From 56892e32e82bc95409bf30f76de7cbcd517877ea Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 20 Oct 2022 16:45:08 +0200 Subject: [PATCH] FIX #yogosha13195 --- htdocs/comm/action/class/actioncomm.class.php | 12 ++++++------ htdocs/comm/action/index.php | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 45dbbbf12c0..228ff397607 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1591,16 +1591,16 @@ class ActionComm extends CommonObject $tooltip = img_picto('', $this->picto).' '.$langs->trans('Action').''; if (!empty($this->ref)) { - $tooltip .= '
'.$langs->trans('Ref').': '.$this->ref; + $tooltip .= '
'.$langs->trans('Ref').': '.dol_escape_htmltag($this->ref); } if (!empty($label)) { - $tooltip .= '
'.$langs->trans('Title').': '.$label; + $tooltip .= '
'.$langs->trans('Title').': '.dol_escape_htmltag($label); } if (!empty($labeltype)) { - $tooltip .= '
'.$langs->trans('Type').': '.$labeltype; + $tooltip .= '
'.$langs->trans('Type').': '.dol_escape_htmltag($labeltype); } if (!empty($this->location)) { - $tooltip .= '
'.$langs->trans('Location').': '.$this->location; + $tooltip .= '
'.$langs->trans('Location').': '.dol_escape_htmltag($this->location); } if (isset($this->transparency)) { $tooltip .= '
'.$langs->trans('Busy').': '.yn($this->transparency); @@ -1609,7 +1609,7 @@ class ActionComm extends CommonObject $langs->load("mails"); $tooltip .= '
'; //$tooltip .= '
'.img_picto('', 'email').' '.$langs->trans("Email").''; - $tooltip .= '
'.$langs->trans('MailTopic').': '.$this->email_subject; + $tooltip .= '
'.$langs->trans('MailTopic').': '.dol_escape_htmltag($this->email_subject); $tooltip .= '
'.$langs->trans('MailFrom').': '.str_replace(array('<', '>'), array('&lt', '&gt'), $this->email_from); $tooltip .= '
'.$langs->trans('MailTo').': '.str_replace(array('<', '>'), array('&lt', '&gt'), $this->email_to); if (!empty($this->email_tocc)) { @@ -1697,7 +1697,7 @@ class ActionComm extends CommonObject if ($withpicto) { $result .= img_object(($notooltip ? '' : $langs->trans("ShowAction").': '.$label), ($overwritepicto ? $overwritepicto : 'action'), (($this->type_color && $overwritepicto) ? 'style="color: #'.$this->type_color.' !important;" ' : '').($notooltip ? 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'"' : 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'classfortooltip"'), 0, 0, $notooltip ? 0 : 1); } - $result .= $labelshort; + $result .= dol_escape_htmltag($labelshort); $result .= $linkend; global $action; diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index f46b0adc3cb..bfb5ca991b9 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -1272,9 +1272,9 @@ if (count($listofextcals)) { $event->datef = $dateend + $usertime; if ($icalevent['SUMMARY']) { - $event->label = $icalevent['SUMMARY']; + $event->label = dol_string_nohtmltag($icalevent['SUMMARY']); } elseif ($icalevent['DESCRIPTION']) { - $event->label = dol_nl2br($icalevent['DESCRIPTION'], 1); + $event->label = dol_nl2br(dol_string_nohtmltag($icalevent['DESCRIPTION']), 1); } else { $event->label = $langs->trans("ExtSiteNoLabel"); } @@ -1985,7 +1985,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa // Show title $titletoshow = $daterange; - $titletoshow .= ($titletoshow ? ' ' : '').($event->label ? $event->label : $event->libelle); + $titletoshow .= ($titletoshow ? ' ' : '').dol_escape_htmltag($event->label ? $event->label : $event->libelle); if ($event->type_code != 'ICALEVENT') { $savlabel = $event->label ? $event->label : $event->libelle;