Escape HTML in event mapping callback

- This prevents arbitrary JavaScript from being executed from the calendar view
This commit is contained in:
Hypolite Petovan 2022-12-02 19:41:46 -05:00
parent 2f42606c43
commit a0752b1161
1 changed files with 4 additions and 3 deletions


@ -34,6 +34,7 @@ use Friendica\Module\Response;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Util\DateTimeFormat; use Friendica\Util\DateTimeFormat;
use Friendica\Util\Profiler; use Friendica\Util\Profiler;
use Friendica\Util\Strings;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
/** /**
@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule
return [ return [
'id' => $event['id'], 'id' => $event['id'],
'title' => $event['summary'], 'title' => Strings::escapeHtml($event['summary']),
'start' => DateTimeFormat::local($event['start']), 'start' => DateTimeFormat::local($event['start']),
'end' => DateTimeFormat::local($event['finish']), 'end' => DateTimeFormat::local($event['finish']),
'nofinish' => $event['nofinish'], 'nofinish' => $event['nofinish'],
'desc' => $event['desc'], 'desc' => Strings::escapeHtml($event['desc']),
'location' => $event['location'], 'location' => Strings::escapeHtml($event['location']),
'item' => $item, 'item' => $item,
]; ];
}, $events); }, $events);
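Review bot: The escaping added on the `title`, `desc` and `location` keys happens in the data-mapping callback rather than at the HTML sink, so every consumer of this response now receives entity-encoded text, and a consumer that inserts these fields as plain text (or escapes again on render) will show `&amp;` and `&lt;` literally, while `$item` on the line right after them is still passed through untouched. If the calendar front-end really injects these three fields as raw HTML, that contract deserves a comment on the array so the next change does not double-escape or strip it, e.g. `// title/desc/location are pre-escaped: the calendar view injects them as HTML, not as text`. It is also worth confirming that `Strings::escapeHtml` escapes single quotes (the `ENT_QUOTES` flag), since a value that ends up inside an attribute or inline-JS context is not protected by `&lt;`/`&gt;`/`&quot;` alone. If `$item` carries user-controlled text that the same view renders, it presumably needs the same treatment, but that cannot be told from this hunk. The callback and the enclosing method begin before this hunk.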