From 08050020861230ff96a6507b309cc172a9e70af8 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Fri, 16 Sep 2022 11:59:48 -0500
Subject: [PATCH] Fix scheduled maintenance xss (#14360)
Fix for fields title, notes, and maybe recurring_day. Other fields can't store html.
https://huntr.dev/bounties/bcb6ee68-1452-4fdb-932a-f1031d10984f/
---
 app/Http/Controllers/Table/AlertScheduleController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/Table/AlertScheduleController.php b/app/Http/Controllers/Table/AlertScheduleController.php
index 0285ce24d8d3..d636de714ca7 100644
--- a/app/Http/Controllers/Table/AlertScheduleController.php
+++ b/app/Http/Controllers/Table/AlertScheduleController.php
@@ -65,8 +65,8 @@ protected function sortFields($request)
 public function formatItem($schedule)
 {
 return [
- 'title' => $schedule->title,
- 'notes' => $schedule->notes,
+ 'title' => htmlentities($schedule->title),
+ 'notes' => htmlentities($schedule->notes),
 'id' => $schedule->schedule_id,
 'start' => $schedule->recurring ? '' : $schedule->start->toDateTimeString('minutes'),
 'end' => $schedule->recurring ? '' : $schedule->end->toDateTimeString('minutes'),
@@ -75,7 +75,7 @@ public function formatItem($schedule)
 'end_recurring_dt' => $schedule->recurring ? $schedule->end_recurring_dt : '',
 'end_recurring_hr' => $schedule->recurring ? $schedule->end_recurring_hr : '',
 'recurring' => $schedule->recurring ? __('Yes') : __('No'),
- 'recurring_day' => $schedule->recurring ? implode(',', $schedule->recurring_day) : '',
+ 'recurring_day' => $schedule->recurring ? htmlentities(implode(',', $schedule->recurring_day)) : '',
 'status' => $schedule->status,
 ];
 }
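Review bot: The new `htmlentities()` calls on the title and notes lines rely on the function's default flags, which on PHP versions before 8.1 are ENT_COMPAT | ENT_HTML401 and leave single quotes unescaped, so the encoding is only complete if the table's JavaScript never places these values inside a single-quoted attribute or string. Passing the flags and charset explicitly removes that dependency on the runtime version, e.g. `'title' => htmlspecialchars($schedule->title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),` (or Laravel's `e()` helper, which applies the same flags), and the same applies to the recurring_day line in the second hunk. If notes can be null, passing it to htmlentities() is deprecated since PHP 8.1 and silently yields an empty string, so `$schedule->notes ?? ''` would make that intent explicit. formatItem() is split across both hunks and the enclosing class is outside the diff.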