From 28b8fc9896c49eae50cea45620ba66bff9745e88 Mon Sep 17 00:00:00 2001
From: Stevani Andolo
Date: Wed, 1 May 2024 20:07:33 +0800
Subject: [PATCH] MDL-81412 calendar: Sanitise calendar event names
---
 calendar/lib.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/calendar/lib.php b/calendar/lib.php
index f582ea3751d..ca490817941 100644
--- a/calendar/lib.php
+++ b/calendar/lib.php
@@ -3555,6 +3555,18 @@ function calendar_get_view(\calendar_information $calendar, $view, $includenavig
 }
 }
+ // Check if $data has events.
+ if (isset($data->events)) {
+ // Let's check and sanitize all "name" in $data->events before it's sent to front end.
+ foreach ($data->events as $d) {
+ $name = $d->name ?? null;
+ // Encode special characters if our decoded name does not match the original name.
+ if ($name && (html_entity_decode($name) !== $name)) {
+ $d->name = htmlspecialchars(html_entity_decode($name), ENT_QUOTES, 'utf-8');
+ }
+ }
+ }
+
 return [$data, $template];
 }
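Review bot: Both `html_entity_decode($name)` calls in the added loop rely on the default flags, which changed in PHP 8.1 from `ENT_COMPAT` to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`, while the re-encode passes `ENT_QUOTES` explicitly. If this branch still runs on an older PHP, a name containing `&#039;` would not be decoded and would come out double-encoded as `&amp;#039;`. Decoding once with matching flags avoids that and the repeated call: `$decoded = html_entity_decode($name, ENT_QUOTES, 'UTF-8');` followed by `if ($decoded !== $name) { $d->name = htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8'); }`. Separately, the `!==` guard passes a name with no entities through unchanged, so a raw `<` or `"` in an event name is only safe if it is cleaned or escaped elsewhere; a comment naming where that happens would make the assumption checkable. The body of calendar_get_view starts outside the hunk, so whether that earlier cleaning exists cannot be confirmed from the visible lines.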