From 01c3b1a3c3c4837f267f6c531538a8b57583669a Mon Sep 17 00:00:00 2001
From: Murtaza Sultani
Date: Tue, 29 Jul 2025 14:25:37 +0200
Subject: Resolve "Forum: Speichern der Inhalte umgeht den HTML-Purifier"

Closes #5758

Merge request studip/studip!4394
---
 lib/classes/JsonApi/Routes/Forum/PostingStore.php | 2 +-
 lib/classes/JsonApi/Routes/Forum/PostingUpdate.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/classes/JsonApi/Routes/Forum/PostingStore.php b/lib/classes/JsonApi/Routes/Forum/PostingStore.php
index f7a667e..1b563b9 100644
--- a/lib/classes/JsonApi/Routes/Forum/PostingStore.php
+++ b/lib/classes/JsonApi/Routes/Forum/PostingStore.php
@@ -52,7 +52,7 @@ class PostingStore extends JsonApiController
 'range_id' => $discussion->range_id,
 'parent_id' => $parent_id ?? null,
 'discussion_id' => $discussion->discussion_id,
- 'content' => Markup::markAsHtml(self::arrayGet($json, 'data.attributes.content')),
+ 'content' => Markup::purifyHtml(Markup::markAsHtml(self::arrayGet($json, 'data.attributes.content'))),
 'anonymous' => (self::arrayGet($json, 'data.attributes.anonymous') && \Config::get()->FORUM_ANONYMOUS_POSTINGS),
 'user_id' => $user->user_id
 ]);
diff --git a/lib/classes/JsonApi/Routes/Forum/PostingUpdate.php b/lib/classes/JsonApi/Routes/Forum/PostingUpdate.php
index c720bb6..cd50373 100644
--- a/lib/classes/JsonApi/Routes/Forum/PostingUpdate.php
+++ b/lib/classes/JsonApi/Routes/Forum/PostingUpdate.php
@@ -44,7 +44,7 @@ class PostingUpdate extends JsonApiController
 throw new AuthorizationFailedException();
 }
- $posting->content = Markup::markAsHtml(self::arrayGet($json, 'data.attributes.content'));
+ $posting->content = Markup::purifyHtml(Markup::markAsHtml(self::arrayGet($json, 'data.attributes.content')));
 $posting->anonymous = (self::arrayGet($json, 'data.attributes.anonymous') && \Config::get()->FORUM_ANONYMOUS_POSTINGS);
 $posting->store();
-- 
cgit v1.0
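Review bot: The purifier call is now duplicated verbatim in the `'content' =>` line of PostingStore and in the `$posting->content =` line of PostingUpdate, which is exactly how the original bypass arose: each write path must remember to sanitise on its own. A single static helper such as `private static function purifiedContent(array $json): string { return Markup::purifyHtml(Markup::markAsHtml(self::arrayGet($json, 'data.attributes.content'))); }` in a shared base or trait, or better a purify step inside the posting model's own store path, would make the next forum write route safe by default rather than by convention. The nesting order also deserves a comment: purification runs after `markAsHtml`, so if `markAsHtml` prepends a marker that the purifier treats as stripable markup, the stored text would lose its HTML flag — presumably `purifyHtml` preserves it, but a one-line comment like `// purify after marking so the HTML marker is also checked` or a unit test pinning the round trip would confirm this. Finally, `self::arrayGet` may yield `null` when the attribute is absent; whether `markAsHtml`/`purifyHtml` accept `null` is not visible here, so a `?? ''` or an explicit validation error before the call is worth considering. Both enclosing methods start and end outside their hunks.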