Skip to content

Commit 737ae01

Browse files
nickvergessennickvergessen
authored
Merge pull request #56962 from nextcloud/backport/56925/stable29
[stable29] fix(dav): handle HTML in CalDAV invitations
2 parents 4eaac9d + ecdcbb4 commit 737ae01

File tree

2 files changed

+33
-20
lines changed

2 files changed

+33
-20
lines changed

apps/dav/lib/CalDAV/Reminder/NotificationProvider/EmailProvider.php

Lines changed: 18 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -165,19 +165,31 @@ private function addBulletList(IEMailTemplate $template,
165165
IL10N $l10n,
166166
string $calendarDisplayName,
167167
VEvent $vevent):void {
168-
$template->addBodyListItem($calendarDisplayName, $l10n->t('Calendar:'),
169-
$this->getAbsoluteImagePath('actions/info.png'));
168+
$template->addBodyListItem(
169+
htmlspecialchars($calendarDisplayName),
170+
$l10n->t('Calendar:'),
171+
$this->getAbsoluteImagePath('actions/info.png'),
172+
htmlspecialchars($calendarDisplayName),
173+
);
170174

171175
$template->addBodyListItem($this->generateDateString($l10n, $vevent), $l10n->t('Date:'),
172176
$this->getAbsoluteImagePath('places/calendar.png'));
173177

174178
if (isset($vevent->LOCATION)) {
175-
$template->addBodyListItem((string) $vevent->LOCATION, $l10n->t('Where:'),
176-
$this->getAbsoluteImagePath('actions/address.png'));
179+
$template->addBodyListItem(
180+
htmlspecialchars((string)$vevent->LOCATION),
181+
$l10n->t('Where:'),
182+
$this->getAbsoluteImagePath('actions/address.png'),
183+
htmlspecialchars((string)$vevent->LOCATION),
184+
);
177185
}
178186
if (isset($vevent->DESCRIPTION)) {
179-
$template->addBodyListItem((string) $vevent->DESCRIPTION, $l10n->t('Description:'),
180-
$this->getAbsoluteImagePath('actions/more.png'));
187+
$template->addBodyListItem(
188+
htmlspecialchars((string)$vevent->DESCRIPTION),
189+
$l10n->t('Description:'),
190+
$this->getAbsoluteImagePath('actions/more.png'),
191+
htmlspecialchars((string)$vevent->DESCRIPTION),
192+
);
181193
}
182194
}
183195

apps/dav/lib/CalDAV/Schedule/IMipService.php

Lines changed: 15 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@
3939
use Sabre\VObject\Parameter;
4040
use Sabre\VObject\Property;
4141
use Sabre\VObject\Recur\EventIterator;
42+
use function htmlspecialchars;
4243

4344
class IMipService {
4445

@@ -99,10 +100,11 @@ private function generateDiffString(VEvent $vevent, VEvent $oldVEvent, string $p
99100
if (!isset($vevent->$property)) {
100101
return $default;
101102
}
102-
$newstring = $vevent->$property->getValue();
103+
$value = $vevent->$property->getValue();
104+
$newstring = $value === null ? null : htmlspecialchars($value);
103105
if(isset($oldVEvent->$property) && $oldVEvent->$property->getValue() !== $newstring) {
104106
$oldstring = $oldVEvent->$property->getValue();
105-
return sprintf($strikethrough, $oldstring, $newstring);
107+
return sprintf($strikethrough, htmlspecialchars($oldstring), $newstring);
106108
}
107109
return $newstring;
108110
}
@@ -114,9 +116,9 @@ private function generateLinkifiedDiffString(VEvent $vevent, VEvent $oldVEvent,
114116
if (!isset($vevent->$property)) {
115117
return $default;
116118
}
117-
/** @var string|null $newString */
118-
$newString = $vevent->$property->getValue();
119-
$oldString = isset($oldVEvent->$property) ? $oldVEvent->$property->getValue() : null;
119+
$value = $vevent->$property->getValue();
120+
$newString = $value === null ? null : htmlspecialchars($value);
121+
$oldString = isset($oldVEvent->$property) ? htmlspecialchars($oldVEvent->$property->getValue()) : null;
120122
if ($oldString !== $newString) {
121123
return sprintf(
122124
"<span style='text-decoration: line-through'>%s</span><br />%s",
@@ -282,11 +284,10 @@ public function buildCancelledBodyData(VEvent $vEvent): array {
282284
$strikethrough = "<span style='text-decoration: line-through'>%s</span>";
283285

