Security: Fix XSS vulnerability in agenda - see security report 28 - additions

Author: ywarnier

main/inc/ajax/agenda.ajax.php

@@ -19,22 +19,26 @@
 }
 
 $agenda = new Agenda($type);
+// get filtered type
+$type = $agenda->getType();
 
 switch ($action) {
     case 'add_event':
         if (!$agenda->getIsAllowedToEdit()) {
             break;
         }
         $add_as_announcement = isset($_REQUEST['add_as_annonuncement']) ? $_REQUEST['add_as_annonuncement'] : null;
-        $comment = isset($_REQUEST['comment']) ? $_REQUEST['comment'] : null;
+        $title = isset($_REQUEST['title']) ? Security::remove_XSS($_REQUEST['title']) : null;
+        $content = isset($_REQUEST['content']) ? Security::remove_XSS($_REQUEST['content']) : null;
+        $comment = isset($_REQUEST['comment']) ? Security::remove_XSS($_REQUEST['comment']) : null;
         $userToSend = isset($_REQUEST['users_to_send']) ? $_REQUEST['users_to_send'] : [];
 
         echo $agenda->addEvent(
             $_REQUEST['start'],
             $_REQUEST['end'],
             $_REQUEST['all_day'],
-            $_REQUEST['title'],
-            $_REQUEST['content'],
+            $title,
+            $content,
             $userToSend,
             $add_as_announcement,
             null, //$parentEventId = null,
@@ -54,8 +58,8 @@
             $_REQUEST['start'],
             $_REQUEST['end'],
             $_REQUEST['all_day'],
-            $_REQUEST['title'],
-            $_REQUEST['content']
+            $title,
+            $content
         );
         break;
     case 'delete_event':

main/inc/lib/agenda.lib.php

@@ -160,6 +160,18 @@ public function setType($type)
         }
     }
 
+    /**
+     * Returns the type previously set (and filtered) through setType
+     * If setType() was not called, then type defaults to "personal" as
+     * set in the class definition.
+     */
+    public function getType()
+    {
+        if (isset($this->type)) {
+            return $this->type;
+        }
+    }
+
     /**
      * @param int $id
      */