From bb737adf517ca3f506efd87ff7f1ed588786c96e Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 21 Feb 2024 21:56:11 -0500
Subject: [PATCH] Escape HTML in the location field of a calendar event post
- This allowed script tags to be interpreted in the post display of an event.
---
 src/Model/Event.php | 7 ++-----
 view/theme/frio/templates/event_stream_item.tpl | 2 +-
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/Model/Event.php b/src/Model/Event.php
index 3709af06c1..1866303783 100644
--- a/src/Model/Event.php
+++ b/src/Model/Event.php
@@ -925,9 +925,6 @@ class Event
 $end_short = '';
 }
 
- // Format the event location.
- $location = self::locationToArray($item['event-location']);
-
 // Construct the profile link (magic-auth).
 $author = [
 'uid' => 0,
@@ -964,7 +961,7 @@ class Event
 '$show_map_label' => DI::l10n()->t('Show map'),
 '$hide_map_label' => DI::l10n()->t('Hide map'),
 '$map_btn_label' => DI::l10n()->t('Show map'),
- '$location' => $location
+ '$location' => self::locationToTemplateVars($item['event-location']),
 ]);
 
 return $return;
@@ -984,7 +981,7 @@ class Event
 * 'coordinates' => Latitude and longitude (e.g. '48.864716,2.349014').
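Review bot: The `+` line that passes `self::locationToTemplateVars(...)` into the template hands over the same unescaped values the removed `$location` local held, so the actual neutralisation of markup in the location name happens only in the template side of this patch, not here. The diffstat touches just the frio copy of event_stream_item.tpl; if other themes ship their own copy of that template and still render `{{$location.name nofilter}}`, they would presumably keep displaying the raw value, which is worth checking before merging. A one-line comment above the `+` line would make the division of responsibility explicit for the next maintainer: `// Values are passed raw; the template must render them with default escaping (no nofilter).` The enclosing method starts and ends outside this hunk.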
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
 */
- private static function locationToArray(string $s = ''): array
+ private static function locationToTemplateVars(string $s = ''): array
 {
 if ($s == '') {
 return [];
diff --git a/view/theme/frio/templates/event_stream_item.tpl b/view/theme/frio/templates/event_stream_item.tpl
index 2f2af2732e..74a9734907 100644
--- a/view/theme/frio/templates/event_stream_item.tpl
+++ b/view/theme/frio/templates/event_stream_item.tpl
@@ -23,7 +23,7 @@
 {{if $location.name}}
- {{$location.name nofilter}}
+ {{$location.name}}
 {{/if}}
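Review bot: The rename to `locationToTemplateVars` on the `+` line signals that the returned array is meant for direct template consumption, but the docblock visible in the context above it still only enumerates the keys (e.g. `'coordinates'`) and the `@throws`, so the escaping contract the commit depends on is nowhere written down. Suggest adding a line to that docblock such as ` * Values are returned unescaped; the consuming template must render them with the engine's default escaping and must not apply nofilter.` so that a future template author does not reintroduce the original issue. The method body continues past the end of this hunk.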