diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 45dbbbf12c0..228ff397607 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -1591,16 +1591,16 @@ class ActionComm extends CommonObject
$tooltip = img_picto('', $this->picto).' '.$langs->trans('Action').'';
if (!empty($this->ref)) {
- $tooltip .= '
'.$langs->trans('Ref').': '.$this->ref;
+ $tooltip .= '
'.$langs->trans('Ref').': '.dol_escape_htmltag($this->ref);
}
if (!empty($label)) {
- $tooltip .= '
'.$langs->trans('Title').': '.$label;
+ $tooltip .= '
'.$langs->trans('Title').': '.dol_escape_htmltag($label);
}
if (!empty($labeltype)) {
- $tooltip .= '
'.$langs->trans('Type').': '.$labeltype;
+ $tooltip .= '
'.$langs->trans('Type').': '.dol_escape_htmltag($labeltype);
}
if (!empty($this->location)) {
- $tooltip .= '
'.$langs->trans('Location').': '.$this->location;
+ $tooltip .= '
'.$langs->trans('Location').': '.dol_escape_htmltag($this->location);
}
if (isset($this->transparency)) {
$tooltip .= '
'.$langs->trans('Busy').': '.yn($this->transparency);
@@ -1609,7 +1609,7 @@ class ActionComm extends CommonObject
$langs->load("mails");
$tooltip .= '
';
//$tooltip .= '
'.img_picto('', 'email').' '.$langs->trans("Email").'';
- $tooltip .= '
'.$langs->trans('MailTopic').': '.$this->email_subject;
+ $tooltip .= '
'.$langs->trans('MailTopic').': '.dol_escape_htmltag($this->email_subject);
$tooltip .= '
'.$langs->trans('MailFrom').': '.str_replace(array('<', '>'), array('<', '>'), $this->email_from);
$tooltip .= '
'.$langs->trans('MailTo').': '.str_replace(array('<', '>'), array('<', '>'), $this->email_to);
if (!empty($this->email_tocc)) {
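Review bot: The MailFrom and MailTo lines right below the changed MailTopic line still rely on a hand-rolled str_replace of the angle brackets, which leaves `&` and quote characters in `$this->email_from` / `$this->email_to` unescaped in the tooltip and is inconsistent with the dol_escape_htmltag() call the hunk introduces one line above. Using the same helper keeps the whole tooltip escaped by one function: `'.$langs->trans('MailFrom').': '.dol_escape_htmltag($this->email_from);` and likewise for `$this->email_to`. The email_tocc branch that starts on the last context line presumably has the same pattern; it continues outside the hunk, as does the enclosing method.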
@@ -1697,7 +1697,7 @@ class ActionComm extends CommonObject
if ($withpicto) {
$result .= img_object(($notooltip ? '' : $langs->trans("ShowAction").': '.$label), ($overwritepicto ? $overwritepicto : 'action'), (($this->type_color && $overwritepicto) ? 'style="color: #'.$this->type_color.' !important;" ' : '').($notooltip ? 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'"' : 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'classfortooltip"'), 0, 0, $notooltip ? 0 : 1);
}
- $result .= $labelshort;
+ $result .= dol_escape_htmltag($labelshort);
$result .= $linkend;
global $action;
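Review bot: `$labelshort` is now escaped before being appended, but `$label`, passed as the title of img_object() on the line with `$langs->trans("ShowAction").': '.$label`, is still concatenated raw; if img_object() does not escape its title argument internally (not visible here), the same value reaches the picto's title attribute unescaped while the visible text is escaped. If that is the case the fix is `($notooltip ? '' : $langs->trans("ShowAction").': '.dol_escape_htmltag($label))`. How `$label` and `$labelshort` are built is outside the hunk, and the enclosing method continues past it.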
diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index f46b0adc3cb..bfb5ca991b9 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -1272,9 +1272,9 @@ if (count($listofextcals)) {
$event->datef = $dateend + $usertime;
if ($icalevent['SUMMARY']) {
- $event->label = $icalevent['SUMMARY'];
+ $event->label = dol_string_nohtmltag($icalevent['SUMMARY']);
} elseif ($icalevent['DESCRIPTION']) {
- $event->label = dol_nl2br($icalevent['DESCRIPTION'], 1);
+ $event->label = dol_nl2br(dol_string_nohtmltag($icalevent['DESCRIPTION']), 1);
} else {
$event->label = $langs->trans("ExtSiteNoLabel");
}
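Review bot: In the DESCRIPTION branch, dol_string_nohtmltag() strips the tags but the surrounding dol_nl2br() then re-inserts `<br>` markup into `$event->label`, and this same commit wraps `$event->label` in dol_escape_htmltag() in show_day_events() (the hunk at line 1985), so those line breaks would presumably render as literal `&lt;br&gt;` text unless that escape call lets `br` through. Storing the plain stripped text here, `$event->label = dol_string_nohtmltag($icalevent['DESCRIPTION']);`, and applying any nl2br at output time keeps the stored label free of markup. Separately, `if ($icalevent['SUMMARY'])` and the elseif use bare truthiness, so a missing key raises an undefined-index notice and a summary of `"0"` is skipped; `!empty($icalevent['SUMMARY'])` avoids both.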
@@ -1985,7 +1985,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
// Show title
$titletoshow = $daterange;
- $titletoshow .= ($titletoshow ? ' ' : '').($event->label ? $event->label : $event->libelle);
+ $titletoshow .= ($titletoshow ? ' ' : '').dol_escape_htmltag($event->label ? $event->label : $event->libelle);
if ($event->type_code != 'ICALEVENT') {
$savlabel = $event->label ? $event->label : $event->libelle;