Commit Graph

11 Commits

Author SHA1 Message Date
Hypolite Petovan 5c5d7eb04f
Fix several vulnerabilities (#13927)
* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event
2024-02-22 06:53:52 +01:00
Hypolite Petovan e67833a784 [frio] Add click card on contact avatars 2019-11-02 12:48:04 -04:00
Hypolite Petovan 787428f68c Remove template escaping for event title 2018-12-24 23:00:35 -05:00
Hypolite Petovan 698d12af79 Unescape variables in events and descriptions 2018-12-16 22:38:32 -05:00
Hypolite Petovan c407fb7963 Avoid escaping relevant template variables 2018-12-16 22:38:32 -05:00
Hypolite Petovan 2241ba4540 Remove uses of HTML escaping in Smarty templates 2018-12-16 22:38:30 -05:00
Michael 6682114069 Fix: The event name mustn't be escaped, since it can contain converted BBCode 2018-12-02 22:35:39 +00:00
Michael 4f9f86e310 We are now escaping many template fields 2018-11-25 18:56:26 +00:00
rabuzarus 184bfc722d fix #3812 - some brocken parts in the display of events (default template) 2017-10-19 14:16:39 +02:00
rabuzarus 7ddc5339fd frio: fix event seperator 2017-10-18 20:44:29 +02:00
rabuzarus 553428d1b1 event items are now more themeable in the networkstream.
The event description stays the same - but the theme developer can provide an template how the other event data should be organized and look
2017-10-13 19:42:27 +02:00