extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2024-10-08 19:24:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

do NOT allow / correctly quote html in title, description and location of events

Browse Source
This commit is contained in:
Ralf Becker 2014-11-19 20:11:16 +00:00
parent 558076686f
commit 3b8a7f9e9c
2 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
calendar/inc/class.calendar_bo.inc.php
View File

@ -1585,7 +1585,7 @@ class calendar_bo
{
$status = '('.$lang_status.')';
}
$names[$id] = $this->participant_name($id).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
$names[$id] = html::htmlspecialchars($this->participant_name($id)).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
// add role, if not a regular participant
if ($role != 'REQ-PARTICIPANT')

10
calendar/inc/class.calendar_uiviews.inc.php
View File

@ -569,7 +569,7 @@ class calendar_uiviews extends calendar_ui
$width = $this->time2pos($event['end_m'] - $event['start_m']);
$color = $data['color'] ? $data['color'] : 'gray';
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'"'),$data['tooltip']));
$tooltip = html::htmlspecialchars($data['tooltip'], true); // true=need double-encoding, as it is transported as attribute!
$content .= $indent.'<div class="calendar_plannerEvent'.($data['private'] ? 'Private' : '').
'" data-tooltip ="'.$tooltip .
'" style="position: absolute; left: '.$left.'%; width: '.$width.'%; height: '.
@ -1746,7 +1746,7 @@ class calendar_uiviews extends calendar_ui
}
foreach($part_array as $part_group => $participant)
{
$participants .= $this->add_nonempty($participant,$part_group,True,False);
$participants .= $this->add_nonempty($participant,$part_group,True,False,false);
}
}
// as we only deal with percentual widht, we consider only the full dayview (1 colum) as NOT small
@ -1838,6 +1838,7 @@ class calendar_uiviews extends calendar_ui
$popup = $event['id']."|n";
}
}
$tooltip = html::htmlspecialchars($tooltip, true); // true=need double-encoding, as it is transported as attribute!
//_debug_array($event);
if ($return_array)
@ -1890,7 +1891,6 @@ class calendar_uiviews extends calendar_ui
}
}
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'&quot;'),$tooltip));
if (!$event['whole_day_on_top'] &&
!$event['whole_day'])
{
@ -2000,7 +2000,7 @@ class calendar_uiviews extends calendar_ui
return $icons;
}
function add_nonempty($content,$label,$one_per_line=False,$space = True)
function add_nonempty($content,$label,$one_per_line=False,$space = True,$htmlspecialchars=true)
{
if (is_array($content))
{
@ -2017,7 +2017,7 @@ class calendar_uiviews extends calendar_ui
{
return '<span class="calendar_calEventLabel">'.$label.'</span>:'.
($one_per_line ? '<br>' : ' ').
nl2br(html::htmlspecialchars($content)).'<br>';
nl2br($htmlspecialchars?html::htmlspecialchars($content):$content).'<br>';
}
return '';
}