diff -Naur WebCalendar-1.2.4.orig/edit_entry_handler.php WebCalendar-1.2.4.new/edit_entry_handler.php --- WebCalendar-1.2.4.orig/edit_entry_handler.php 2012-02-17 11:09:49.523345221 +0100 +++ WebCalendar-1.2.4.new/edit_entry_handler.php 2012-02-17 12:50:59.541471469 +0100 @@ -152,16 +152,19 @@ $location = strip_tags ( $location ); } -// Don't allow certain HTML tags in description. +// Don't allow certain HTML tags in name, description and location. // Malicious users can use meta refresh to redirect users to another // site (possibly a malware site). This could be form a public submission // on an event calendar, and the admin gets sent to the malware site when // viewing the event to approve/reject it. $bannedTags = array ( 'HTML', 'HEAD', 'TITLE', 'BODY', 'SCRIPT', 'META', 'LINK', 'OBJECT', 'APPLET' ); -for ( $i = 0; $i < count ( $bannedTags ); $i++ ) { - if ( preg_match ( "/<\s*$bannedTags[$i]/i", $description ) ) { - $error = translate('Security violation!'); +foreach (array($name, $description, $location) as $chkfld) { + for ( $i = 0; $i < count ( $bannedTags ); $i++ ) { + if ( preg_match ( "/<\s*$bannedTags[$i]/i", $chkfld ) ) { + $error = translate('Security violation!'); + break 2; + } } } diff -Naur WebCalendar-1.2.4.orig/view_entry.php WebCalendar-1.2.4.new/view_entry.php --- WebCalendar-1.2.4.orig/view_entry.php 2012-02-17 11:09:49.466347759 +0100 +++ WebCalendar-1.2.4.new/view_entry.php 2012-02-17 12:41:58.190467151 +0100 @@ -421,7 +421,7 @@ </tr>' : '' ) . ( $DISABLE_URL_FIELD != 'Y' && ! empty ( $url ) ? ' <tr> <td class="aligntop bold">' . translate ( 'URL' ) . ':</td> - <td>' . activate_urls ( $url ) . '</td> + <td>' . activate_urls(htmlspecialchars($url)) . '</td> </tr>' : '' ); if ( $event_status != 'A' && ! empty ( $event_status ) ) { 
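Review bot: The denylist in the new foreach loop still admits every tag it does not name — `<iframe`, `<embed`, `<form`, `<base`, `<style` and, more importantly, any tag carrying an event-handler attribute such as `<img onerror=…>` — so extending the check to name and location does not make stored markup in those fields safe to print. It only blocks the meta-refresh case the comment describes; the fields still need htmlspecialchars() at the point they are rendered, and the view_entry.php hunks below do not appear to escape name or description (those echo sites are outside this diff, worth confirming). The pattern also has no word boundary, so `/<\s*HEAD/i` rejects a legitimate `<header>` tag; `preg_match('/<\s*(' . implode('|', $bannedTags) . ')\b/i', $chkfld)` removes the inner for loop and fixes that. I would add above `$bannedTags` the comment `// Denylist, defence in depth only: output must still be escaped at render time.` The surrounding handler code continues outside this hunk.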
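Review bot: The new `htmlspecialchars($url)` in the URL row uses the default flags, which leave single quotes unencoded, so the result is only attribute-safe if activate_urls() builds its anchor with double-quoted attributes — its implementation is outside this diff, so please confirm. Encoding also does nothing about the scheme: a stored `javascript:` URL passes through unchanged, and whether it ends up inside an href depends on which schemes activate_urls() linkifies. Prefer `activate_urls(htmlspecialchars($url, ENT_QUOTES))` here, and validate the scheme (http, https, ftp, mailto) when the event is saved so the view page is not the only line of defence. The echo expression this line belongs to starts and ends outside the hunk.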
@@ -685,10 +685,10 @@ <td width="30%">'; if ( strlen ( $tempemail ) && $can_email != 'N' ) { echo '<a href="mailto:' . $tempemail . '?subject=' . $subject - . '"> ' . $tempfullname . '</a>'; + . '"> ' . htmlspecialchars($tempfullname) . '</a>'; $allmails[] = $tempemail; } else - echo ' ' . $tempfullname; + echo ' ' . htmlspecialchars($tempfullname); echo '</td> <td width="5%" align="center">' . $percentage . '%</td> @@ -711,7 +711,7 @@ '; if ( strlen ( $tempemail ) > 0 && $can_email != 'N' ) { echo '<a href="mailto:' . $tempemail . '?subject=' . $subject . '">' - . $tempfullname . '</a>'; + . htmlspecialchars($tempfullname) . '</a>'; $allmails[] = $tempemail; } else echo $tempfullname; @@ -727,7 +727,7 @@ for ( $i = 0, $cnt = count ( $ext_users ); $i < $cnt; $i++ ) { if ( ! empty ( $ext_users[$i] ) ) { echo ' - ' . $ext_users[$i] . ' (' . $externUserStr . ')<br />'; + ' . htmlspecialchars($ext_users[$i]) . ' (' . $externUserStr . ')<br />'; if ( preg_match ( '/mailto: (\S+)"/', $ext_users[$i], $match ) ) $allmails[] = $match[1]; }
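Review bot: In the -685 hunk only `$tempfullname` is escaped; `$tempemail` and `$subject` are still concatenated raw into the `href="mailto:…"` attribute, so a stored email or subject containing `"` still breaks out of the attribute. The href should read `'<a href="mailto:' . htmlspecialchars($tempemail, ENT_QUOTES) . '?subject=' . rawurlencode($subject) . '">'`, unless `$subject` is already URL-encoded where it is built (that is outside the hunk, worth checking). The same mailto construction appears in the -711 hunk and should be changed in step.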
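Review bot: The -711 hunk escapes `$tempfullname` inside the anchor but the `else` branch on the following context line still does `echo $tempfullname;` unescaped, unlike the matching branch in the -685 hunk, so the no-email participant row remains an injection point. Change it to `echo htmlspecialchars($tempfullname);`. As in the hunk above, `$tempemail` and `$subject` also go into the href unescaped; `htmlspecialchars($tempemail, ENT_QUOTES)` and `rawurlencode($subject)` would close that. The enclosing loop starts and ends outside the hunk.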
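Review bot: In the -727 hunk the `preg_match('/mailto: (\S+)"/', $ext_users[$i], $match)` on the line after the change looks for a `mailto: …"` fragment, which suggests `$ext_users[$i]` may already contain anchor markup; if so, the new `htmlspecialchars($ext_users[$i])` prints that markup as literal text rather than a link. `$ext_users` is built outside this hunk, so confirm what it holds; if it is pre-rendered HTML, escape the raw name and address where the entry is assembled and leave the rendered anchor alone here, e.g. `'<a href="mailto:' . htmlspecialchars($addr, ENT_QUOTES) . '">' . htmlspecialchars($name) . '</a>'`. The extracted `$match[1]` is also pushed into `$allmails` without validation; a `filter_var($match[1], FILTER_VALIDATE_EMAIL)` check before the push would keep junk out of the later mailto list.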