escape data in calendar popover (#2960)

kimai · Nov 19, 2021 · 9470699 · 9470699
1 parent 89bfa82
commit 9470699
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 16 deletions.
diff --git a/assets/js/KimaiLoader.js b/assets/js/KimaiLoader.js
@@ -36,6 +36,7 @@ import KimaiDatePicker from "./plugins/KimaiDatePicker";
 import KimaiConfirmationLink from "./plugins/KimaiConfirmationLink";
 import KimaiMultiUpdateTable from "./plugins/KimaiMultiUpdateTable";
 import KimaiDateUtils from "./plugins/KimaiDateUtils";
+import KimaiEscape from "./plugins/KimaiEscape";
 
 export default class KimaiLoader {
 
@@ -48,6 +49,7 @@ export default class KimaiLoader {
             new KimaiTranslation(translations)
         );
 
+        kimai.registerPlugin(new KimaiEscape());
         kimai.registerPlugin(new KimaiEvent());
         kimai.registerPlugin(new KimaiAPI());
         kimai.registerPlugin(new KimaiAlert());

diff --git a/assets/js/KimaiPlugin.js b/assets/js/KimaiPlugin.js
@@ -71,14 +71,6 @@ export default class KimaiPlugin {
      * @returns {string}
      */
     escape(title) {
-        const tagsToReplace = {
-            '&': '&amp;',
-            '<': '&lt;',
-            '>': '&gt;',
-        };
-
-        return title.replace(/[&<>]/g, function(tag) {
-            return tagsToReplace[tag] || tag;
-        });
+        return this.getPlugin('escape').escapeForHtml(title);
     };
 }
diff --git a/assets/js/plugins/KimaiEscape.js b/assets/js/plugins/KimaiEscape.js
@@ -0,0 +1,35 @@
+/*
+ * This file is part of the Kimai time-tracking app.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+/*!
+ * [KIMAI] KimaiEscape: sanitize strings
+ */
+
+import KimaiPlugin from "../KimaiPlugin";
+
+export default class KimaiEscape extends KimaiPlugin {
+
+    getId() {
+        return 'escape';
+    }
+
+    /**
+     * @param {string} title
+     * @returns {string}
+     */
+    escapeForHtml(title) {
+        const tagsToReplace = {
+            '&': '&amp;',
+            '<': '&lt;',
+            '>': '&gt;',
+        };
+
+        return title.replace(/[&<>]/g, function(tag) {
+            return tagsToReplace[tag] || tag;
+        });
+    };
+}
diff --git a/public/build/app.920ba43e.js b/public/build/app.920ba43e.js
diff --git a/public/build/app.9e8f68cf.js.LICENSE.txt → public/build/app.920ba43e.js.LICENSE.txt b/public/build/app.9e8f68cf.js.LICENSE.txt → public/build/app.920ba43e.js.LICENSE.txt
@@ -91,6 +91,10 @@
  * [KIMAI] KimaiDateUtils: responsible for handling date specific tasks
  */
 
+/*!
+ * [KIMAI] KimaiEscape: sanitize strings
+ */
+
 /*!
  * [KIMAI] KimaiEvent: helper to trigger events
  */

diff --git a/public/build/app.9e8f68cf.js b/public/build/app.9e8f68cf.js
diff --git a/public/build/entrypoints.json b/public/build/entrypoints.json
@@ -3,7 +3,7 @@
     "app": {
       "js": [
         "build/runtime.b8e7bb04.js",
-        "build/app.9e8f68cf.js"
+        "build/app.920ba43e.js"
       ],
       "css": [
         "build/app.3bc2b4d9.css"

diff --git a/public/build/manifest.json b/public/build/manifest.json
@@ -1,6 +1,6 @@
 {
   "build/app.css": "build/app.3bc2b4d9.css",
-  "build/app.js": "build/app.9e8f68cf.js",
+  "build/app.js": "build/app.920ba43e.js",
   "build/invoice.css": "build/invoice.ff32661a.css",
   "build/invoice.js": "build/invoice.19f36eca.js",
   "build/invoice-pdf.css": "build/invoice-pdf.9a7468ef.css",

diff --git a/templates/calendar/user.html.twig b/templates/calendar/user.html.twig
@@ -120,11 +120,13 @@
 
         function renderEventPopoverContent(eventObj)
         {
+            const escaper = kimai.getPlugin('escape');
+
             return '<div class="calendar-entry">' +
                     '<ul>' +
-                        '<li>' + '{{ 'label.customer'|trans }}: ' + eventObj.customer + '</li>' +
-                        '<li>' + '{{ 'label.project'|trans }}: ' + eventObj.project + '</li>' +
-                        '<li>' + '{{ 'label.activity'|trans }}: ' + eventObj.activity + '</li>' +
+                        '<li>' + '{{ 'label.customer'|trans }}: ' + escaper.escapeForHtml(eventObj.customer) + '</li>' +
+                        '<li>' + '{{ 'label.project'|trans }}: ' + escaper.escapeForHtml(eventObj.project) + '</li>' +
+                        '<li>' + '{{ 'label.activity'|trans }}: ' + escaper.escapeForHtml(eventObj.activity) + '</li>' +
                     '</ul>' +
                     (eventObj.description !== null || eventObj.tags.length > 0 ? '<hr>' : '') +
                     (eventObj.description ? '<p>' + eventObj.description + '</p>' : '') +