fix XSS issues with date formatting, fixes #6277

Closes #6277 Merge request studip/studip!4751
author: Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de> 2026-02-27 14:50:39 +0100
committer: David Siegfried <david.siegfried@uni-vechta.de> 2026-02-27 13:50:39 +0000
commit: ce679651ccf784da2e4bf57d53b57d895a4fbea3 (patch)
tree: 5946f87af5fcd461808285488fcfc8258afd863b /lib/models/SeminarCycleDate.php
parent: e752624e6621cda3e9821694d0699e2c91224746 (diff)
1 files changed, 20 insertions, 8 deletions
diff --git a/lib/models/SeminarCycleDate.php b/lib/models/SeminarCycleDate.php
index e400665..799cd4a 100644
--- a/lib/models/SeminarCycleDate.php
+++ b/lib/models/SeminarCycleDate.php
@@ -214,7 +214,7 @@ class SeminarCycleDate extends SimpleORMap
      *
      * @returns string The formatted string.
      */
-    public function toString(string $format = 'short') : string
+    public function toString(string $format = 'short', bool $as_html = false) : string
     {
         if (!in_array($format, ['short', 'long', 'long-start', 'full'])) {
             //Invalid format:
@@ -246,16 +246,24 @@ class SeminarCycleDate extends SimpleORMap
                 $room = $this->getMostBookedRoom();
 
                 if ($room) {
-                    $parameters['room_name'] = sprintf(
-                        '<a href="%1$s" data-dialog="size=auto">%2$s</a>',
-                        $room->getActionLink(),
-                        htmlReady($room->name)
-                    );
+                    if ($as_html) {
+                        $parameters['room_name'] = sprintf(
+                            '<a href="%1$s" data-dialog="size=auto">%2$s</a>',
+                            $room->getActionLink(),
+                            htmlReady($room->name)
+                        );
+                    } else {
+                        $parameters['room_name'] = $room->name;
+                    }
                 } else {
                     //Use the freetext room name:
                     $room = $this->getMostUsedFreetextRoomName();
                     if ($room) {
-                        $parameters['room_name'] = $room;
+                        if ($as_html) {
+                            $parameters['room_name'] = htmlReady($room);
+                        } else {
+                            $parameters['room_name'] = $room;
+                        }
                     }
                 }
                 $first_date = $this->getFirstDate();
@@ -273,7 +281,11 @@ class SeminarCycleDate extends SimpleORMap
             } elseif ($format === 'full') {
                 $parameters['start_week'] = $this->week_offset + 1;
                 if ($this->description) {
-                    $parameters['description'] = $this->description;
+                    if ($as_html) {
+                        $parameters['description'] = htmlReady($this->description);
+                    } else {
+                        $parameters['description'] = $this->description;
+                    }
                 }
                 if ($this->end_offset) {
                     $parameters['end_week'] = $this->end_offset;
author	Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de>	2026-02-27 14:50:39 +0100
committer	David Siegfried <david.siegfried@uni-vechta.de>	2026-02-27 13:50:39 +0000
commit	ce679651ccf784da2e4bf57d53b57d895a4fbea3 (patch)
tree	5946f87af5fcd461808285488fcfc8258afd863b /lib/models/SeminarCycleDate.php
parent	e752624e6621cda3e9821694d0699e2c91224746 (diff)