extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2024-10-06 02:02:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

do NOT allow / correctly quote html in title, description and location of events

Browse Source
This commit is contained in:
Ralf Becker 2014-11-19 20:10:07 +00:00
parent a885057213
commit c738952af8
2 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
calendar/inc/class.calendar_bo.inc.php
View File

@ -1585,7 +1585,7 @@ class calendar_bo
{
$status = '('.$lang_status.')';
}
$names[$id] = $this->participant_name($id).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
$names[$id] = html::htmlspecialchars($this->participant_name($id)).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
// add role, if not a regular participant
if ($role != 'REQ-PARTICIPANT')
@ -1827,7 +1827,7 @@ class calendar_bo
}
return $this->cached_holidays[$year];
}
/**
* Get translated calendar event fields, presenting as link title options
*
@ -1847,7 +1847,7 @@ class calendar_bo
);
return $options;
}
/**
* get title for an event identified by $event
*
@ -1886,7 +1886,7 @@ class calendar_bo
foreach ($event[$val] as $key => $value)
{
$extra_fields [$val] = accounts::id2name($key, 'account_fullname');
}
}
break;
case 'modifier':
case 'creator':

14
calendar/inc/class.calendar_uiviews.inc.php
View File

@ -569,7 +569,7 @@ class calendar_uiviews extends calendar_ui
$width = $this->time2pos($event['end_m'] - $event['start_m']);
$color = $data['color'] ? $data['color'] : 'gray';
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'"'),$data['tooltip']));
$tooltip = html::htmlspecialchars($data['tooltip'], true); // true=need double-encoding, as it is transported as attribute!
$content .= $indent.'<div class="calendar_plannerEvent'.($data['private'] ? 'Private' : '').
'" data-tooltip ="'.$tooltip .
'" style="position: absolute; left: '.$left.'%; width: '.$width.'%; height: '.
@ -1749,7 +1749,7 @@ class calendar_uiviews extends calendar_ui
}
foreach($part_array as $part_group => $participant)
{
$participants .= $this->add_nonempty($participant,$part_group,True,False);
$participants .= $this->add_nonempty($participant,$part_group,True,False,false);
}
}
// as we only deal with percentual widht, we consider only the full dayview (1 colum) as NOT small
@ -1818,7 +1818,7 @@ class calendar_uiviews extends calendar_ui
{
$tpl->set_var('bodydescription', !$is_private ? nl2br(html::htmlspecialchars($event['description'])) : '');
}
$tooltip = $tpl->fp('tooltip','event_tooltip');
$html = $tpl->fp('out',$block);
@ -1841,6 +1841,7 @@ class calendar_uiviews extends calendar_ui
$popup = $event['id']."|n";
}
}
$tooltip = html::htmlspecialchars($tooltip, true); // true=need double-encoding, as it is transported as attribute!
//_debug_array($event);
if ($return_array)
@ -1893,7 +1894,6 @@ class calendar_uiviews extends calendar_ui
}
}
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'&quot;'),$tooltip));
if (!$event['whole_day_on_top'] &&
!$event['whole_day'])
{
@ -2003,7 +2003,7 @@ class calendar_uiviews extends calendar_ui
return $icons;
}
function add_nonempty($content,$label,$one_per_line=False,$space = True)
function add_nonempty($content,$label,$one_per_line=False,$space = True,$htmlspecialchars=true)
{
if (is_array($content))
{
@ -2020,7 +2020,7 @@ class calendar_uiviews extends calendar_ui
{
return '<span class="calendar_calEventLabel">'.$label.'</span>:'.
($one_per_line ? '<br>' : ' ').
nl2br(html::htmlspecialchars($content)).'<br>';
nl2br($htmlspecialchars?html::htmlspecialchars($content):$content).'<br>';
}
return '';
}
@ -2290,7 +2290,7 @@ class calendar_uiviews extends calendar_ui
asort($users);
asort($resources);
}
return $users+$resources;
}