284286
$newMeetingWhen = $this->generateWhenString($vEvent);
285-
$newSummary = isset($vEvent->SUMMARY) && (string)$vEvent->SUMMARY !== '' ? (string)$vEvent->SUMMARY : $this->l10n->t('Untitled event');
286-
;
287-
$newDescription = isset($vEvent->DESCRIPTION) && (string)$vEvent->DESCRIPTION !== '' ? (string)$vEvent->DESCRIPTION : $defaultVal;
287+
$newSummary = htmlspecialchars(isset($vEvent->SUMMARY) && (string)$vEvent->SUMMARY !== '' ? (string)$vEvent->SUMMARY : $this->l10n->t('Untitled event'));
288+
$newDescription = htmlspecialchars(isset($vEvent->DESCRIPTION) && (string)$vEvent->DESCRIPTION !== '' ? (string)$vEvent->DESCRIPTION : $defaultVal);
288289
$newUrl = isset($vEvent->URL) && (string)$vEvent->URL !== '' ? sprintf('<a href="%1$s">%1$s</a>', $vEvent->URL) : $defaultVal;
289-
$newLocation = isset($vEvent->LOCATION) && (string)$vEvent->LOCATION !== '' ? (string)$vEvent->LOCATION : $defaultVal;
290+
$newLocation = htmlspecialchars(isset($vEvent->LOCATION) && (string)$vEvent->LOCATION !== '' ? (string)$vEvent->LOCATION : $defaultVal);
290291
$newLocationHtml = $this->linkify($newLocation) ?? $newLocation;
291292

292293
$data = [];
@@ -536,26 +537,26 @@ public function addAttendees(IEMailTemplate $template, VEvent $vevent) {
536537
*/
537538
public function addBulletList(IEMailTemplate $template, VEvent $vevent, $data) {
538539
$template->addBodyListItem(
539-
$data['meeting_title_html'] ?? $data['meeting_title'], $this->l10n->t('Title:'),
540+
$data['meeting_title_html'] ?? htmlspecialchars($data['meeting_title']), $this->l10n->t('Title:'),
540541
$this->getAbsoluteImagePath('caldav/title.png'), $data['meeting_title'], '', IMipPlugin::IMIP_INDENT);
541542
if ($data['meeting_when'] !== '') {
542-
$template->addBodyListItem($data['meeting_when_html'] ?? $data['meeting_when'], $this->l10n->t('Time:'),
543+
$template->addBodyListItem($data['meeting_when_html'] ?? htmlspecialchars($data['meeting_when']), $this->l10n->t('Time:'),
543544
$this->getAbsoluteImagePath('caldav/time.png'), $data['meeting_when'], '', IMipPlugin::IMIP_INDENT);
544545
}
545546
if ($data['meeting_location'] !== '') {
546-
$template->addBodyListItem($data['meeting_location_html'] ?? $data['meeting_location'], $this->l10n->t('Location:'),
547+
$template->addBodyListItem($data['meeting_location_html'] ?? htmlspecialchars($data['meeting_location']), $this->l10n->t('Location:'),
547548
$this->getAbsoluteImagePath('caldav/location.png'), $data['meeting_location'], '', IMipPlugin::IMIP_INDENT);
548549
}
549550
if ($data['meeting_url'] !== '') {
550-
$template->addBodyListItem($data['meeting_url_html'] ?? $data['meeting_url'], $this->l10n->t('Link:'),
551+
$template->addBodyListItem($data['meeting_url_html'] ?? htmlspecialchars($data['meeting_url']), $this->l10n->t('Link:'),
551552
$this->getAbsoluteImagePath('caldav/link.png'), $data['meeting_url'], '', IMipPlugin::IMIP_INDENT);
552553
}
553554

554555
$this->addAttendees($template, $vevent);
555556

556557
/* Put description last, like an email body, since it can be arbitrarily long */
557558
if ($data['meeting_description']) {
558-
$template->addBodyListItem($data['meeting_description_html'] ?? $data['meeting_description'], $this->l10n->t('Description:'),
559+
$template->addBodyListItem($data['meeting_description_html'] ?? htmlspecialchars($data['meeting_description']), $this->l10n->t('Description:'),
559560
$this->getAbsoluteImagePath('caldav/description.png'), $data['meeting_description'], '', IMipPlugin::IMIP_INDENT);
560561
}
561562
}

0 commit comments

Comments
 (0)