Merge pull request #6321 from MrPetovan/bug/6316-escape-event-output
authorTobias Diekershoff <tobias.diekershoff@gmx.net>
Tue, 25 Dec 2018 07:33:43 +0000 (08:33 +0100)
committerGitHub <noreply@github.com>
Tue, 25 Dec 2018 07:33:43 +0000 (08:33 +0100)
Escape event output

mod/events.php
src/Model/Event.php
src/Protocol/ActivityPub/Processor.php
view/theme/frio/templates/event_stream_item.tpl

index f147e005459ab85f1b7c21710007c368a833254e..cb91fae35147ad36480722ae8756b3940e0fe6ee 100644 (file)
@@ -97,13 +97,23 @@ function events_post(App $a)
        // and we'll waste a bunch of time responding to it. Time that
        // could've been spent doing something else.
 
-       $summary  = Strings::escapeHtml(trim(defaults($_POST, 'summary', '')));
-       $desc     = Strings::escapeHtml(trim(defaults($_POST, 'desc', '')));
-       $location = Strings::escapeHtml(trim(defaults($_POST, 'location', '')));
+       $summary  = trim(defaults($_POST, 'summary' , ''));
+       $desc     = trim(defaults($_POST, 'desc'    , ''));
+       $location = trim(defaults($_POST, 'location', ''));
        $type     = 'event';
 
-       $action = ($event_id == '') ? 'new' : "event/" . $event_id;
-       $onerror_path = "events/" . $action . "?summary=$summary&description=$desc&location=$location&start=$start_text&finish=$finish_text&adjust=$adjust&nofinish=$nofinish";
+       $params = [
+               'summary'     => $summary,
+               'description' => $desc,
+               'location'    => $location,
+               'start'       => $start_text,
+               'finish'      => $finish_text,
+               'adjust'      => $adjust,
+               'nofinish'    => $nofinish,
+       ];
+
+       $action = ($event_id == '') ? 'new' : 'event/' . $event_id;
+       $onerror_path = 'events/' . $action . '?' . http_build_query($params, null, null, PHP_QUERY_RFC3986);
 
        if (strcmp($finish, $start) < 0 && !$nofinish) {
                notice(L10n::t('Event can not end before it has started.') . EOL);
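Review bot: The http_build_query() call on the new `$onerror_path` line passes `null` for both `$numeric_prefix` and `$arg_separator`; `$numeric_prefix` is declared as a plain string, so this leans on null-to-string coercion that later PHP releases deprecate, and the explicit values say what is meant: `$onerror_path = 'events/' . $action . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);`. Dropping Strings::escapeHtml() here means `$summary`, `$desc` and `$location` are now stored exactly as submitted, so every output path has to do its own escaping — the RFC 3986 encoding covers the redirect URL and the Event.php hunks cover getHTML(), but the form that re-reads these query parameters on the error path is not in this diff and should be checked as well. events_post() begins before and continues after this hunk.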
@@ -137,10 +147,10 @@ function events_post(App $a)
 
 
        if ($share) {
-               $str_group_allow   = !empty($_POST['group_allow'])   ? perms2str($_POST['group_allow'])   : '';
-               $str_contact_allow = !empty($_POST['contact_allow']) ? perms2str($_POST['contact_allow']) : '';
-               $str_group_deny    = !empty($_POST['group_deny'])    ? perms2str($_POST['group_deny'])    : '';
-               $str_contact_deny  = !empty($_POST['contact_deny'])  ? perms2str($_POST['contact_deny'])  : '';
+               $str_group_allow   = perms2str(defaults($_POST, 'group_allow'  , ''));
+               $str_contact_allow = perms2str(defaults($_POST, 'contact_allow', ''));
+               $str_group_deny    = perms2str(defaults($_POST, 'group_deny'   , ''));
+               $str_contact_deny  = perms2str(defaults($_POST, 'contact_deny' , ''));
 
                // Undo the pseudo-contact of self, since there are real contacts now
                if (strpos($str_contact_allow, '<' . $self . '>') !== false) {
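Review bot: perms2str() is now called unconditionally with `''` when an ACL field is absent, where the old lines skipped the call and assigned `''` directly; the two are only equivalent if `perms2str('')` yields `''`, which cannot be confirmed from this hunk — verify it, or keep a guard such as `$str_group_allow = !empty($_POST['group_allow']) ? perms2str($_POST['group_allow']) : '';` on the four lines. A submitted value of `'0'` also behaves differently, since `!empty()` treated it as absent while `defaults()` presumably passes it through. The enclosing `if ($share)` block continues past the hunk.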
@@ -181,7 +191,7 @@ function events_post(App $a)
        if (intval($_REQUEST['preview'])) {
                $html = Event::getHTML($datarray);
                echo $html;
-               killme();
+               exit();
        }
 
        $item_id = Event::store($datarray);
@@ -364,8 +374,9 @@ function events_content(App $a)
                }
 
                if ($a->argc > 1 && $a->argv[1] === 'json') {
+                       header('Content-Type: application/json');
                        echo json_encode($events);
-                       killme();
+                       exit();
                }
 
                if (!empty($_GET['id'])) {
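Review bot: `echo json_encode($events)` directly under the new `Content-Type` header has no failure handling: json_encode() returns `false` on invalid UTF-8 or nesting errors, and with the JSON content type now declared the client receives an empty body rather than an error it can surface. Check the result before echoing, e.g. `$json = json_encode($events); if ($json === false) { http_response_code(500); exit(); }`, or use `echo json_encode($events, JSON_PARTIAL_OUTPUT_ON_ERROR);` if degraded output is acceptable. Since the summary/desc/location fields are no longer escaped on input, the values in this feed are whatever src/Model/Event.php produced for the list; consumers that inject them into the DOM as HTML depend on that escaping, which is outside this hunk. events_content() continues past the hunk.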
index 886f124153ac0a41bbbd1e7f58f6f4907aeba085..d25f2a151ab8f90af1d17846808ea021635868bc 100644 (file)
@@ -14,9 +14,9 @@ use Friendica\Core\PConfig;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Database\DBA;
-use Friendica\Model\Contact;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Map;
+use Friendica\Util\Strings;
 use Friendica\Util\XML;
 
 require_once 'boot.php';
@@ -53,11 +53,11 @@ class Event extends BaseObject
 
                if ($simple) {
                        if (!empty($event['summary'])) {
-                               $o = "<h3>" . BBCode::convert($event['summary'], false, $simple) . "</h3>";
+                               $o = "<h3>" . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . "</h3>";
                        }
 
                        if (!empty($event['desc'])) {
-                               $o .= "<div>" . BBCode::convert($event['desc'], false, $simple) . "</div>";
+                               $o .= "<div>" . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . "</div>";
                        }
 
                        $o .= "<h4>" . L10n::t('Starts:') . "</h4><p>" . $event_start . "</p>";
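Review bot: In the `$simple` branch `$o` is only assigned when `$event['summary']` is non-empty, so the `$o .=` on the desc line and on the 'Starts:' line operate on an undefined variable when the summary is blank — unless it is initialised earlier in getHTML(), which lies outside the hunk; `$o = '';` before `if ($simple) {` settles it. Applying Strings::escapeHtml() before BBCode::convert() is the right order for user-supplied text, and the same pattern recurs in the later hunks of this file, but it assumes the stored `summary`, `desc` and `location` are raw BBCode and not already HTML-escaped; events that enter the table through paths other than mod/events.php and Processor::createEvent() would be double-escaped, which is worth confirming.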
@@ -67,7 +67,7 @@ class Event extends BaseObject
                        }
 
                        if (!empty($event['location'])) {
-                               $o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert($event['location'], false, $simple) . "</p>";
+                               $o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple) . "</p>";
                        }
 
                        return $o;
@@ -75,7 +75,7 @@ class Event extends BaseObject
 
                $o = '<div class="vevent">' . "\r\n";
 
-               $o .= '<div class="summary event-summary">' . BBCode::convert($event['summary'], false, $simple) . '</div>' . "\r\n";
+               $o .= '<div class="summary event-summary">' . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . '</div>' . "\r\n";
 
                $o .= '<div class="event-start"><span class="event-label">' . L10n::t('Starts:') . '</span>&nbsp;<span class="dtstart" title="'
                        . DateTimeFormat::utc($event['start'], (!empty($event['adjust']) ? DateTimeFormat::ATOM : 'Y-m-d\TH:i:s'))
@@ -90,12 +90,12 @@ class Event extends BaseObject
                }
 
                if (!empty($event['desc'])) {
-                       $o .= '<div class="description event-description">' . BBCode::convert($event['desc'], false, $simple) . '</div>' . "\r\n";
+                       $o .= '<div class="description event-description">' . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . '</div>' . "\r\n";
                }
 
                if (!empty($event['location'])) {
                        $o .= '<div class="event-location"><span class="event-label">' . L10n::t('Location:') . '</span>&nbsp;<span class="location">'
-                               . BBCode::convert($event['location'], false, $simple)
+                               . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple)
                                . '</span></div>' . "\r\n";
 
                        // Include a map of the location if the [map] BBCode is used.
@@ -592,10 +592,9 @@ class Event extends BaseObject
                                $drop =                  [System::baseUrl() . '/events/drop/' . $event['id'] , L10n::t('Delete event')   , '', ''];
                        }
 
-                       $title = strip_tags(html_entity_decode(BBCode::convert($event['summary']), ENT_QUOTES, 'UTF-8'));
+                       $title = BBCode::convert(Strings::escapeHtml($event['summary']));
                        if (!$title) {
-                               list($title, $_trash) = explode("<br", BBCode::convert($event['desc']), 2);
-                               $title = strip_tags(html_entity_decode($title, ENT_QUOTES, 'UTF-8'));
+                               list($title, $_trash) = explode("<br", BBCode::convert(Strings::escapeHtml($event['desc'])), 2);
                        }
 
                        $author_link = $event['author-link'];
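Review bot: `$title` is now BBCode-rendered HTML instead of decoded plain text, which is why the frio template marks it `nofilter`; any other consumer of this list — another theme's event_stream_item.tpl, or the JSON feed served by mod/events.php for the calendar — that renders it as text will now display entities and tags and needs the same treatment, which cannot be checked from here. The `list($title, $_trash) = explode("<br", ..., 2)` form also emits an undefined-offset notice when the description has no line break, because explode() then returns a single element; `$title = explode("<br", BBCode::convert(Strings::escapeHtml($event['desc'])), 2)[0];` avoids both the notice and the unused `$_trash`. The enclosing loop continues past the hunk.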
@@ -605,8 +604,9 @@ class Event extends BaseObject
                        $event['plink']       = Contact::magicLink($author_link, $plink);
 
                        $html = self::getHTML($event);
-                       $event['desc']     = BBCode::convert($event['desc']);
-                       $event['location'] = BBCode::convert($event['location']);
+                       $event['summary']  = BBCode::convert(Strings::escapeHtml($event['summary']));
+                       $event['desc']     = BBCode::convert(Strings::escapeHtml($event['desc']));
+                       $event['location'] = BBCode::convert(Strings::escapeHtml($event['location']));
                        $event_list[] = [
                                'id'       => $event['id'],
                                'start'    => $start,
index bff8767f380a4a76a9ff43c6892b623f2110e1d7..d2f5b3b2d5bc44b2cd08c29eb3232158caabf16f 100644 (file)
@@ -209,20 +209,20 @@ class Processor
         */
        public static function createEvent($activity, $item)
        {
-               $event['summary'] = $activity['name'];
-               $event['desc'] = $activity['content'];
-               $event['start'] = $activity['start-time'];
-               $event['finish'] = $activity['end-time'];
+               $event['summary']  = HTML::toBBCode($activity['name']);
+               $event['desc']     = HTML::toBBCode($activity['content']);
+               $event['start']    = $activity['start-time'];
+               $event['finish']   = $activity['end-time'];
                $event['nofinish'] = empty($event['finish']);
                $event['location'] = $activity['location'];
-               $event['adjust'] = true;
-               $event['cid'] = $item['contact-id'];
-               $event['uid'] = $item['uid'];
-               $event['uri'] = $item['uri'];
-               $event['edited'] = $item['edited'];
-               $event['private'] = $item['private'];
-               $event['guid'] = $item['guid'];
-               $event['plink'] = $item['plink'];
+               $event['adjust']   = true;
+               $event['cid']      = $item['contact-id'];
+               $event['uid']      = $item['uid'];
+               $event['uri']      = $item['uri'];
+               $event['edited']   = $item['edited'];
+               $event['private']  = $item['private'];
+               $event['guid']     = $item['guid'];
+               $event['plink']    = $item['plink'];
 
                $condition = ['uri' => $item['uri'], 'uid' => $item['uid']];
                $ev = DBA::selectFirst('event', ['id'], $condition);
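Review bot: `$event['location']` is still copied verbatim from `$activity['location']` while `name` and `content` now pass through HTML::toBBCode(), so if the location can carry markup from the remote actor it is stored in a different form than the other two fields; Event::getHTML() escapes it on output, so this is a consistency rather than an injection concern, and `$event['location'] = HTML::toBBCode($activity['location']);` would align it if the value is HTML text rather than a plain place name. The `HTML` class must be imported in this file's `use` block, which is outside the hunk. createEvent() continues past the hunk.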
index 330f88cbbbe95b00d6941ae52f33a7d81e3eb197..9264e9d2e3e92861606755ccb185b826475ff3d9 100644 (file)
@@ -12,7 +12,8 @@
                                        </span>
                                </div>
                                <div class="event-card-content media-body">
-                                       <div class="event-title event-card-title summary event-summary">{{$title}}</div>
+                                       <div class="event-title event-card-title summary event-summary">{{$title nofilter}}</div>
+
                                        {{* If there is a map, we insert a button for showing/hiding the map *}}
                                        {{if $location.map}}<button id="event-map-btn-{{$id}}" class="event-map-btn btn-link fakelink nav nav-pills preferences" data-map-id="event-location-map-{{$id}}" data-show-label="{{$show_map_label}}" data-hide-label="{{$hide_map_label}}">{{$map_btn_label}}</button>{{/if}}
                                        <div class="event-property">
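Review bot: `{{$title nofilter}}` switches off the template engine's auto-escaping for this value, so the line is only safe while `$title` is produced in src/Model/Event.php with Strings::escapeHtml() applied before BBCode::convert(); that invariant is invisible from the template itself. Record it beside the line: `{{* $title is pre-escaped HTML built in src/Model/Event.php; never pass raw user text here *}}`.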