MDL-81412 calendar: Sanitise calendar event names

2025-01-17 13:38:32 +01:00 · 2024-05-01 20:07:33 +08:00 · 2024-05-01 20:07:33 +08:00 · 28b8fc9896
commit 28b8fc9896
parent 836b2c23a2
1 changed files with 12 additions and 0 deletions
--- a/calendar/lib.php
+++ b/calendar/lib.php
@ -3555,6 +3555,18 @@ function calendar_get_view(\calendar_information $calendar, $view, $includenavig
        }
    }

+    // Check if $data has events.
+    if (isset($data->events)) {
+        // Let's check and sanitize all "name" in $data->events before it's sent to front end.
+        foreach ($data->events as $d) {
+            $name = $d->name ?? null;
+            // Encode special characters if our decoded name does not match the original name.
+            if ($name && (html_entity_decode($name) !== $name)) {
+                $d->name = htmlspecialchars(html_entity_decode($name), ENT_QUOTES, 'utf-8');
+            }
+        }
+    }
+
    return [$data, $template];
 }