Security: Protect agenda events using Security::remove_XSS

jmontoyaa · jmontoyaa · commit 39b316269845 · 2018-10-08T13:24:54.000+02:00
diff --git a/main/inc/lib/agenda.lib.php b/main/inc/lib/agenda.lib.php
@@ -1319,6 +1319,8 @@ public function getEvents(
                 break;
         }
 
+        $this->cleanEvents();
+
         switch ($format) {
             case 'json':
                 if (empty($this->events)) {
@@ -1337,6 +1339,26 @@ public function getEvents(
         }
     }
 
+    /**
+     * Clean events
+     *
+     * @return bool
+     */
+    public function cleanEvents()
+    {
+        if (empty($this->events)) {
+
+            return false;
+        }
+
+        foreach ($this->events as &$event) {
+            $event['description'] = Security::remove_XSS($event['description']);
+            $event['title'] = Security::remove_XSS($event['title']);
+        }
+
+        return true;
+    }
+
     /**
      * @param int $id
      * @param int $minute_delta
