fix html injection

2023-03-03 17:55:18 +01:00
parent 777e3ec008
commit c341d340e6
1 changed files with 8 additions and 2 deletions
--- a/templates/calendar/user.html.twig
+++ b/templates/calendar/user.html.twig
@@ -180,6 +180,13 @@
        {
            const escaper = kimai.getPlugin('escape');

+            let tags = '';
+            if (eventObj.tags !== null && eventObj.tags.length > 0) {
+                for (let tag of eventObj.tags) {
+                    tags += '<span class="badge bg-green">' + escaper.escapeForHtml(tag) + '</span>';
+                }
+            }
+
            return '<div class="calendar-entry">' +
                    '<ul>' +
                        '<li>' + '{{ 'label.customer'|trans }}: ' + escaper.escapeForHtml(eventObj.customer) + '</li>' +
@@ -187,8 +194,7 @@
                        '<li>' + '{{ 'label.activity'|trans }}: ' + escaper.escapeForHtml(eventObj.activity) + '</li>' +
                    '</ul>' +
                    (eventObj.description !== null || eventObj.tags.length > 0 ? '<hr>' : '') +
-                    (eventObj.description ? '<p>' + eventObj.description + '</p>' : '') +
-                    (eventObj.tags !== null && eventObj.tags.length > 0 ? '<span class="badge bg-green">' + eventObj.tags.join('</span> <span class="badge bg-green">') + '</span>' : '') +
+                    (eventObj.description ? '<p>' + escaper.escapeForHtml(eventObj.description) + '</p>' : '') + tags +
                '</div>'
            ;
        }