From ef49e709c8adecc3a83cdc6164a67162991d2213 Mon Sep 17 00:00:00 2001
From: Tobias Krebs
Date: Fri, 7 Oct 2022 02:49:47 +0200
Subject: [PATCH] Fix potential XSS vulnerability, fixes #564
---
 module/Backend/src/Backend/View/Helper/User/UserFormat.php | 4 ++--
 module/Backend/view/backend/booking/edit-choice.phtml | 4 ++--
 module/Backend/view/backend/booking/players.phtml | 4 ++--
 .../Calendar/View/Helper/Cell/Render/FreeForPrivileged.php | 2 +-
 .../View/Helper/Cell/Render/OccupiedForPrivileged.php | 2 +-
 .../Calendar/View/Helper/Cell/Render/OccupiedForVisitors.php | 4 ++--
 module/Frontend/view/frontend/index/userpanel.online.phtml | 4 ++--
 7 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/module/Backend/src/Backend/View/Helper/User/UserFormat.php b/module/Backend/src/Backend/View/Helper/User/UserFormat.php
index c029591e..3a7a5004 100644
--- a/module/Backend/src/Backend/View/Helper/User/UserFormat.php
+++ b/module/Backend/src/Backend/View/Helper/User/UserFormat.php
@@ -28,7 +28,7 @@ public function __invoke(User $user, $search = null)
 $user->need('uid'));
 $html .= sprintf('%s',
- $user->need('alias'));
+ $view->escapeHtml($user->need('alias')));
 $html .= sprintf('%s',
 $view->t($user->getStatus()));
@@ -76,4 +76,4 @@ public function __invoke(User $user, $search = null)
 return $html;
 }
-}
\ No newline at end of file
+}
diff --git a/module/Backend/view/backend/booking/edit-choice.phtml b/module/Backend/view/backend/booking/edit-choice.phtml
index d906f6b8..14117114 100644
--- a/module/Backend/view/backend/booking/edit-choice.phtml
+++ b/module/Backend/view/backend/booking/edit-choice.phtml
@@ -19,11 +19,11 @@ $this->setup(array(
 timeRange($reservation->get('time_start'), $reservation->get('time_end'), '%s to %s') ?>
- t('from') ?> getExtra('booking')->getExtra('user')->get('alias') ?>
+ t('from') ?> escapeHtml($reservation->getExtra('booking')->getExtra('user')->get('alias')) ?>
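Review bot: The alias is now escaped, but the two neighbouring values in the same sprintf chain are still emitted raw: `$user->need('uid')` on the context line above (presumably substituted into a link) and `$view->t($user->getStatus())` on the last context line. The status is probably a fixed set of keys and the uid an integer, but a helper that builds HTML by concatenation should escape every interpolated value so a later change to either field cannot reopen the issue; `$view->escapeHtml($view->t($user->getStatus()))` costs nothing. __invoke() continues well past this hunk (the second hunk is at line 76), and its `$search` parameter suggests further user-derived text is rendered later in the method, which should be checked for the same pattern. A short docblock on __invoke stating that it returns an HTML fragment with all dynamic values already escaped would record the contract this fix now establishes.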

-
\ No newline at end of file
+
diff --git a/module/Backend/view/backend/booking/players.phtml b/module/Backend/view/backend/booking/players.phtml
index b545c686..24b51a37 100644
--- a/module/Backend/view/backend/booking/players.phtml
+++ b/module/Backend/view/backend/booking/players.phtml
@@ -18,7 +18,7 @@ $this->setup(array(
 printf('
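Review bot: The escaped expression uses `get('alias')` while every other hunk in this patch uses `need('alias')`; if `get()` can return null for a missing alias, `$this->escapeHtml()` may reject or misrender a null argument depending on the escaper's signature. Either switch to `need('alias')` for consistency with the other templates, or coalesce: `$this->escapeHtml($reservation->getExtra('booking')->getExtra('user')->get('alias') ?? '')`. The `timeRange(...)` output on the preceding context line stays unescaped; its input is presumably formatted time data rather than user text, so that is likely fine, but worth confirming now that the template otherwise escapes everything user-supplied. The surrounding template markup was lost in this rendering, so the hunk's full 11 lines are not visible here.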

%s %s

', $this->translate('Booked by'), $this->url('backend/user/edit', ['uid' => $this->user->need('uid')]),
- $this->user->need('alias'));
+ $this->escapeHtml($this->user->need('alias')));
 echo '
';
@@ -63,7 +63,7 @@ $this->setup(array(
 $this->translate('User matched by'),
 $this->translate(ucfirst($userMatch)),
 $this->url('backend/user/edit', ['uid' => $user->need('uid')]),
- $user->need('alias'));
+ $this->escapeHtml($user->need('alias')));
 } else {
 echo '';
 }
diff --git a/module/Calendar/src/Calendar/View/Helper/Cell/Render/FreeForPrivileged.php b/module/Calendar/src/Calendar/View/Helper/Cell/Render/FreeForPrivileged.php
index bc2bffb4..520e9feb 100644
--- a/module/Calendar/src/Calendar/View/Helper/Cell/Render/FreeForPrivileged.php
+++ b/module/Calendar/src/Calendar/View/Helper/Cell/Render/FreeForPrivileged.php
@@ -25,7 +25,7 @@ public function __invoke(array $reservations, array $cellLinkParams, Square $squ
 $cellLabel = $booking->needExtra('user')->need('alias');
 $cellGroup = ' cc-group-' . $booking->need('bid');
- return $view->calendarCellLink($cellLabel, $view->url('backend/booking/edit', [], $cellLinkParams), 'cc-free cc-free-partially' . $cellGroup);
+ return $view->calendarCellLink($view->escapeHtml($cellLabel), $view->url('backend/booking/edit', [], $cellLinkParams), 'cc-free cc-free-partially' . $cellGroup);
 } else {
 $labelFree = $square->getMeta('label.free', 'Still free');
diff --git a/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForPrivileged.php b/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForPrivileged.php
index e852568b..68a2bde9 100644
--- a/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForPrivileged.php
+++ b/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForPrivileged.php
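Review bot: `$userMatch` still reaches the output unescaped through the `$this->translate(ucfirst($userMatch))` context line just above the fix; if the translator returns unknown keys unchanged and `$userMatch` is anything other than a fixed set of internal keys, it needs the same `$this->escapeHtml()` wrapper as the alias. Where `$userMatch` is assigned is outside the hunk, so this is a point to confirm rather than a certain defect. The 'Booked by' block in the first hunk of this file has the same shape, escaping only the alias argument; the `uid` argument there goes through `$this->url()`, which presumably encodes it, so that one is fine either way.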
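Review bot: The escape is applied at the calendarCellLink() call site, and the same per-call pattern is repeated in the OccupiedForPrivileged and OccupiedForVisitors hunks, so every present and future caller has to remember it. If calendarCellLink() always renders its first argument as text, escaping the label once inside the helper and documenting that contract (`@param string $label plain text; escaped by this helper`) would cover all callers with one change; if some callers deliberately pass markup, keep the call-site escaping but say so in the helper's docblock. The class suffix `' cc-group-' . $booking->need('bid')` on the line above is still concatenated unescaped into what is presumably a class attribute; bid is likely a numeric id, but `escapeHtmlAttr` on it would remove the assumption. __invoke() starts and ends outside this hunk.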
@@ -39,7 +39,7 @@ public function __invoke(array $reservations, array $cellLinkParams)
 switch ($booking->need('status')) {
 case 'single':
- return $view->calendarCellLink($cellLabel, $view->url('backend/booking/edit', [], $cellLinkParams), 'cc-single' . $cellGroup, null, $cellStyle);
+ return $view->calendarCellLink($view->escapeHtml($cellLabel), $view->url('backend/booking/edit', [], $cellLinkParams), 'cc-single' . $cellGroup, null, $cellStyle);
 case 'subscription':
 return $view->calendarCellLink($cellLabel, $view->url('backend/booking/edit', [], $cellLinkParams), 'cc-multiple' . $cellGroup, null, $cellStyle);
 }
diff --git a/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForVisitors.php b/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForVisitors.php
index 5cdb98fb..fde49294 100644
--- a/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForVisitors.php
+++ b/module/Calendar/src/Calendar/View/Helper/Cell/Render/OccupiedForVisitors.php
@@ -36,13 +36,13 @@ public function __invoke(array $reservations, array $cellLinkParams, Square $squ
 $cellLabel = $this->view->t('Occupied');
 }
- return $view->calendarCellLink($cellLabel, $view->url('square', [], $cellLinkParams), 'cc-single' . $cellGroup);
+ return $view->calendarCellLink($view->escapeHtml($cellLabel), $view->url('square', [], $cellLinkParams), 'cc-single' . $cellGroup);
 case 'subscription':
 if (! $cellLabel) {
 $cellLabel = $this->view->t('Subscription');
 }
- return $view->calendarCellLink($cellLabel, $view->url('square', [], $cellLinkParams), 'cc-multiple' . $cellGroup);
+ return $view->calendarCellLink($view->escapeHtml($cellLabel), $view->url('square', [], $cellLinkParams), 'cc-multiple' . $cellGroup);
 }
 }
 }
diff --git a/module/Frontend/view/frontend/index/userpanel.online.phtml b/module/Frontend/view/frontend/index/userpanel.online.phtml
index 95ef88c2..51d3c7d6 100644
--- a/module/Frontend/view/frontend/index/userpanel.online.phtml
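Review bot: The fix is incomplete in this hunk: only the `case 'single':` return is escaped, while the `case 'subscription':` return two lines below still passes `$cellLabel` raw to calendarCellLink(), so the same label reaches the page unescaped for subscription bookings. The OccupiedForVisitors hunk in this patch escapes both branches, and this one should match it: `return $view->calendarCellLink($view->escapeHtml($cellLabel), $view->url('backend/booking/edit', [], $cellLinkParams), 'cc-multiple' . $cellGroup, null, $cellStyle);`. `$cellLabel` is assigned before the hunk and, judging by FreeForPrivileged, is presumably the booking user's alias; escaping it once where it is assigned, ahead of the switch, would cover both branches with a single change.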
+++ b/module/Frontend/view/frontend/index/userpanel.online.phtml
@@ -2,7 +2,7 @@
- t('Online as %s'), $this->user->need('alias')) ?>
+ t('Online as %s'), $this->escapeHtml($this->user->need('alias'))) ?>
@@ -36,4 +36,4 @@ ?
-
\ No newline at end of file
+