Escape HTML in event mapping callback
authorHypolite Petovan <hypolite@mrpetovan.com>
Sat, 3 Dec 2022 00:41:46 +0000 (19:41 -0500)
committerHypolite Petovan <hypolite@mrpetovan.com>
Sun, 4 Dec 2022 11:37:37 +0000 (06:37 -0500)
- This prevents arbitrary JavaScript from being executed from the calendar view

src/Module/Calendar/Event/Get.php

index 9bb86a723241f5b079f7c318cd5ab602eb22a815..9ed2045f506118bbca492269218e519a2dabbddd 100644 (file)
@@ -34,6 +34,7 @@ use Friendica\Module\Response;
 use Friendica\Network\HTTPException;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Friendica\Util\Strings;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule
 
                        return [
                                'id'       => $event['id'],
-                               'title'    => $event['summary'],
+                               'title'    => Strings::escapeHtml($event['summary']),
                                'start'    => DateTimeFormat::local($event['start']),
                                'end'      => DateTimeFormat::local($event['finish']),
                                'nofinish' => $event['nofinish'],
-                               'desc'     => $event['desc'],
-                               'location' => $event['location'],
+                               'desc'     => Strings::escapeHtml($event['desc']),
+                               'location' => Strings::escapeHtml($event['location']),
                                'item'     => $item,
                        ];
                }, $events);
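Review bot: The escaping added on the `title`, `desc` and `location` lines has no comment saying why it happens in the data-mapping callback rather than at render time, so a later cleanup or a front-end consumer that sets these fields via textContent could undo or double-apply it; add a line above the `return [`, e.g. `// Escape here: the calendar front-end injects these fields as HTML, so this callback is the XSS boundary.` If `summary`, `desc` or `location` can be null in the event row, `Strings::escapeHtml` presumably forwards to htmlspecialchars(), which deprecates null input on PHP 8.1+; `'desc' => Strings::escapeHtml($event['desc'] ?? ''),` (and likewise for the other two) would cover that, worth confirming against the column definitions. Whether `$item` also carries user-controlled text that reaches the same view is not visible from this hunk. The callback this return belongs to starts outside the hunk.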