From a0752b1161ca75b23612a3304caf03c355cfd187 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Fri, 2 Dec 2022 19:41:46 -0500
Subject: [PATCH] Escape HTML in event mapping callback

- This prevents arbitrary Javascript from being executed from the calendar view
---
 src/Module/Calendar/Event/Get.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/Module/Calendar/Event/Get.php b/src/Module/Calendar/Event/Get.php
index 9bb86a723..9ed2045f5 100644
--- a/src/Module/Calendar/Event/Get.php
+++ b/src/Module/Calendar/Event/Get.php
@@ -34,6 +34,7 @@ use Friendica\Module\Response;
 use Friendica\Network\HTTPException;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Friendica\Util\Strings;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule
 
 return [
 'id' => $event['id'],
- 'title' => $event['summary'],
+ 'title' => Strings::escapeHtml($event['summary']),
 'start' => DateTimeFormat::local($event['start']),
 'end' => DateTimeFormat::local($event['finish']),
 'nofinish' => $event['nofinish'],
- 'desc' => $event['desc'],
- 'location' => $event['location'],
+ 'desc' => Strings::escapeHtml($event['desc']),
+ 'location' => Strings::escapeHtml($event['location']),
 'item' => $item,
 ];
 }, $events);
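Review bot: The escaping is applied inside the array_map callback, so the JSON payload now carries HTML-encoded `title`, `desc` and `location`, and the calendar front end must insert them as markup without escaping again, or an `&` in a title renders as `&amp;`; that contract is not recorded anywhere in the hunk. A comment above `return [` such as `// title/desc/location are HTML-escaped here because the calendar view injects them into the DOM as markup; do not escape again client-side` would pin it for the next maintainer. `$item` is still passed through unescaped: if it is pre-rendered markup that is intended, but if it carries raw user text it has the same exposure the commit fixes for the other three fields, which I cannot tell from the hunk. If `desc` or `location` can be null in the event row, check that `Strings::escapeHtml` accepts null, since a `string` parameter under strict types would throw a TypeError. The enclosing method and the callback's signature begin outside the hunk.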