修复日程安排，附件中的xss漏洞

o2web/source/x_component_Calendar/Common.js

@@ -279,6 +279,10 @@ MWFCalendar.EventForm = new Class({
 
         var data = this.data;
 
+        if( data.comment ){
+            data.comment = this.replaceHrefJavascriptStr(data.comment);
+        }
+
         if( this.options.isWholeday && this.isNew ){
             data.isAllDayEvent = true;
         }

o2web/source/x_component_cms_Xform/Attachment.js

@@ -332,7 +332,7 @@ MWF.xApplication.cms.Xform.Attachment = MWF.CMSAttachment = new Class({
         }.bind(this));
 
         var _self = this;
-        this.form.confirm("warn", e, MWF.xApplication.cms.Xform.LP.deleteAttachmentTitle, MWF.xApplication.cms.Xform.LP.deleteAttachment + "( " + names.join(", ") + " )", 300, 120, function () {
+        this.form.confirm("warn", e, MWF.xApplication.cms.Xform.LP.deleteAttachmentTitle, MWF.xApplication.cms.Xform.LP.deleteAttachment + "( " + o2.txt(names.join(", ")) + " )", 300, 120, function () {
             while (attachments.length) {
                 var attachment = attachments.shift();
                 _self.deleteAttachment(attachment);

o2web/source/x_component_process_Xform/Attachment.js

@@ -1685,7 +1685,7 @@ MWF.xApplication.process.Xform.Attachment = MWF.APPAttachment = new Class(
         // }).inject(this.form.app.content);
 
         var _self = this;
-        this.form.confirm("warn", e, MWF.xApplication.process.Xform.LP.deleteAttachmentTitle, MWF.xApplication.process.Xform.LP.deleteAttachment + "( " + names.join(", ") + " )", 300, 120, function () {
+        this.form.confirm("warn", e, MWF.xApplication.process.Xform.LP.deleteAttachmentTitle, MWF.xApplication.process.Xform.LP.deleteAttachment + "( " + o2.txt(names.join(", ")) + " )", 300, 120, function () {
             while (attachments.length) {
                 var attachment = attachments.shift();
                 _self.deleteAttachment(attachment);