// and we'll waste a bunch of time responding to it. Time that
// could've been spent doing something else.
- $summary = Strings::escapeHtml(trim(defaults($_POST, 'summary', '')));
- $desc = Strings::escapeHtml(trim(defaults($_POST, 'desc', '')));
- $location = Strings::escapeHtml(trim(defaults($_POST, 'location', '')));
+ $summary = trim(defaults($_POST, 'summary' , ''));
+ $desc = trim(defaults($_POST, 'desc' , ''));
+ $location = trim(defaults($_POST, 'location', ''));
$type = 'event';
- $action = ($event_id == '') ? 'new' : "event/" . $event_id;
- $onerror_path = "events/" . $action . "?summary=$summary&description=$desc&location=$location&start=$start_text&finish=$finish_text&adjust=$adjust&nofinish=$nofinish";
+ $params = [
+ 'summary' => $summary,
+ 'description' => $desc,
+ 'location' => $location,
+ 'start' => $start_text,
+ 'finish' => $finish_text,
+ 'adjust' => $adjust,
+ 'nofinish' => $nofinish,
+ ];
+
+ $action = ($event_id == '') ? 'new' : 'event/' . $event_id;
+ $onerror_path = 'events/' . $action . '?' . http_build_query($params, null, null, PHP_QUERY_RFC3986);
if (strcmp($finish, $start) < 0 && !$nofinish) {
notice(L10n::t('Event can not end before it has started.') . EOL);
if ($share) {
- $str_group_allow = !empty($_POST['group_allow']) ? perms2str($_POST['group_allow']) : '';
- $str_contact_allow = !empty($_POST['contact_allow']) ? perms2str($_POST['contact_allow']) : '';
- $str_group_deny = !empty($_POST['group_deny']) ? perms2str($_POST['group_deny']) : '';
- $str_contact_deny = !empty($_POST['contact_deny']) ? perms2str($_POST['contact_deny']) : '';
+ $str_group_allow = perms2str(defaults($_POST, 'group_allow' , ''));
+ $str_contact_allow = perms2str(defaults($_POST, 'contact_allow', ''));
+ $str_group_deny = perms2str(defaults($_POST, 'group_deny' , ''));
+ $str_contact_deny = perms2str(defaults($_POST, 'contact_deny' , ''));
// Undo the pseudo-contact of self, since there are real contacts now
if (strpos($str_contact_allow, '<' . $self . '>') !== false) {
if (intval($_REQUEST['preview'])) {
$html = Event::getHTML($datarray);
echo $html;
- killme();
+ exit();
}
$item_id = Event::store($datarray);
}
if ($a->argc > 1 && $a->argv[1] === 'json') {
+ header('Content-Type: application/json');
echo json_encode($events);
- killme();
+ exit();
}
if (!empty($_GET['id'])) {
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Database\DBA;
-use Friendica\Model\Contact;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Map;
+use Friendica\Util\Strings;
use Friendica\Util\XML;
require_once 'boot.php';
if ($simple) {
if (!empty($event['summary'])) {
- $o = "<h3>" . BBCode::convert($event['summary'], false, $simple) . "</h3>";
+ $o = "<h3>" . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . "</h3>";
}
if (!empty($event['desc'])) {
- $o .= "<div>" . BBCode::convert($event['desc'], false, $simple) . "</div>";
+ $o .= "<div>" . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . "</div>";
}
$o .= "<h4>" . L10n::t('Starts:') . "</h4><p>" . $event_start . "</p>";
}
if (!empty($event['location'])) {
- $o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert($event['location'], false, $simple) . "</p>";
+ $o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple) . "</p>";
}
return $o;
$o = '<div class="vevent">' . "\r\n";
- $o .= '<div class="summary event-summary">' . BBCode::convert($event['summary'], false, $simple) . '</div>' . "\r\n";
+ $o .= '<div class="summary event-summary">' . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . '</div>' . "\r\n";
$o .= '<div class="event-start"><span class="event-label">' . L10n::t('Starts:') . '</span> <span class="dtstart" title="'
. DateTimeFormat::utc($event['start'], (!empty($event['adjust']) ? DateTimeFormat::ATOM : 'Y-m-d\TH:i:s'))
}
if (!empty($event['desc'])) {
- $o .= '<div class="description event-description">' . BBCode::convert($event['desc'], false, $simple) . '</div>' . "\r\n";
+ $o .= '<div class="description event-description">' . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . '</div>' . "\r\n";
}
if (!empty($event['location'])) {
$o .= '<div class="event-location"><span class="event-label">' . L10n::t('Location:') . '</span> <span class="location">'
- . BBCode::convert($event['location'], false, $simple)
+ . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple)
. '</span></div>' . "\r\n";
// Include a map of the location if the [map] BBCode is used.
