Normalize expected format for event fields summary, desc and location
authorHypolite Petovan <hypolite@mrpetovan.com>
Tue, 25 Dec 2018 03:52:21 +0000 (22:52 -0500)
committerHypolite Petovan <hypolite@mrpetovan.com>
Tue, 25 Dec 2018 04:00:35 +0000 (23:00 -0500)
- Remove unnecessary HTML escaping on event submit
- Add HTML escaping on event display
- Add HTML to BBCode conversion for received ActivityPub events

mod/events.php
src/Model/Event.php
src/Protocol/ActivityPub/Processor.php

index a788cc157cf9be977f73ae3ee02d5a742a019a3f..cb91fae35147ad36480722ae8756b3940e0fe6ee 100644 (file)
@@ -97,9 +97,9 @@ function events_post(App $a)
        // and we'll waste a bunch of time responding to it. Time that
        // could've been spent doing something else.
 
-       $summary  = Strings::escapeHtml(trim(defaults($_POST, 'summary', '')));
-       $desc     = Strings::escapeHtml(trim(defaults($_POST, 'desc', '')));
-       $location = Strings::escapeHtml(trim(defaults($_POST, 'location', '')));
+       $summary  = trim(defaults($_POST, 'summary' , ''));
+       $desc     = trim(defaults($_POST, 'desc'    , ''));
+       $location = trim(defaults($_POST, 'location', ''));
        $type     = 'event';
 
        $params = [
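Review bot: With the escape removed from these three assignments, `summary`, `desc` and `location` are raw `$_POST` text all the way into storage, so every reader of those columns becomes an output sink that must escape. This commit updates `Event::getHTML` and the event list code, but the edit form, feeds and any export path are not visible in this diff and should be checked. Rows stored before this change still hold HTML-escaped text, so the display-time escape will see a mix of raw and pre-escaped values; whether old rows render correctly depends on how `Strings::escapeHtml` treats existing entities, which is not visible here, so confirm it or add a migration. A comment above the assignments such as `// Stored raw on purpose; escape at output (see Event::getHTML)` would record the contract. `events_post` continues outside the hunk.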
index 348ced5256ff99f68540065e652dfd56406e2402..d25f2a151ab8f90af1d17846808ea021635868bc 100644 (file)
@@ -16,6 +16,7 @@ use Friendica\Core\System;
 use Friendica\Database\DBA;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Map;
+use Friendica\Util\Strings;
 use Friendica\Util\XML;
 
 require_once 'boot.php';
@@ -52,11 +53,11 @@ class Event extends BaseObject
 
                if ($simple) {
                        if (!empty($event['summary'])) {
-                               $o = "<h3>" . BBCode::convert($event['summary'], false, $simple) . "</h3>";
+                               $o = "<h3>" . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . "</h3>";
                        }
 
                        if (!empty($event['desc'])) {
-                               $o .= "<div>" . BBCode::convert($event['desc'], false, $simple) . "</div>";
+                               $o .= "<div>" . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . "</div>";
                        }
 
                        $o .= "<h4>" . L10n::t('Starts:') . "</h4><p>" . $event_start . "</p>";
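Review bot: The expression `BBCode::convert(Strings::escapeHtml($event[...]), false, $simple)` is written out by hand here and again in the other hunks of this file, so the escape-then-convert order is enforced only by copy and paste. A later sink that calls `BBCode::convert($event['desc'])` directly would emit stored raw input without any warning. A small private static helper on `Event` that takes the raw field plus `$simple` and returns the escaped, converted HTML would keep the rule in one place. It is also worth confirming that escaping before conversion does not break BBCode tags carrying quoted attributes, since the behaviour of `Strings::escapeHtml` on quote characters is not visible in this diff. The enclosing method starts and ends outside the hunk.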
@@ -66,7 +67,7 @@ class Event extends BaseObject
                        }
 
                        if (!empty($event['location'])) {
-                               $o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert($event['location'], false, $simple) . "</p>";
+                               $o .= "<h4>" . L10n::t('Location:') . "</h4><p>" . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple) . "</p>";
                        }
 
                        return $o;
@@ -74,7 +75,7 @@ class Event extends BaseObject
 
                $o = '<div class="vevent">' . "\r\n";
 
-               $o .= '<div class="summary event-summary">' . BBCode::convert($event['summary'], false, $simple) . '</div>' . "\r\n";
+               $o .= '<div class="summary event-summary">' . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . '</div>' . "\r\n";
 
                $o .= '<div class="event-start"><span class="event-label">' . L10n::t('Starts:') . '</span>&nbsp;<span class="dtstart" title="'
                        . DateTimeFormat::utc($event['start'], (!empty($event['adjust']) ? DateTimeFormat::ATOM : 'Y-m-d\TH:i:s'))
@@ -89,12 +90,12 @@ class Event extends BaseObject
                }
 
                if (!empty($event['desc'])) {
-                       $o .= '<div class="description event-description">' . BBCode::convert($event['desc'], false, $simple) . '</div>' . "\r\n";
+                       $o .= '<div class="description event-description">' . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . '</div>' . "\r\n";
                }
 
                if (!empty($event['location'])) {
                        $o .= '<div class="event-location"><span class="event-label">' . L10n::t('Location:') . '</span>&nbsp;<span class="location">'
-                               . BBCode::convert($event['location'], false, $simple)
+                               . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple)
                                . '</span></div>' . "\r\n";
 
                        // Include a map of the location if the [map] BBCode is used.
@@ -591,10 +592,9 @@ class Event extends BaseObject
                                $drop =                  [System::baseUrl() . '/events/drop/' . $event['id'] , L10n::t('Delete event')   , '', ''];
                        }
 
-                       $title = strip_tags(html_entity_decode(BBCode::convert($event['summary']), ENT_QUOTES, 'UTF-8'));
+                       $title = BBCode::convert(Strings::escapeHtml($event['summary']));
                        if (!$title) {
-                               list($title, $_trash) = explode("<br", BBCode::convert($event['desc']), 2);
-                               $title = strip_tags(html_entity_decode($title, ENT_QUOTES, 'UTF-8'));
+                               list($title, $_trash) = explode("<br", BBCode::convert(Strings::escapeHtml($event['desc'])), 2);
                        }
 
                        $author_link = $event['author-link'];
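Review bot: `$title` used to be plain text (`strip_tags(html_entity_decode(...))`) and is now the HTML produced by `BBCode::convert`, so whatever consumes `title` (not visible in this hunk) has to insert it as markup in an element body. If it lands in an attribute or is escaped again by a template, users will see entities or broken markup. If the consumer expects plain text, `strip_tags()` can stay provided the result is escaped at the point of output. Separately, `list($title, $_trash) = explode("<br", ..., 2)` raises an undefined-offset notice whenever the converted description contains no `<br`; `$title = explode('<br', BBCode::convert(Strings::escapeHtml($event['desc'])), 2)[0];` avoids that. The enclosing method starts and ends outside the hunk.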
@@ -604,8 +604,9 @@ class Event extends BaseObject
                        $event['plink']       = Contact::magicLink($author_link, $plink);
 
                        $html = self::getHTML($event);
-                       $event['desc']     = BBCode::convert($event['desc']);
-                       $event['location'] = BBCode::convert($event['location']);
+                       $event['summary']  = BBCode::convert(Strings::escapeHtml($event['summary']));
+                       $event['desc']     = BBCode::convert(Strings::escapeHtml($event['desc']));
+                       $event['location'] = BBCode::convert(Strings::escapeHtml($event['location']));
                        $event_list[] = [
                                'id'       => $event['id'],
                                'start'    => $start,
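Review bot: The call order in this hunk is load-bearing and undocumented. `self::getHTML($event)` escapes and converts the fields itself, so it must run while `$event` still holds raw BBCode, and the three reassignments must stay after it. A comment before the call, such as `// getHTML() expects raw BBCode; convert the fields for the list entry only afterwards`, would stop a later reorder from escaping already-converted HTML. After these lines `summary`, `desc` and `location` hold HTML under the same keys that hold BBCode elsewhere, which the comment should also state. The enclosing method continues outside the hunk.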
index bff8767f380a4a76a9ff43c6892b623f2110e1d7..d2f5b3b2d5bc44b2cd08c29eb3232158caabf16f 100644 (file)
@@ -209,20 +209,20 @@ class Processor
         */
        public static function createEvent($activity, $item)
        {
-               $event['summary'] = $activity['name'];
-               $event['desc'] = $activity['content'];
-               $event['start'] = $activity['start-time'];
-               $event['finish'] = $activity['end-time'];
+               $event['summary']  = HTML::toBBCode($activity['name']);
+               $event['desc']     = HTML::toBBCode($activity['content']);
+               $event['start']    = $activity['start-time'];
+               $event['finish']   = $activity['end-time'];
                $event['nofinish'] = empty($event['finish']);
                $event['location'] = $activity['location'];
-               $event['adjust'] = true;
-               $event['cid'] = $item['contact-id'];
-               $event['uid'] = $item['uid'];
-               $event['uri'] = $item['uri'];
-               $event['edited'] = $item['edited'];
-               $event['private'] = $item['private'];
-               $event['guid'] = $item['guid'];
-               $event['plink'] = $item['plink'];
+               $event['adjust']   = true;
+               $event['cid']      = $item['contact-id'];
+               $event['uid']      = $item['uid'];
+               $event['uri']      = $item['uri'];
+               $event['edited']   = $item['edited'];
+               $event['private']  = $item['private'];
+               $event['guid']     = $item['guid'];
+               $event['plink']    = $item['plink'];
 
                $condition = ['uri' => $item['uri'], 'uid' => $item['uid']];
                $ev = DBA::selectFirst('event', ['id'], $condition);
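Review bot: `$event['location']` is still copied from `$activity['location']` unchanged while `name` and `content` now pass through `HTML::toBBCode`, so markup sent by a remote server in the location is stored as-is. The display-side escape added in `Event::getHTML` should keep it inert, but the field is not normalized like the other two; `$event['location'] = HTML::toBBCode($activity['location']);` would make the three remote text fields consistent. No `use` line for `HTML` is added to this file in the diff, so it is presumably already imported, which is worth confirming. These values come from a remote actor and are indexed without a presence check, so a missing `name` or `content` key should be handled before conversion. `createEvent` continues past the hunk.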