Merge pull request #6321 from MrPetovan/bug/6316-escape-event-output

Escape event output

mod/events.php

@@ -97,13 +97,23 @@ function events_post(App $a)
 	// and we'll waste a bunch of time responding to it. Time that
 	// could've been spent doing something else.
 
-	$summary  = Strings::escapeHtml(trim(defaults($_POST, 'summary', '')));
+	$summary  = trim(defaults($_POST, 'summary' , ''));
-	$desc     = Strings::escapeHtml(trim(defaults($_POST, 'desc', '')));
+	$desc     = trim(defaults($_POST, 'desc'    , ''));
-	$location = Strings::escapeHtml(trim(defaults($_POST, 'location', '')));
+	$location = trim(defaults($_POST, 'location', ''));
 	$type     = 'event';
 
-	$action = ($event_id == '') ? 'new' : "event/" . $event_id;
+	$params = [
-	$onerror_path = "events/" . $action . "?summary=$summary&description=$desc&location=$location&start=$start_text&finish=$finish_text&adjust=$adjust&nofinish=$nofinish";
+		'summary'     => $summary,
+		'description' => $desc,
+		'location'    => $location,
+		'start'       => $start_text,
+		'finish'      => $finish_text,
+		'adjust'      => $adjust,
+		'nofinish'    => $nofinish,
+	];
+
+	$action = ($event_id == '') ? 'new' : 'event/' . $event_id;
+	$onerror_path = 'events/' . $action . '?' . http_build_query($params, null, null, PHP_QUERY_RFC3986);
 
 	if (strcmp($finish, $start) < 0 && !$nofinish) {
 		notice(L10n::t('Event can not end before it has started.') . EOL);
@@ -137,10 +147,10 @@ function events_post(App $a)
 
 
 	if ($share) {
-		$str_group_allow   = !empty($_POST['group_allow'])   ? perms2str($_POST['group_allow'])   : '';
+		$str_group_allow   = perms2str(defaults($_POST, 'group_allow'  , ''));
-		$str_contact_allow = !empty($_POST['contact_allow']) ? perms2str($_POST['contact_allow']) : '';
+		$str_contact_allow = perms2str(defaults($_POST, 'contact_allow', ''));
-		$str_group_deny    = !empty($_POST['group_deny'])    ? perms2str($_POST['group_deny'])    : '';
+		$str_group_deny    = perms2str(defaults($_POST, 'group_deny'   , ''));
-		$str_contact_deny  = !empty($_POST['contact_deny'])  ? perms2str($_POST['contact_deny'])  : '';
+		$str_contact_deny  = perms2str(defaults($_POST, 'contact_deny' , ''));
 
 		// Undo the pseudo-contact of self, since there are real contacts now
 		if (strpos($str_contact_allow, '<' . $self . '>') !== false) {
@@ -181,7 +191,7 @@ function events_post(App $a)
 	if (intval($_REQUEST['preview'])) {
 		$html = Event::getHTML($datarray);
 		echo $html;
-		killme();
+		exit();
 	}
 
 	$item_id = Event::store($datarray);
@@ -364,8 +374,9 @@ function events_content(App $a)
 		}
 
 		if ($a->argc > 1 && $a->argv[1] === 'json') {
+			header('Content-Type: application/json');
 			echo json_encode($events);
-			killme();
+			exit();
 		}
 
 		if (!empty($_GET['id'])) {

src/Model/Event.php

@@ -14,9 +14,9 @@ use Friendica\Core\PConfig;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Database\DBA;
-use Friendica\Model\Contact;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Map;
+use Friendica\Util\Strings;
 use Friendica\Util\XML;
 
 require_once 'boot.php';
@@ -53,11 +53,11 @@ class Event extends BaseObject
 
 		if ($simple) {
 			if (!empty($event['summary'])) {
-				$o = "<h3>" . BBCode::convert($event['summary'], false, $simple) . "</h3>";
+				$o = "<h3>" . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . "</h3>";
 			}
 
 			if (!empty($event['desc'])) {
-				$o .= "<div>" . BBCode::convert($event['desc'], false, $simple) . "</div>";
+				$o .= "<div>" . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . "</div>";
 			}
 
 			$o .= "<h4>" . L10n::t('Starts:') . "</h4><p>" . $event_start . "</p>";
@@ -67,7 +67,7 @@ class Event extends BaseObject
 			}
 
 			if (!empty($event['location'])) {
-				$o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert($event['location'], false, $simple) . "</p>";
+				$o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple) . "</p>";
 			}
 
 			return $o;
@@ -75,7 +75,7 @@ class Event extends BaseObject
 
 		$o = '<div class="vevent">' . "\r\n";
 
-		$o .= '<div class="summary event-summary">' . BBCode::convert($event['summary'], false, $simple) . '</div>' . "\r\n";
+		$o .= '<div class="summary event-summary">' . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . '</div>' . "\r\n";
 
