Escape HTML in event mapping callback

- This prevents arbitrary Javascript from being executed from the calendar view
This commit is contained in:
Hypolite Petovan 2022-12-02 19:41:46 -05:00
parent 2f42606c43
commit a0752b1161

View File

@ -34,6 +34,7 @@ use Friendica\Module\Response;
use Friendica\Network\HTTPException;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Profiler;
use Friendica\Util\Strings;
use Psr\Log\LoggerInterface;
/**
@ -82,12 +83,12 @@ class Get extends \Friendica\BaseModule
return [
'id' => $event['id'],
'title' => $event['summary'],
'title' => Strings::escapeHtml($event['summary']),
'start' => DateTimeFormat::local($event['start']),
'end' => DateTimeFormat::local($event['finish']),
'nofinish' => $event['nofinish'],
'desc' => $event['desc'],
'location' => $event['location'],
'desc' => Strings::escapeHtml($event['desc']),
'location' => Strings::escapeHtml($event['location']),
'item' => $item,
];
}, $events);