Fix stored XSS in Calendar name (CVE-2023-24690) (#7681)

DawoudIO · web-flow · commit f179fa746ea7 · 2025-11-29T18:22:21.000-08:00
diff --git a/src/api/routes/calendar/calendar.php b/src/api/routes/calendar/calendar.php
@@ -193,7 +193,7 @@ function NewCalendar(Request $request, Response $response, $args): Response
 {
     $input = $request->getParsedBody();
     $Calendar = new Calendar();
-    $Calendar->setName($input['Name']);
+    $Calendar->setName(InputUtils::filterString($input['Name']));
     $Calendar->setForegroundColor($input['ForegroundColor']);
     $Calendar->setBackgroundColor($input['BackgroundColor']);
     $Calendar->save();

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ function NewCalendar(Request $request, Response $response, $args): Response`
`193`	`193`	`{`
`194`	`194`	`$input = $request->getParsedBody();`
`195`	`195`	`$Calendar = new Calendar();`
`196`		`- $Calendar->setName($input['Name']);`
	`196`	`+ $Calendar->setName(InputUtils::filterString($input['Name']));`
`197`	`197`	`$Calendar->setForegroundColor($input['ForegroundColor']);`
`198`	`198`	`$Calendar->setBackgroundColor($input['BackgroundColor']);`
`199`	`199`	`$Calendar->save();`