From a0752b1161ca75b23612a3304caf03c355cfd187 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 2 Dec 2022 19:41:46 -0500 Subject: [PATCH] Escape HTML in event mapping callback - This prevents arbitrary Javascript from being executed from the calendar view --- src/Module/Calendar/Event/Get.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/Module/Calendar/Event/Get.php b/src/Module/Calendar/Event/Get.php index 9bb86a7232..9ed2045f50 100644 --- a/src/Module/Calendar/Event/Get.php +++ b/src/Module/Calendar/Event/Get.php @@ -34,6 +34,7 @@ use Friendica\Module\Response; use Friendica\Network\HTTPException; use Friendica\Util\DateTimeFormat; use Friendica\Util\Profiler; +use Friendica\Util\Strings; use Psr\Log\LoggerInterface; /** @@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule return [ 'id' => $event['id'], - 'title' => $event['summary'], + 'title' => Strings::escapeHtml($event['summary']), 'start' => DateTimeFormat::local($event['start']), 'end' => DateTimeFormat::local($event['finish']), 'nofinish' => $event['nofinish'], - 'desc' => $event['desc'], - 'location' => $event['location'], + 'desc' => Strings::escapeHtml($event['desc']), + 'location' => Strings::escapeHtml($event['location']), 'item' => $item, ]; }, $events);