Calendar: Bugfix: better input validation
This commit is contained in:
parent
f198296576
commit
92b8f32386
@ -25,7 +25,7 @@ foreach($calendars as $cal){
}
$userid = OC_User::getUser();
$calendarid = OC_Calendar_Calendar::addCalendar($userid, $_POST['name'], 'VEVENT,VTODO,VJOURNAL', null, 0, $_POST['color']);
$calendarid = OC_Calendar_Calendar::addCalendar($userid, htmlspecialchars($_POST['name']), 'VEVENT,VTODO,VJOURNAL', null, 0, $_POST['color']);
OC_Calendar_Calendar::setCalendarActive($calendarid, 1);
$calendar = OC_Calendar_Calendar::find($calendarid);
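Review bot: The new call `$calendarid = OC_Calendar_Calendar::addCalendar($userid, htmlspecialchars($_POST['name']), ...)` applies HTML escaping at the point of storage, so the entity-encoded name is what gets persisted and then served through every other channel (CalDAV, JSON, exports), where `&amp;` is not what the user typed; the `editCalendar` call in the `@ -26,7 +26,7` hunk below has the same problem. Escaping belongs at the HTML output site, while a handler like this one should validate: check `isset($_POST['name'])` and a non-empty, length-bounded string before calling `addCalendar`. `$_POST['color']` is still passed through unchecked although it presumably ends up in markup or CSS; a pattern check such as `preg_match('/^#?[0-9a-fA-F]{6}$/', $_POST['color'])` would reject anything that is not a colour value. The commit title says validation, but the change as written is output encoding applied on input.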
@ -11,8 +11,8 @@ require_once('../../../3rdparty/when/When.php');
function addoutput($event, $vevent, $return_event){
$return_event['id'] = (int)$event['id'];
$return_event['title'] = $event['summary'];
$return_event['description'] = isset($vevent->DESCRIPTION)?$vevent->DESCRIPTION->value:'';
$return_event['title'] = htmlspecialchars($event['summary']);
$return_event['description'] = isset($vevent->DESCRIPTION)?htmlspecialchars($vevent->DESCRIPTION->value):'';
$last_modified = $vevent->__get('LAST-MODIFIED');
if ($last_modified){
$lastmodified = $last_modified->getDateTime()->format('U');
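Review bot: `htmlspecialchars($event['summary'])` and the DESCRIPTION call in `addoutput` rely on the function's defaults, which on PHP older than 8.1 leave single quotes unencoded and on PHP older than 5.4 assume ISO-8859-1, so a value dropped into a single-quoted attribute is still injectable and multibyte text can be mangled; pass them explicitly, `htmlspecialchars($event['summary'], ENT_QUOTES, 'UTF-8')`. More fundamentally, `addoutput` appears to build the JSON payload consumed by the calendar client, and encoding HTML entities into an API response couples it to one renderer — any consumer that sets text rather than HTML shows `&lt;` literally, which is presumably why the JavaScript hunk below has to decode it again. The body of `addoutput` continues past the end of the hunk.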
@ -26,7 +26,7 @@ foreach($calendars as $cal){
$calendarid = $_POST['id'];
$calendar = OC_Calendar_App::getCalendar($calendarid);//access check
OC_Calendar_Calendar::editCalendar($calendarid, $_POST['name'], null, null, null, $_POST['color']);
OC_Calendar_Calendar::editCalendar($calendarid, htmlspecialchars($_POST['name']), null, null, null, $_POST['color']);
OC_Calendar_Calendar::setCalendarActive($calendarid, $_POST['active']);
$calendar = OC_Calendar_App::getCalendar($calendarid);
@ -698,6 +698,7 @@ $(document).ready(function(){
eventDrop: Calendar.UI.moveEvent,
eventResize: Calendar.UI.resizeEvent,
eventRender: function(event, element) {
element.find('span.fc-event-title').html(element.find('span.fc-event-title').text());
element.tipsy({
className: 'tipsy-event',
opacity: 0.9,
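Review bot: The added `element.find('span.fc-event-title').html(element.find('span.fc-event-title').text())` in `eventRender` takes the text the renderer already placed in the DOM and re-injects it as HTML, which is a DOM injection sink: it is only safe while every title arriving from the server has been entity-encoded exactly once, and any path that delivers a raw title (or one escaped twice) breaks that assumption silently. If the intent is to undo the server-side `htmlspecialchars` applied in `addoutput`, the safer arrangement is to send the title unencoded in the JSON and let the renderer's text handling do the escaping, so this line can be dropped. If it has to stay, state the invariant it depends on next to it, e.g. `// title is HTML-escaped once server-side (addoutput); decode one level for display`. The enclosing `$(document).ready(function(){` callback starts and ends outside the hunk.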
@ -2,7 +2,7 @@
<tr>
<th width="75px"><?php echo $l->t("Title");?>:</th>
<td>
<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Title of the Event");?>" value="<?php echo isset($_['title']) ? $_['title'] : '' ?>" maxlength="100" name="title"/>
<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Title of the Event");?>" value="<?php echo isset($_['title']) ? htmlspecialchars($_['title']) : '' ?>" maxlength="100" name="title"/>
</td>
</tr>
</table>
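Review bot: The `value="<?php echo isset($_['title']) ? htmlspecialchars($_['title']) : '' ?>"` expression relies on the default flags and charset of `htmlspecialchars`; before PHP 8.1 the defaults do not encode single quotes and before 5.4 the charset defaults to ISO-8859-1, so spell them out, `htmlspecialchars($_['title'], ENT_QUOTES, 'UTF-8')`, and do the same for the location and description fields in the `@ -207,7 +207,7` and `@ -215,7 +215,7` hunks. The surrounding `placeholder="<?php echo $l->t(...);?>"` output stays unescaped, which is acceptable only as long as translation strings are trusted — worth a one-line comment at the top of the template. Since the same isset-or-empty-then-escape expression now appears three times, a small template helper would keep the flags consistent across them.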
@ -207,7 +207,7 @@
<tr>
<th width="85px"><?php echo $l->t("Location");?>:</th>
<td>
<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Location of the Event");?>" value="<?php echo isset($_['location']) ? $_['location'] : '' ?>" maxlength="100" name="location" />
<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Location of the Event");?>" value="<?php echo isset($_['location']) ? htmlspecialchars($_['location']) : '' ?>" maxlength="100" name="location" />
</td>
</tr>
</table>
@ -215,7 +215,7 @@
<tr>
<th width="85px" style="vertical-align: top;"><?php echo $l->t("Description");?>:</th>
<td>
<textarea style="width:350px;height: 150px;" placeholder="<?php echo $l->t("Description of the Event");?>" name="description"><?php echo isset($_['description']) ? $_['description'] : '' ?></textarea>
<textarea style="width:350px;height: 150px;" placeholder="<?php echo $l->t("Description of the Event");?>" name="description"><?php echo isset($_['description']) ? htmlspecialchars($_['description']) : '' ?></textarea>
</td>
</tr>
</table>