Escape HTML in event mapping callback
- This prevents arbitrary Javascript from being executed from the calendar view
This commit is contained in:
parent
2f42606c43
commit
a0752b1161
1 changed files with 4 additions and 3 deletions
|
@ -34,6 +34,7 @@ use Friendica\Module\Response;
|
|||
use Friendica\Network\HTTPException;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
use Friendica\Util\Profiler;
|
||||
use Friendica\Util\Strings;
|
||||
use Psr\Log\LoggerInterface;
|
||||
|
||||
/**
|
||||
|
@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule
|
|||
|
||||
return [
|
||||
'id' => $event['id'],
|
||||
'title' => $event['summary'],
|
||||
'title' => Strings::escapeHtml($event['summary']),
|
||||
'start' => DateTimeFormat::local($event['start']),
|
||||
'end' => DateTimeFormat::local($event['finish']),
|
||||
'nofinish' => $event['nofinish'],
|
||||
'desc' => $event['desc'],
|
||||
'location' => $event['location'],
|
||||
'desc' => Strings::escapeHtml($event['desc']),
|
||||
'location' => Strings::escapeHtml($event['location']),
|
||||
'item' => $item,
|
||||
];
|
||||
}, $events);
|
||||
|
|
Loading…
Reference in a new issue