authorElmar Ludwig <elmar.ludwig@uni-osnabrueck.de>2026-02-27 14:50:39 +0100
committerDavid Siegfried <david.siegfried@uni-vechta.de>2026-02-27 13:50:39 +0000
commitce679651ccf784da2e4bf57d53b57d895a4fbea3 (patch)
tree5946f87af5fcd461808285488fcfc8258afd863b /app/controllers/course
parente752624e6621cda3e9821694d0699e2c91224746 (diff)
fix XSS issues with date formatting, fixes #6277
Closes #6277 Merge request studip/studip!4751
Diffstat (limited to 'app/controllers/course')
-rw-r--r--app/controllers/course/block_appointments.php4
-rw-r--r--app/controllers/course/overview.php2
-rw-r--r--app/controllers/course/timesrooms.php24
3 files changed, 15 insertions, 15 deletions
diff --git a/app/controllers/course/block_appointments.php b/app/controllers/course/block_appointments.php
index 9e6b9c2..c735244 100644
--- a/app/controllers/course/block_appointments.php
+++ b/app/controllers/course/block_appointments.php
@@ -272,11 +272,11 @@ class Course_BlockAppointmentsController extends AuthenticatedController
}
if ($result && $booking_failures) {
//Not all selected rooms for the date could be booked:
- $partially_booked_dates[] = $d->getFullName();
+ $partially_booked_dates[] = htmlReady($d->getFullName());
}
}
- return $result ? $d->getFullName() : null;
+ return $result ? htmlReady($d->getFullName()) : null;
}, $dates));
if ($date_count > 1) {
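Review bot: The escaping is now applied where the date names are collected (the `$partially_booked_dates[]` append and the closure's return value), not where they are rendered, so from here on those strings are HTML fragments; a consumer that runs `htmlReady()` over the joined message again will double-encode, and one that wants plain text (a log line or mail body) will receive entities. The consumer is outside this hunk so I can't confirm either, but the invariant should be stated at the collection point, e.g. `// date names are pre-escaped with htmlReady(); render raw, do not escape again`. The array_map closure and the function around it start before this hunk.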
diff --git a/app/controllers/course/overview.php b/app/controllers/course/overview.php
index fc0f441..4325de8 100644
--- a/app/controllers/course/overview.php
+++ b/app/controllers/course/overview.php
@@ -67,7 +67,7 @@ class Course_OverviewController extends AuthenticatedController
$this->next_date = $this->course->getNextDate();
$this->first_date = $this->course->getFirstDate();
$show_link = $GLOBALS["perm"]->have_studip_perm('autor', $this->course_id) && $this->course->isToolActive('schedule');
- $this->times_rooms = implode('<br>', $this->course->getAllDatesInSemester()->toStringArray());
+ $this->times_rooms = $this->course->getAllDatesInSemester()->toHtml();
//Load lecturers:
$lecturers = $this->course->getMembersWithStatus('dozent');
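Review bot: The XSS fix for this line rests entirely on `toHtml()` escaping each date string before joining them, and that method is not visible here — if it only implodes `toStringArray()` with `<br>`, unescaped room or location text reaches the template exactly as before. Worth verifying that method, and since `$this->times_rooms` is now HTML by contract (it carries `<br>`), the view must print it raw; note that at the assignment with `// HTML, escaped by toHtml(); the view outputs this raw`. The enclosing action method starts before this hunk.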
diff --git a/app/controllers/course/timesrooms.php b/app/controllers/course/timesrooms.php
index ae2c567..8349445 100644
--- a/app/controllers/course/timesrooms.php
+++ b/app/controllers/course/timesrooms.php
@@ -371,7 +371,7 @@ class Course_TimesroomsController extends AuthenticatedController
PageLayout::postWarning(
studip_interpolate(
_('Die Buchung des Raumes %{room_name} zu diesem Termin wird bei der Verlängerung des Zeitbereiches gelöscht, da sie keine Buchungsrechte an dem Raum haben!'),
- ['room_name' => $room->name]
+ ['room_name' => htmlReady($room->name)]
)
);
}
@@ -759,9 +759,9 @@ class Course_TimesroomsController extends AuthenticatedController
studip_interpolate(
_('Der Raum %{room_name} wird an dem Termin %{date} bereits durch die Veranstaltung %{course_name} belegt.'),
[
- 'room_name' => $room->name,
- 'date' => $termin->getFullName(),
- 'course_name' => $course->name
+ 'room_name' => htmlReady($room->name),
+ 'date' => htmlReady($termin->getFullName()),
+ 'course_name' => htmlReady($course->name)
]
),
$message_links
@@ -771,8 +771,8 @@ class Course_TimesroomsController extends AuthenticatedController
studip_interpolate(
_('Der Raum %{room_name} wird an dem Termin %{date} bereits anderweitig belegt.'),
[
- 'room_name' => $room->name,
- 'date' => $termin->getFullName()
+ 'room_name' => htmlReady($room->name),
+ 'date' => htmlReady($termin->getFullName())
]
),
$message_links
@@ -1309,7 +1309,7 @@ class Course_TimesroomsController extends AuthenticatedController
$error_messages[] = sprintf(
studip_interpolate(
_('%{date}: Die eingegebene Rüstzeit überschreitet das erlaubte Maximum von %d Minuten!'),
- ['date' => $singledate->getFullName()]
+ ['date' => htmlReady($singledate->getFullName())]
),
$max_preparation_time
);
@@ -1334,17 +1334,17 @@ class Course_TimesroomsController extends AuthenticatedController
$error_messages[] = studip_interpolate(
_('Der Raum %{room_name} wird an dem Termin %{date} bereits durch die Veranstaltung %{course_name} belegt.'),
[
- 'room_name' => $room->name,
- 'date' => $singledate->getFullName(),
- 'course_name' => $course->name
+ 'room_name' => htmlReady($room->name),
+ 'date' => htmlReady($singledate->getFullName()),
+ 'course_name' => htmlReady($course->name)
]
);
} else {
$error_messages[] = studip_interpolate(
_('Der Raum %{room_name} wird an dem Termin %{date} bereits anderweitig belegt.'),
[
- 'room_name' => $room->name,
- 'date' => $singledate->getFullName()
+ 'room_name' => htmlReady($room->name),
+ 'date' => htmlReady($singledate->getFullName())
]
);
}
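Review bot: The two messages built here are byte-identical copies of the ones at lines 759-781 in the earlier hunk, now including the escaping, so the next conflict-message site has to remember `htmlReady()` on all three values a third time; I would move the construction into one private helper so the escaping lives in a single place. This assumes the if/else above (its condition is outside this hunk) keys only on whether `$course` was resolved — if it tests something else, keep the branch and call the helper from both arms. The loop enclosing this block also starts before the hunk.
```php
// … unchanged: conflict check around the two message sites …
$error_messages[] = $this->roomConflictMessage($room, $singledate, $course ?? null);

/**
 * HTML-escaped message for a room that is already booked on $date.
 * $course is the conflicting course, or null when the booking is not a course's.
 */
private function roomConflictMessage($room, $date, $course = null): string
{
    $params = [
        'room_name' => htmlReady($room->name),
        'date'      => htmlReady($date->getFullName()),
    ];
    if ($course === null) {
        return studip_interpolate(
            _('Der Raum %{room_name} wird an dem Termin %{date} bereits anderweitig belegt.'),
            $params
        );
    }
    $params['course_name'] = htmlReady($course->name);
    return studip_interpolate(
        _('Der Raum %{room_name} wird an dem Termin %{date} bereits durch die Veranstaltung %{course_name} belegt.'),
        $params
    );
}
```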