 		$o .= '<div class="event-start"><span class="event-label">' . L10n::t('Starts:') . '</span>&nbsp;<span class="dtstart" title="'
 			. DateTimeFormat::utc($event['start'], (!empty($event['adjust']) ? DateTimeFormat::ATOM : 'Y-m-d\TH:i:s'))
@@ -90,12 +90,12 @@ class Event extends BaseObject
 		}
 
 		if (!empty($event['desc'])) {
-			$o .= '<div class="description event-description">' . BBCode::convert($event['desc'], false, $simple) . '</div>' . "\r\n";
+			$o .= '<div class="description event-description">' . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . '</div>' . "\r\n";
 		}
 
 		if (!empty($event['location'])) {
 			$o .= '<div class="event-location"><span class="event-label">' . L10n::t('Location:') . '</span>&nbsp;<span class="location">'
-				. BBCode::convert($event['location'], false, $simple)
+				. BBCode::convert(Strings::escapeHtml($event['location']), false, $simple)
 				. '</span></div>' . "\r\n";
 
 			// Include a map of the location if the [map] BBCode is used.
@@ -592,10 +592,9 @@ class Event extends BaseObject
 				$drop =                  [System::baseUrl() . '/events/drop/' . $event['id'] , L10n::t('Delete event')   , '', ''];
 			}
 
-			$title = strip_tags(html_entity_decode(BBCode::convert($event['summary']), ENT_QUOTES, 'UTF-8'));
+			$title = BBCode::convert(Strings::escapeHtml($event['summary']));
 			if (!$title) {
-				list($title, $_trash) = explode("<br", BBCode::convert($event['desc']), 2);
+				list($title, $_trash) = explode("<br", BBCode::convert(Strings::escapeHtml($event['desc'])), 2);
-				$title = strip_tags(html_entity_decode($title, ENT_QUOTES, 'UTF-8'));
 			}
 
 			$author_link = $event['author-link'];
@@ -605,8 +604,9 @@ class Event extends BaseObject
 			$event['plink']       = Contact::magicLink($author_link, $plink);
 
 			$html = self::getHTML($event);
-			$event['desc']     = BBCode::convert($event['desc']);
+			$event['summary']  = BBCode::convert(Strings::escapeHtml($event['summary']));
-			$event['location'] = BBCode::convert($event['location']);
+			$event['desc']     = BBCode::convert(Strings::escapeHtml($event['desc']));
+			$event['location'] = BBCode::convert(Strings::escapeHtml($event['location']));
 			$event_list[] = [
 				'id'       => $event['id'],
 				'start'    => $start,

src/Protocol/ActivityPub/Processor.php

@@ -209,20 +209,20 @@ class Processor
 	 */
 	public static function createEvent($activity, $item)
 	{
-		$event['summary'] = $activity['name'];
+		$event['summary']  = HTML::toBBCode($activity['name']);
-		$event['desc'] = $activity['content'];
+		$event['desc']     = HTML::toBBCode($activity['content']);
-		$event['start'] = $activity['start-time'];
+		$event['start']    = $activity['start-time'];
-		$event['finish'] = $activity['end-time'];
+		$event['finish']   = $activity['end-time'];
 		$event['nofinish'] = empty($event['finish']);
 		$event['location'] = $activity['location'];
-		$event['adjust'] = true;
+		$event['adjust']   = true;
-		$event['cid'] = $item['contact-id'];
+		$event['cid']      = $item['contact-id'];
-		$event['uid'] = $item['uid'];
+		$event['uid']      = $item['uid'];
-		$event['uri'] = $item['uri'];
+		$event['uri']      = $item['uri'];
-		$event['edited'] = $item['edited'];
+		$event['edited']   = $item['edited'];
-		$event['private'] = $item['private'];
+		$event['private']  = $item['private'];
-		$event['guid'] = $item['guid'];
+		$event['guid']     = $item['guid'];
-		$event['plink'] = $item['plink'];
+		$event['plink']    = $item['plink'];
 
 		$condition = ['uri' => $item['uri'], 'uid' => $item['uid']];
 		$ev = DBA::selectFirst('event', ['id'], $condition);

view/theme/frio/templates/event_stream_item.tpl

@@ -12,7 +12,8 @@
 					</span>
 				</div>
 				<div class="event-card-content media-body">
-					<div class="event-title event-card-title summary event-summary">{{$title}}</div>
+					<div class="event-title event-card-title summary event-summary">{{$title nofilter}}</div>
+
 					{{* If there is a map, we insert a button for showing/hiding the map *}}
 					{{if $location.map}}<button id="event-map-btn-{{$id}}" class="event-map-btn btn-link fakelink nav nav-pills preferences" data-map-id="event-location-map-{{$id}}" data-show-label="{{$show_map_label}}" data-hide-label="{{$hide_map_label}}">{{$map_btn_label}}</button>{{/if}}
 					<div class="event-property">