Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

src/Model/Event.php

@@ -925,9 +925,6 @@ class Event
 			$end_short   = '';
 		}
 
-		// Format the event location.
-		$location = self::locationToArray($item['event-location']);
-
 		// Construct the profile link (magic-auth).
 		$author       = [
 			'uid'     => 0,
@@ -964,7 +961,7 @@ class Event
 			'$show_map_label' => DI::l10n()->t('Show map'),
 			'$hide_map_label' => DI::l10n()->t('Hide map'),
 			'$map_btn_label'  => DI::l10n()->t('Show map'),
-			'$location'       => $location
+			'$location'       => self::locationToTemplateVars($item['event-location']),
 		]);
 
 		return $return;
@@ -984,7 +981,7 @@ class Event
 	 * 'coordinates' => Latitude and longitude (e.g. '48.864716,2.349014').<br>
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 */
-	private static function locationToArray(string $s = ''): array
+	private static function locationToTemplateVars(string $s = ''): array
 	{
 		if ($s == '') {
 			return [];

view/theme/frio/templates/event_stream_item.tpl

@@ -23,7 +23,7 @@
 						</span>
 						{{if $location.name}}
 						<span role="presentation" aria-hidden="true"> · </span>
-						<span class="event-location event-card-location">{{$location.name nofilter}}</span>
+						<span class="event-location event-card-location">{{$location.name}}</span>
 						{{/if}}
 					</div>
 					<div class="event-card-profile-name profile-entry-name">