Security: Agenda: Strictly filter event content

chamilo · Apr 12, 2024 · 42566a0 · 42566a0
1 parent 2b83d15
commit 42566a0
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/main/inc/lib/agenda.lib.php b/main/inc/lib/agenda.lib.php
@@ -274,7 +274,7 @@ public function addEvent(
                 $attributes = [
                     'user' => api_get_user_id(),
                     'title' => $title,
-                    'text' => $content,
+                    'text' => Security::remove_XSS($content),
                     'date' => $start,
                     'enddate' => $end,
                     'all_day' => $allDay,
@@ -320,7 +320,7 @@ public function addEvent(
             case 'course':
                 $attributes = [
                     'title' => $title,
-                    'content' => $content,
+                    'content' => Security::remove_XSS($content),
                     'start_date' => $start,
                     'end_date' => $end,
                     'all_day' => $allDay,
@@ -476,7 +476,7 @@ public function addEvent(
                 if (api_is_platform_admin()) {
                     $attributes = [
                         'title' => $title,
-                        'content' => $content,
+                        'content' => Security::remove_XSS($content),
                         'start_date' => $start,
                         'end_date' => $end,
                         'all_day' => $allDay,
@@ -1876,7 +1876,7 @@ public function get_event($id)
                 if (Database::num_rows($result)) {
                     $event = Database::fetch_array($result, 'ASSOC');
                     $event['description'] = $event['text'];
-                    $event['content'] = $event['text'];
+                    $event['content'] = Security::remove_XSS($event['text'], STUDENT);
                     $event['start_date'] = $event['date'];
                     $event['end_date'] = $event['enddate'];
                 }
@@ -1904,7 +1904,7 @@ public function get_event($id)
                             'agenda_event_invitation_id' => $event->getInvitation()->getId(),
                             'collective' => $event->isCollective(),
                             'description' => $event->getText(),
-                            'content' => $event->getText(),
+                            'content' => Security::remove_XSS($event->getText(), STUDENT),
                             'start_date' => $event->getDate()->format('Y-m-d H:i:s'),
                             'end_date' => $event->getEndDate()->format('Y-m-d H:i:s'),
                         ];
@@ -1919,7 +1919,7 @@ public function get_event($id)
                     $result = Database::query($sql);
                     if (Database::num_rows($result)) {
                         $event = Database::fetch_array($result, 'ASSOC');
-                        $event['description'] = $event['content'];
+                        $event['description'] = Security::remove_XSS($event['content'], STUDENT);
 
                         // Getting send to array
                         $event['send_to'] = $this->getUsersAndGroupSubscribedToEvent(
@@ -1952,7 +1952,7 @@ public function get_event($id)
                 $result = Database::query($sql);
                 if (Database::num_rows($result)) {
                     $event = Database::fetch_array($result, 'ASSOC');
-                    $event['description'] = $event['content'];
+                    $event['description'] = Security::remove_XSS($event['content']);
                 }
                 break;
         }