Security fix: Location event field XSS

- CWE-79: Cross-site Scripting (XSS) - Stored - The location field was not being properly escaped when presented in a number of views, allowing malicious script to run on the user's browser.
craigk5n · Jan 13, 2023 · 7906b49 · 7906b49
1 parent b3c4f4f
commit 7906b49
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/includes/functions.php b/includes/functions.php
@@ -6220,7 +6220,7 @@ function build_entry_popup ( $popupid, $user, $description, $time,
    . ( strlen ( $time )
     ? '<dt>' . translate ( 'Time' ) . ":</dt>\n<dd>$time</dd>\n" : '' )
    . ( ! empty ( $location ) && $details
-    ? '<dt>' . translate ( 'Location' ) . ":</dt>\n<dd> $location</dd>\n" : '' )
+    ? '<dt>' . translate ( 'Location' ) . ":</dt>\n<dd>" . htmlspecialchars($location) . "</dd>\n" : '' )
    . ( ! empty ( $reminder ) && $details
     ? '<dt>' . translate ( 'Send Reminder' ) . ":</dt>\n<dd> $reminder</dd>\n" : '' );
 

diff --git a/view_entry.php b/view_entry.php
@@ -419,8 +419,8 @@
 echo '</div><div class="w-100"></div></div>' . "\n";
 
 if ($DISABLE_LOCATION_FIELD != 'Y' && !empty($location)) {
-echo '<div class="row"><div class="col-3">' . translate('Description') . "</div>\n";
-echo '<div class="col-9">'  . $location . "</div>\n";
+echo '<div class="row"><div class="col-3">' . translate('Location') . "</div>\n";
+echo '<div class="col-9">'  . htmlentities($location) . "</div>\n";
 echo '<div class="w-100"></div></div>' . "\n";
 }