From 7906b4924c2dc3727c3540682f432ebbb93f810d Mon Sep 17 00:00:00 2001
From: Craig Knudsen <craig@k5n.us>
Date: Fri, 13 Jan 2023 09:30:42 -0500
Subject: [PATCH] Security fix: Location event field XSS - CWE-79: Cross-site
 Scripting (XSS) - Stored - The location field was not being properly escaped
 when presented in   a number of views, allowing malicious script to run on
 the user's   browser.

---
 includes/functions.php | 2 +-
 view_entry.php         | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/functions.php b/includes/functions.php
index 28e111c51..7c8572abd 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -6220,7 +6220,7 @@ function build_entry_popup ( $popupid, $user, $description, $time,
    . ( strlen ( $time )
     ? '<dt>' . translate ( 'Time' ) . ":</dt>\n<dd>$time</dd>\n" : '' )
    . ( ! empty ( $location ) && $details
-    ? '<dt>' . translate ( 'Location' ) . ":</dt>\n<dd> $location</dd>\n" : '' )
+    ? '<dt>' . translate ( 'Location' ) . ":</dt>\n<dd>" . htmlspecialchars($location) . "</dd>\n" : '' )
    . ( ! empty ( $reminder ) && $details
     ? '<dt>' . translate ( 'Send Reminder' ) . ":</dt>\n<dd> $reminder</dd>\n" : '' );
 
diff --git a/view_entry.php b/view_entry.php
index 20bc4f4a9..e6dd59234 100644
--- a/view_entry.php
+++ b/view_entry.php
@@ -419,8 +419,8 @@
 echo '</div><div class="w-100"></div></div>' . "\n";
 
 if ($DISABLE_LOCATION_FIELD != 'Y' && !empty($location)) {
-echo '<div class="row"><div class="col-3">' . translate('Description') . "</div>\n";
-echo '<div class="col-9">'  . $location . "</div>\n";
+echo '<div class="row"><div class="col-3">' . translate('Location') . "</div>\n";
+echo '<div class="col-9">'  . htmlentities($location) . "</div>\n";
 echo '<div class="w-100"></div></div>' . "\n";
 }