do NOT allow / correctly quote html in title, description and location of events

Ralf Becker 2014-11-19 20:10:07 +00:00
parent a885057213
commit c738952af8
2 changed files with 11 additions and 11 deletions


@ -1585,7 +1585,7 @@ class calendar_bo
{ {
$status = '('.$lang_status.')'; $status = '('.$lang_status.')';
} }
$names[$id] = $this->participant_name($id).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status; $names[$id] = html::htmlspecialchars($this->participant_name($id)).($quantity > 1 ? ' ('.$quantity.')' : '').' '.$status;
// add role, if not a regular participant // add role, if not a regular participant
if ($role != 'REQ-PARTICIPANT') if ($role != 'REQ-PARTICIPANT')
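Review bot: On the `$names[$id] = ...` line only the participant name is passed through `html::htmlspecialchars()`, while `$status` (built from `$lang_status` two lines above) and the role appended on the following lines are concatenated unescaped, so the result mixes encoded and raw fragments. If `$lang_status` and the role labels are translation constants that is harmless, but nothing on this line says so, and the mix makes it easy to re-introduce the problem later; a comment such as `// participant_name() is user data and must be escaped; $status and role are lang() strings` would make the intent explicit. Escaping inside this method also means every caller now receives HTML-encoded names, so any consumer that writes the result to a non-HTML context (iCal, plain-text notification) would need checking. The enclosing method starts and ends outside the hunk.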
@ -1827,7 +1827,7 @@ class calendar_bo
} }
return $this->cached_holidays[$year]; return $this->cached_holidays[$year];
} }
/** /**
* Get translated calendar event fields, presenting as link title options * Get translated calendar event fields, presenting as link title options
* *
@ -1847,7 +1847,7 @@ class calendar_bo
); );
return $options; return $options;
} }
/** /**
* get title for an event identified by $event * get title for an event identified by $event
* *
@ -1886,7 +1886,7 @@ class calendar_bo
foreach ($event[$val] as $key => $value) foreach ($event[$val] as $key => $value)
{ {
$extra_fields [$val] = accounts::id2name($key, 'account_fullname'); $extra_fields [$val] = accounts::id2name($key, 'account_fullname');
} }
break; break;
case 'modifier': case 'modifier':
case 'creator': case 'creator':


@ -569,7 +569,7 @@ class calendar_uiviews extends calendar_ui
$width = $this->time2pos($event['end_m'] - $event['start_m']); $width = $this->time2pos($event['end_m'] - $event['start_m']);
$color = $data['color'] ? $data['color'] : 'gray'; $color = $data['color'] ? $data['color'] : 'gray';
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'"'),$data['tooltip'])); $tooltip = html::htmlspecialchars($data['tooltip'], true); // true=need double-encoding, as it is transported as attribute!
$content .= $indent.'<div class="calendar_plannerEvent'.($data['private'] ? 'Private' : ''). $content .= $indent.'<div class="calendar_plannerEvent'.($data['private'] ? 'Private' : '').
'" data-tooltip ="'.$tooltip . '" data-tooltip ="'.$tooltip .
'" style="position: absolute; left: '.$left.'%; width: '.$width.'%; height: '. '" style="position: absolute; left: '.$left.'%; width: '.$width.'%; height: '.
@ -1749,7 +1749,7 @@ class calendar_uiviews extends calendar_ui
} }
foreach($part_array as $part_group => $participant) foreach($part_array as $part_group => $participant)
{ {
$participants .= $this->add_nonempty($participant,$part_group,True,False); $participants .= $this->add_nonempty($participant,$part_group,True,False,false);
} }
} }
// as we only deal with percentual widht, we consider only the full dayview (1 colum) as NOT small // as we only deal with percentual widht, we consider only the full dayview (1 colum) as NOT small
@ -1818,7 +1818,7 @@ class calendar_uiviews extends calendar_ui
{ {
$tpl->set_var('bodydescription', !$is_private ? nl2br(html::htmlspecialchars($event['description'])) : ''); $tpl->set_var('bodydescription', !$is_private ? nl2br(html::htmlspecialchars($event['description'])) : '');
} }
$tooltip = $tpl->fp('tooltip','event_tooltip'); $tooltip = $tpl->fp('tooltip','event_tooltip');
$html = $tpl->fp('out',$block); $html = $tpl->fp('out',$block);
@ -1841,6 +1841,7 @@ class calendar_uiviews extends calendar_ui
$popup = $event['id']."|n"; $popup = $event['id']."|n";
} }
} }
$tooltip = html::htmlspecialchars($tooltip, true); // true=need double-encoding, as it is transported as attribute!
//_debug_array($event); //_debug_array($event);
if ($return_array) if ($return_array)
@ -1893,7 +1894,6 @@ class calendar_uiviews extends calendar_ui
} }
} }
$tooltip = html::htmlspecialchars(str_replace(array("\n","\r","'",'"'),array('','',"\\'",'&quot;'),$tooltip));
if (!$event['whole_day_on_top'] && if (!$event['whole_day_on_top'] &&
!$event['whole_day']) !$event['whole_day'])
{ {
@ -2003,7 +2003,7 @@ class calendar_uiviews extends calendar_ui
return $icons; return $icons;
} }
function add_nonempty($content,$label,$one_per_line=False,$space = True) function add_nonempty($content,$label,$one_per_line=False,$space = True,$htmlspecialchars=true)
{ {
if (is_array($content)) if (is_array($content))
{ {
@ -2020,7 +2020,7 @@ class calendar_uiviews extends calendar_ui
{ {
return '<span class="calendar_calEventLabel">'.$label.'</span>:'. return '<span class="calendar_calEventLabel">'.$label.'</span>:'.
($one_per_line ? '<br>' : ' '). ($one_per_line ? '<br>' : ' ').
nl2br(html::htmlspecialchars($content)).'<br>'; nl2br($htmlspecialchars?html::htmlspecialchars($content):$content).'<br>';
} }
return ''; return '';
} }
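Review bot: Passing `false` as the new `$htmlspecialchars` parameter (signature in the `@ -2003` hunk, call site in the `@ -1749` hunk) makes `add_nonempty()` emit `$content` without escaping, so the safety of the participants block now depends on calendar_bo having already escaped every name — a contract that lives in another file and is not stated anywhere in this one. The parameter deserves a docblock line, e.g. `@param boolean $htmlspecialchars=true set to false ONLY if $content is already HTML-escaped (eg. participant names from calendar_bo)`. The `is_array($content)` branch at the top of the function is outside the hunk, so it is not visible whether the flag is honoured on that path as well; worth confirming. `$label` is still concatenated unescaped on the return line, as before.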
@ -2290,7 +2290,7 @@ class calendar_uiviews extends calendar_ui
asort($users); asort($users);
asort($resources); asort($resources);
} }
return $users+$resources; return $users+$resources;
} }