ctx.accepts('application/ics') ||
+      ctx.accepts('text/x-vcalendar') ||
+      ctx.accepts('application/octet-stream')
+    ) {
+      ctx.status = 200;
+      ctx.remove('DAV');
+      ctx.set('Content-Type', 'text/calendar; charset=utf-8');
+      ctx.set('ETag', options.data.getETag(ctx, calendar));
+      return ics;
+    }
+
+    const responseObj = response(ctx.url, status[200], [
+      {
+        'D:getetag': options.data.getETag(ctx, calendar)
+      },
+      {
+        'CAL:calendar-data': encodeXMLEntities(ics)
+      }
+    ]);
+    return build(multistatus([responseObj]));
   };
 
   return {

package/routes/principal/principal.js

@@ -13,6 +13,7 @@ module.exports = function (options) {
   const log = winston({ ...options, label: 'principal' });
   const methods = {
     propfind: routePropfind(options),
+    get: routePropfind(options), // Handle GET same as PROPFIND for redirected requests
     // report: reportReport(opts)
     //
     // TODO: proppatch
@@ -26,7 +27,7 @@ module.exports = function (options) {
     const method = ctx.method.toLowerCase();
 
     if (method === 'options') {
-      setOptions(ctx, ['OPTIONS', 'PROPFIND']);
+      setOptions(ctx, ['OPTIONS', 'PROPFIND', 'GET']);
       return;
     }
 

package/routes/principal/propfind.js

@@ -11,6 +11,11 @@ const commonTags = require('../../common/tags');
 module.exports = function (options) {
   const tags = commonTags(options);
   return async function (ctx) {
+    // Validate XML document before processing
+    if (!ctx.request.xml) {
+      ctx.throw(400, 'Invalid or missing XML in PROPFIND request');
+    }
+
     const { children } = xml.getWithChildren(
       '/D:propfind/D:prop',
       ctx.request.xml