Special chars need to be escaped in event title

1 week 2 days ago #17076 by Lemke
I am currently evaluating whether iCagenda is suitable for my purposes. In the course of this I discovered that event titles containing double quotes lead to errors. Example:
The event title is
Industrielle Praxis "Cloud Operations Workshop mit Bosch" (Workshop für Studierende)

This leads to the following generated HTML:
<div class="event ic-event ic-clearfix">
       <a href="/joomla/index.php/veranstaltungen-2/1-industrielle-praxis-cloud-operations-workshop-mit-bosch-workshop-fuer-studierende?date=2020-11-02-17-30" title="Industrielle Praxis " cloud="" operations="" workshop="" mit="" bosch"="" (workshop="" für="" studierende)"="">

I suppose the event title needs to be escaped using PHP's htmlspecialchars. This might also be a security risk.

1 week 2 days ago #17077 by Lyr!C
Hello,

Thank you for this report!

I don't see any security risk here, as it's only in an HTML layout rendering function.

But the escaping is missing...

Attached a version with the patch!

Best regards,
Cyril

File Attachment:

File Name: iCagenda_3...dev1.zip
File Size:1,775 KB
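
The escaping discussed in this thread, as an added example that is not iCagenda's code and not the attached patch. The helper names (`esc`, `render_event_link_unescaped`, `render_event_link_escaped`, `anchor_attributes`) and the sample URL are assumptions; the script needs PHP's DOM extension to parse the markup back and compare the `title` attribute with the original input.

```php
<?php
// Added example, not iCagenda's code. All function names are hypothetical.

// Title from the report above; the URL is a constructed sample.
$title = 'Industrielle Praxis "Cloud Operations Workshop mit Bosch" (Workshop für Studierende)';
$href  = '/events/1-example?date=2020-11-02-17-30';

// Before: the title is concatenated into the attribute as-is, so the first
// double quote inside the title terminates the attribute value early.
function render_event_link_unescaped(string $href, string $title): string
{
    return '<a href="' . $href . '" title="' . $title . '">' . $title . '</a>';
}

// Escape a value for HTML text and quoted attribute contexts.
// ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every value is escaped at the point where it is written out.
function render_event_link_escaped(string $href, string $title): string
{
    return '<a href="' . esc($href) . '" title="' . esc($title) . '">' . esc($title) . '</a>';
}

// Parse the markup with DOMDocument and return the attributes found on <a>.
function anchor_attributes(string $html): array
{
    libxml_use_internal_errors(true); // malformed input must not emit warnings
    $doc = new DOMDocument();
    // The XML encoding hint makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    $attrs = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

foreach (['unescaped', 'escaped'] as $variant) {
    $html  = ('render_event_link_' . $variant)($href, $title);
    $attrs = anchor_attributes($html);
    echo $variant, ': ', $html, "\n";
    echo '  attribute names: ', implode(', ', array_keys($attrs)), "\n";
    echo '  title matches input: ', var_export(($attrs['title'] ?? null) === $title, true), "\n";
}
```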
