bitPickups/friendica_2020-09-1_sharedHosting
1
0
Fork 0
Code Pull requests Activity

Merge pull request #6321 from MrPetovan/bug/6316-escape-event-output

Browse source 
Escape event output
This commit is contained in:
Tobias Diekershoff 2018-12-25 08:33:43 +01:00 committed by GitHub
commit 6488738790
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 48 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

33
mod/events.php
View file

@ -97,13 +97,23 @@ function events_post(App $a)
// and we'll waste a bunch of time responding to it. Time that
// could've been spent doing something else.
$summary = Strings::escapeHtml(trim(defaults($_POST, 'summary', '')));
$desc = Strings::escapeHtml(trim(defaults($_POST, 'desc', '')));
$location = Strings::escapeHtml(trim(defaults($_POST, 'location', '')));
$summary = trim(defaults($_POST, 'summary' , ''));
$desc = trim(defaults($_POST, 'desc' , ''));
$location = trim(defaults($_POST, 'location', ''));
$type = 'event';
$action = ($event_id == '') ? 'new' : "event/" . $event_id;
$onerror_path = "events/" . $action . "?summary=$summary&description=$desc&location=$location&start=$start_text&finish=$finish_text&adjust=$adjust&nofinish=$nofinish";
$params = [
'summary' => $summary,
'description' => $desc,
'location' => $location,
'start' => $start_text,
'finish' => $finish_text,
'adjust' => $adjust,
'nofinish' => $nofinish,
];
$action = ($event_id == '') ? 'new' : 'event/' . $event_id;
$onerror_path = 'events/' . $action . '?' . http_build_query($params, null, null, PHP_QUERY_RFC3986);
if (strcmp($finish, $start) < 0 && !$nofinish) {
notice(L10n::t('Event can not end before it has started.') . EOL);
@ -137,10 +147,10 @@ function events_post(App $a)
if ($share) {
$str_group_allow = !empty($_POST['group_allow']) ? perms2str($_POST['group_allow']) : '';
$str_contact_allow = !empty($_POST['contact_allow']) ? perms2str($_POST['contact_allow']) : '';
$str_group_deny = !empty($_POST['group_deny']) ? perms2str($_POST['group_deny']) : '';
$str_contact_deny = !empty($_POST['contact_deny']) ? perms2str($_POST['contact_deny']) : '';
$str_group_allow = perms2str(defaults($_POST, 'group_allow' , ''));
$str_contact_allow = perms2str(defaults($_POST, 'contact_allow', ''));
$str_group_deny = perms2str(defaults($_POST, 'group_deny' , ''));
$str_contact_deny = perms2str(defaults($_POST, 'contact_deny' , ''));
// Undo the pseudo-contact of self, since there are real contacts now
if (strpos($str_contact_allow, '<' . $self . '>') !== false) {
@ -181,7 +191,7 @@ function events_post(App $a)
if (intval($_REQUEST['preview'])) {
$html = Event::getHTML($datarray);
echo $html;
killme();
exit();
}
$item_id = Event::store($datarray);
@ -364,8 +374,9 @@ function events_content(App $a)
}
if ($a->argc > 1 && $a->argv[1] === 'json') {
header('Content-Type: application/json');
echo json_encode($events);
killme();
exit();
}
if (!empty($_GET['id'])) {