$drop = [System::baseUrl() . '/events/drop/' . $event['id'] , L10n::t('Delete event') , '', ''];
}
- $title = strip_tags(html_entity_decode(BBCode::convert($event['summary']), ENT_QUOTES, 'UTF-8'));
+ $title = BBCode::convert(Strings::escapeHtml($event['summary']));
if (!$title) {
- list($title, $_trash) = explode("<br", BBCode::convert($event['desc']), 2);
- $title = strip_tags(html_entity_decode($title, ENT_QUOTES, 'UTF-8'));
+ list($title, $_trash) = explode("<br", BBCode::convert(Strings::escapeHtml($event['desc'])), 2);
}
$author_link = $event['author-link'];
$event['plink'] = Contact::magicLink($author_link, $plink);
$html = self::getHTML($event);
- $event['desc'] = BBCode::convert($event['desc']);
- $event['location'] = BBCode::convert($event['location']);
+ $event['summary'] = BBCode::convert(Strings::escapeHtml($event['summary']));
+ $event['desc'] = BBCode::convert(Strings::escapeHtml($event['desc']));
+ $event['location'] = BBCode::convert(Strings::escapeHtml($event['location']));
$event_list[] = [
'id' => $event['id'],
'start' => $start,
*/
public static function createEvent($activity, $item)
{
- $event['summary'] = $activity['name'];
- $event['desc'] = $activity['content'];
- $event['start'] = $activity['start-time'];
- $event['finish'] = $activity['end-time'];
+ $event['summary'] = HTML::toBBCode($activity['name']);
+ $event['desc'] = HTML::toBBCode($activity['content']);
+ $event['start'] = $activity['start-time'];
+ $event['finish'] = $activity['end-time'];
$event['nofinish'] = empty($event['finish']);
$event['location'] = $activity['location'];
- $event['adjust'] = true;
- $event['cid'] = $item['contact-id'];
- $event['uid'] = $item['uid'];
- $event['uri'] = $item['uri'];
- $event['edited'] = $item['edited'];
- $event['private'] = $item['private'];
- $event['guid'] = $item['guid'];
- $event['plink'] = $item['plink'];
+ $event['adjust'] = true;
+ $event['cid'] = $item['contact-id'];
+ $event['uid'] = $item['uid'];
+ $event['uri'] = $item['uri'];
+ $event['edited'] = $item['edited'];
+ $event['private'] = $item['private'];
+ $event['guid'] = $item['guid'];
+ $event['plink'] = $item['plink'];
$condition = ['uri' => $item['uri'], 'uid' => $item['uid']];
$ev = DBA::selectFirst('event', ['id'], $condition);
</span>
</div>
<div class="event-card-content media-body">
- <div class="event-title event-card-title summary event-summary">{{$title}}</div>
+ <div class="event-title event-card-title summary event-summary">{{$title nofilter}}</div>
+
{{* If there is a map, we insert a button for showing/hiding the map *}}
{{if $location.map}}<button id="event-map-btn-{{$id}}" class="event-map-btn btn-link fakelink nav nav-pills preferences" data-map-id="event-location-map-{{$id}}" data-show-label="{{$show_map_label}}" data-hide-label="{{$hide_map_label}}">{{$map_btn_label}}</button>{{/if}}
<div class="event-property">