From: Hypolite Petovan
Date: Sat, 3 Dec 2022 00:41:46 +0000 (-0500)
Subject: Escape HTML in event mapping callback
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=a0752b1161ca75b23612a3304caf03c355cfd187;p=friendica.git

Escape HTML in event mapping callback

- This prevents arbitrary Javascript from being executed from the calendar view
---

diff --git a/src/Module/Calendar/Event/Get.php b/src/Module/Calendar/Event/Get.php
index 9bb86a7232..9ed2045f50 100644
--- a/src/Module/Calendar/Event/Get.php
+++ b/src/Module/Calendar/Event/Get.php
@@ -34,6 +34,7 @@ use Friendica\Module\Response;
 use Friendica\Network\HTTPException;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Friendica\Util\Strings;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule
 
 return [
 'id' => $event['id'],
- 'title' => $event['summary'],
+ 'title' => Strings::escapeHtml($event['summary']),
 'start' => DateTimeFormat::local($event['start']),
 'end' => DateTimeFormat::local($event['finish']),
 'nofinish' => $event['nofinish'],
- 'desc' => $event['desc'],
- 'location' => $event['location'],
+ 'desc' => Strings::escapeHtml($event['desc']),
+ 'location' => Strings::escapeHtml($event['location']),
 'item' => $item,
 ];
 }, $events);
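Review bot: The escaping in the second hunk is applied at the data layer, so it is only correct if every consumer of `title`, `desc` and `location` injects them as HTML; if the calendar JavaScript ever sets one of them as text (textContent or an equivalent), it will render double-encoded, and nothing in this array tells a later reader which contract applies. Add a comment above `return [` such as `// title/desc/location are pre-escaped for an HTML sink (the calendar view inserts them as markup); consumers must not escape them again` so the output context is explicit. The `item` element is still passed through unescaped; whether that is safe depends on how it is built, which is outside the hunk, as is the start of the enclosing closure. If `summary`, `desc` or `location` can be NULL in the event table, it is worth confirming that `Strings::escapeHtml` tolerates null, since `htmlspecialchars(null)` is deprecated from PHP 8.1.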