Merge pull request #56961 from nextcloud/backport/56925/stable28
[stable28] fix(dav): handle HTML in CalDAV invitations
@@ -165,19 +165,31 @@ class EmailProvider extends AbstractProvider {
|
||||
IL10N $l10n,
|
||||
string $calendarDisplayName,
|
||||
VEvent $vevent):void {
|
||||
$template->addBodyListItem($calendarDisplayName, $l10n->t('Calendar:'),
|
||||
$this->getAbsoluteImagePath('actions/info.png'));
|
||||
$template->addBodyListItem(
|
||||
htmlspecialchars($calendarDisplayName),
|
||||
$l10n->t('Calendar:'),
|
||||
$this->getAbsoluteImagePath('actions/info.png'),
|
||||
htmlspecialchars($calendarDisplayName),
|
||||
);
|
||||
|
||||
$template->addBodyListItem($this->generateDateString($l10n, $vevent), $l10n->t('Date:'),
|
||||
$this->getAbsoluteImagePath('places/calendar.png'));
|
||||
|
||||
if (isset($vevent->LOCATION)) {
|
||||
$template->addBodyListItem((string) $vevent->LOCATION, $l10n->t('Where:'),
|
||||
$this->getAbsoluteImagePath('actions/address.png'));
|
||||
$template->addBodyListItem(
|
||||
htmlspecialchars((string)$vevent->LOCATION),
|
||||
$l10n->t('Where:'),
|
||||
$this->getAbsoluteImagePath('actions/address.png'),
|
||||
htmlspecialchars((string)$vevent->LOCATION),
|
||||
);
|
||||
}
|
||||
if (isset($vevent->DESCRIPTION)) {
|
||||
$template->addBodyListItem((string) $vevent->DESCRIPTION, $l10n->t('Description:'),
|
||||
$this->getAbsoluteImagePath('actions/more.png'));
|
||||
$template->addBodyListItem(
|
||||
htmlspecialchars((string)$vevent->DESCRIPTION),
|
||||
$l10n->t('Description:'),
|
||||
$this->getAbsoluteImagePath('actions/more.png'),
|
||||
htmlspecialchars((string)$vevent->DESCRIPTION),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
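Review bot: The fourth argument of each rewritten `addBodyListItem()` call receives the escaped string as well, for example `htmlspecialchars($calendarDisplayName)` appears twice in the first call. In `IMipService::addBulletList` on this page the fourth argument is the raw value (`$data['meeting_title']`), which suggests that parameter is the plain-text alternative of the mail. If so, plain-text readers would see entities such as `&amp;` or `&lt;` in calendar names, locations and descriptions. I would pass the unescaped values there: `$calendarDisplayName`, `(string)$vevent->LOCATION` and `(string)$vevent->DESCRIPTION`. The method's signature starts above the hunk, so the parameter's meaning should be confirmed against the template interface.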
@@ -39,6 +39,7 @@ use Sabre\VObject\ITip\Message;
|
||||
use Sabre\VObject\Parameter;
|
||||
use Sabre\VObject\Property;
|
||||
use Sabre\VObject\Recur\EventIterator;
|
||||
use function htmlspecialchars;
|
||||
|
||||
class IMipService {
|
||||
|
||||
@@ -99,10 +100,11 @@ class IMipService {
|
||||
if (!isset($vevent->$property)) {
|
||||
return $default;
|
||||
}
|
||||
$newstring = $vevent->$property->getValue();
|
||||
$value = $vevent->$property->getValue();
|
||||
$newstring = $value === null ? null : htmlspecialchars($value);
|
||||
if(isset($oldVEvent->$property) && $oldVEvent->$property->getValue() !== $newstring) {
|
||||
$oldstring = $oldVEvent->$property->getValue();
|
||||
return sprintf($strikethrough, $oldstring, $newstring);
|
||||
return sprintf($strikethrough, htmlspecialchars($oldstring), $newstring);
|
||||
}
|
||||
return $newstring;
|
||||
}
|
||||
@@ -114,9 +116,9 @@ class IMipService {
|
||||
if (!isset($vevent->$property)) {
|
||||
return $default;
|
||||
}
|
||||
/** @var string|null $newString */
|
||||
$newString = $vevent->$property->getValue();
|
||||
$oldString = isset($oldVEvent->$property) ? $oldVEvent->$property->getValue() : null;
|
||||
$value = $vevent->$property->getValue();
|
||||
$newString = $value === null ? null : htmlspecialchars($value);
|
||||
$oldString = isset($oldVEvent->$property) ? htmlspecialchars($oldVEvent->$property->getValue()) : null;
|
||||
if ($oldString !== $newString) {
|
||||
return sprintf(
|
||||
"<span style='text-decoration: line-through'>%s</span><br />%s",
|
||||
@@ -282,11 +284,10 @@ class IMipService {
|
||||
$strikethrough = "<span style='text-decoration: line-through'>%s</span>";
|
||||
|
||||
$newMeetingWhen = $this->generateWhenString($vEvent);
|
||||
$newSummary = isset($vEvent->SUMMARY) && (string)$vEvent->SUMMARY !== '' ? (string)$vEvent->SUMMARY : $this->l10n->t('Untitled event');
|
||||
;
|
||||
$newDescription = isset($vEvent->DESCRIPTION) && (string)$vEvent->DESCRIPTION !== '' ? (string)$vEvent->DESCRIPTION : $defaultVal;
|
||||
$newSummary = htmlspecialchars(isset($vEvent->SUMMARY) && (string)$vEvent->SUMMARY !== '' ? (string)$vEvent->SUMMARY : $this->l10n->t('Untitled event'));
|
||||
$newDescription = htmlspecialchars(isset($vEvent->DESCRIPTION) && (string)$vEvent->DESCRIPTION !== '' ? (string)$vEvent->DESCRIPTION : $defaultVal);
|
||||
$newUrl = isset($vEvent->URL) && (string)$vEvent->URL !== '' ? sprintf('<a href="%1$s">%1$s</a>', $vEvent->URL) : $defaultVal;
|
||||
$newLocation = isset($vEvent->LOCATION) && (string)$vEvent->LOCATION !== '' ? (string)$vEvent->LOCATION : $defaultVal;
|
||||
$newLocation = htmlspecialchars(isset($vEvent->LOCATION) && (string)$vEvent->LOCATION !== '' ? (string)$vEvent->LOCATION : $defaultVal);
|
||||
$newLocationHtml = $this->linkify($newLocation) ?? $newLocation;
|
||||
|
||||
$data = [];
|
||||
@@ -536,18 +537,18 @@ class IMipService {
|
||||
*/
|
||||
public function addBulletList(IEMailTemplate $template, VEvent $vevent, $data) {
|
||||
$template->addBodyListItem(
|
||||
$data['meeting_title_html'] ?? $data['meeting_title'], $this->l10n->t('Title:'),
|
||||
$data['meeting_title_html'] ?? htmlspecialchars($data['meeting_title']), $this->l10n->t('Title:'),
|
||||
$this->getAbsoluteImagePath('caldav/title.png'), $data['meeting_title'], '', IMipPlugin::IMIP_INDENT);
|
||||
if ($data['meeting_when'] !== '') {
|
||||
$template->addBodyListItem($data['meeting_when_html'] ?? $data['meeting_when'], $this->l10n->t('Time:'),
|
||||
$template->addBodyListItem($data['meeting_when_html'] ?? htmlspecialchars($data['meeting_when']), $this->l10n->t('Time:'),
|
||||
$this->getAbsoluteImagePath('caldav/time.png'), $data['meeting_when'], '', IMipPlugin::IMIP_INDENT);
|
||||
}
|
||||
if ($data['meeting_location'] !== '') {
|
||||
$template->addBodyListItem($data['meeting_location_html'] ?? $data['meeting_location'], $this->l10n->t('Location:'),
|
||||
$template->addBodyListItem($data['meeting_location_html'] ?? htmlspecialchars($data['meeting_location']), $this->l10n->t('Location:'),
|
||||
$this->getAbsoluteImagePath('caldav/location.png'), $data['meeting_location'], '', IMipPlugin::IMIP_INDENT);
|
||||
}
|
||||
if ($data['meeting_url'] !== '') {
|
||||
$template->addBodyListItem($data['meeting_url_html'] ?? $data['meeting_url'], $this->l10n->t('Link:'),
|
||||
$template->addBodyListItem($data['meeting_url_html'] ?? htmlspecialchars($data['meeting_url']), $this->l10n->t('Link:'),
|
||||
$this->getAbsoluteImagePath('caldav/link.png'), $data['meeting_url'], '', IMipPlugin::IMIP_INDENT);
|
||||
}
|
||||
|
||||
@@ -555,7 +556,7 @@ class IMipService {
|
||||
|
||||
/* Put description last, like an email body, since it can be arbitrarily long */
|
||||
if ($data['meeting_description']) {
|
||||
$template->addBodyListItem($data['meeting_description_html'] ?? $data['meeting_description'], $this->l10n->t('Description:'),
|
||||
$template->addBodyListItem($data['meeting_description_html'] ?? htmlspecialchars($data['meeting_description']), $this->l10n->t('Description:'),
|
||||
$this->getAbsoluteImagePath('caldav/description.png'), $data['meeting_description'], '', IMipPlugin::IMIP_INDENT);
|
||||
}
|
||||
}
|
||||
|
||||
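Review bot: The `$newUrl` line in the `-282,11` hunk is left unescaped: `sprintf('<a href="%1$s">%1$s</a>', $vEvent->URL)` puts the event's URL property into both the `href` attribute and the link text, while SUMMARY, DESCRIPTION and LOCATION next to it are now wrapped in `htmlspecialchars()`. If `$newUrl` feeds `meeting_url_html` (not visible in this hunk), `addBulletList` hands it to the template as-is, so I would escape it the same way: `sprintf('<a href="%1$s">%1$s</a>', htmlspecialchars((string)$vEvent->URL))`. Escaping does not constrain the scheme, so checking that the value is an http(s) URL before building the anchor may also be worth adding. Separately, in the `-99,10` hunk the comparison `$oldVEvent->$property->getValue() !== $newstring` now compares a raw old value with an escaped new one, so an unchanged value containing `&` or `<` would be rendered as a change; comparing against `$value` avoids that. Both functions start or end outside their hunks.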