Fix stored XSS in Calendar name (CVE-2023-24690)

DawoudIO · DawoudIO · commit ce846c86870f · 2025-11-29T16:21:28.000-08:00
Add strip_tags() sanitization when creating new calendars to prevent XSS payloads from being stored in the database. This is part of CVE-2023-24690 which covers multiple XSS vulnerabilities: - Calendar Name XSS (fixed here) - Group Name XSS (fixed in PR #7675) - Group Description XSS (fixed in PR #7675) Fixes #6444
diff --git a/src/api/routes/calendar/calendar.php b/src/api/routes/calendar/calendar.php
@@ -193,7 +193,7 @@ function NewCalendar(Request $request, Response $response, $args): Response
 {
     $input = $request->getParsedBody();
     $Calendar = new Calendar();
-    $Calendar->setName($input['Name']);
+    $Calendar->setName(strip_tags($input['Name']));
     $Calendar->setForegroundColor($input['ForegroundColor']);
     $Calendar->setBackgroundColor($input['BackgroundColor']);
     $Calendar->save();

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ function NewCalendar(Request $request, Response $response, $args): Response`
`193`	`193`	`{`
`194`	`194`	`$input = $request->getParsedBody();`
`195`	`195`	`$Calendar = new Calendar();`
`196`		`- $Calendar->setName($input['Name']);`
	`196`	`+ $Calendar->setName(strip_tags($input['Name']));`
`197`	`197`	`$Calendar->setForegroundColor($input['ForegroundColor']);`
`198`	`198`	`$Calendar->setBackgroundColor($input['BackgroundColor']);`
`199`	`199`	`$Calendar->save();`