do NOT allow / correctly quote html in title, description and location of events
parent
558076686f
commit
3b8a7f9e9c
@ -1585,7 +1585,7 @@ class calendar_bo
|
||||
{
|
||||
$status = '('.$lang_status.')';
|
||||
}
|
||||
$names[$id] = $this->participant_name($id).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
|
||||
$names[$id] = html::htmlspecialchars($this->participant_name($id)).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
|
||||
|
||||
// add role, if not a regular participant
|
||||
if ($role != 'REQ-PARTICIPANT')
|
||||
@ -1827,7 +1827,7 @@ class calendar_bo
|
||||
}
|
||||
return $this->cached_holidays[$year];
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get translated calendar event fields, presenting as link title options
|
||||
*
|
||||
@ -1847,7 +1847,7 @@ class calendar_bo
|
||||
);
|
||||
return $options;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* get title for an event identified by $event
|
||||
*
|
||||
@ -1886,7 +1886,7 @@ class calendar_bo
|
||||
foreach ($event[$val] as $key => $value)
|
||||
{
|
||||
$extra_fields [$val] = accounts::id2name($key, 'account_fullname');
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 'modifier':
|
||||
case 'creator':
|
||||
|
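Review bot: The escaping added on the `$names[$id]` line covers only the participant name; `$status`, built two lines above from `$lang_status`, and the role handling that starts at the end of the hunk are concatenated raw, so the line is safe only if those values come from translation tables rather than from event data — worth confirming where `$lang_status` and `$role` originate. Escaping inside calendar_bo also fixes this method's return value to an HTML context; any caller that prints the participant list as plain text (notifications, exports) would now receive entity-encoded names, so the contract should be stated in the method's docblock, e.g. `@return array id => html-escaped participant name plus status/role suffix`. The enclosing method starts and ends outside the hunk.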
@ -569,7 +569,7 @@ class calendar_uiviews extends calendar_ui
|
||||
$width = $this->time2pos($event['end_m'] - $event['start_m']);
|
||||
$color = $data['color'] ? $data['color'] : 'gray';
|
||||
|
||||
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'"'),$data['tooltip']));
|
||||
$tooltip = html::htmlspecialchars($data['tooltip'], true); // true=need double-encoding, as it is transported as attribute!
|
||||
$content .= $indent.'<div class="calendar_plannerEvent'.($data['private'] ? 'Private' : '').
|
||||
'" data-tooltip ="'.$tooltip .
|
||||
'" style="position: absolute; left: '.$left.'%; width: '.$width.'%; height: '.
|
||||
@ -1746,7 +1746,7 @@ class calendar_uiviews extends calendar_ui
|
||||
}
|
||||
foreach($part_array as $part_group => $participant)
|
||||
{
|
||||
$participants .= $this->add_nonempty($participant,$part_group,True,False);
|
||||
$participants .= $this->add_nonempty($participant,$part_group,True,False,false);
|
||||
}
|
||||
}
|
||||
// as we only deal with percentual widht, we consider only the full dayview (1 colum) as NOT small
|
||||
@ -1815,7 +1815,7 @@ class calendar_uiviews extends calendar_ui
|
||||
{
|
||||
$tpl->set_var('bodydescription', !$is_private ? nl2br(html::htmlspecialchars($event['description'])) : '');
|
||||
}
|
||||
|
||||
|
||||
$tooltip = $tpl->fp('tooltip','event_tooltip');
|
||||
$html = $tpl->fp('out',$block);
|
||||
|
||||
@ -1838,6 +1838,7 @@ class calendar_uiviews extends calendar_ui
|
||||
$popup = $event['id']."|n";
|
||||
}
|
||||
}
|
||||
$tooltip = html::htmlspecialchars($tooltip, true); // true=need double-encoding, as it is transported as attribute!
|
||||
//_debug_array($event);
|
||||
|
||||
if ($return_array)
|
||||
@ -1890,7 +1891,6 @@ class calendar_uiviews extends calendar_ui
|
||||
|
||||
}
|
||||
}
|
||||
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'"'),$tooltip));
|
||||
if (!$event['whole_day_on_top'] &&
|
||||
!$event['whole_day'])
|
||||
{
|
||||
@ -2000,7 +2000,7 @@ class calendar_uiviews extends calendar_ui
|
||||
return $icons;
|
||||
}
|
||||
|
||||
function add_nonempty($content,$label,$one_per_line=False,$space = True)
|
||||
function add_nonempty($content,$label,$one_per_line=False,$space = True,$htmlspecialchars=true)
|
||||
{
|
||||
if (is_array($content))
|
||||
{
|
||||
@ -2017,7 +2017,7 @@ class calendar_uiviews extends calendar_ui
|
||||
{
|
||||
return '<span class="calendar_calEventLabel">'.$label.'</span>:'.
|
||||
($one_per_line ? '<br>' : ' ').
|
||||
nl2br(html::htmlspecialchars($content)).'<br>';
|
||||
nl2br($htmlspecialchars?html::htmlspecialchars($content):$content).'<br>';
|
||||
}
|
||||
return '';
|
||||
}
|
||||
|
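Review bot: The participants line in the `-1746` hunk now passes `false` as the fifth argument of add_nonempty, so `$participant` is emitted unescaped and correctness rests on calendar_bo having escaped each name in the same commit; nothing at the call site records that coupling, so either side can later change without the other noticing. Suggest `// participant names arrive html-escaped from calendar_bo; do not escape twice` on that call, and in the `-2000` hunk a docblock on add_nonempty stating that `$htmlspecialchars=false` makes the caller responsible for escaping `$content`. The tooltip lines in the `-569` and `-1838` hunks match their "double-encoding" comment only if the second parameter of `html::htmlspecialchars` really selects double encoding — the native function's equivalent flag is its fourth parameter — so that is worth verifying against the html class.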