Stop allowing HTML in Event Sermon text
Resolves #6851
respencer committed Jun 10, 2024
1 parent fc49dc5 commit a715932
Showing 2 changed files with 40 additions and 105 deletions.
115 changes: 39 additions & 76 deletions src/EventEditor.php
@@ -1,27 +1,5 @@
<?php

/*******************************************************************************
*
* filename : EventEditor.php
* last change : 2005-09-10
* website : https://churchcrm.io
* copyright : Copyright 2005 Todd Pillars
* Copyright 2012 Michael Wilt
*
* function : Editor for Church Events
*
******************************************************************************/

// table fields
// event_id int(11)
// event_type enum('CS', 'SS', 'VOL')
// event_title varchar(255)
// event_desc varchar(255)
// event_text text
// event_start datetime
// event_end datetime
// inactive int(1) default 0

require 'Include/Config.php';
require 'Include/Functions.php';

Expand All @@ -30,14 +8,14 @@
use ChurchCRM\model\ChurchCRM\Event;
use ChurchCRM\model\ChurchCRM\EventQuery;
use ChurchCRM\Utils\InputUtils;
use ChurchCRM\Utils\RedirectUtils;

AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isAddEvent());

$sPageTitle = gettext('Church Event Editor');

AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isAddEvent());
require 'Include/Header.php';

$sAction = 'Create Event';
require 'Include/Header.php';

if (isset($_GET['calendarAction'])) {
$sAction = 'Edit';
Expand All @@ -49,35 +27,28 @@

if (array_key_exists('EID', $_POST)) {
$sOpp = $_POST['EID'];
} // from EDIT button on event listing
}

if (array_key_exists('EN_tyid', $_POST)) {
$tyid = $_POST['EN_tyid'];
} else { // from event type list page
} else {
$tyid = 0;
}
}

$EventExists = 0;
$iEventID = 0;
$iErrors = 0;

if (!$sAction) {
$sAction = 'Create Event';
}

//
// process the action inputs
//
if ($sAction === 'Create Event' && !empty($tyid)) {
//
// user is coming from the event types screen and thus there

// User is coming from the event types screen and thus there
// is no existing event in the event_event table
//
// will use the event type information to smart-prefill the
// event fields...but still allow the user to edit everything
// except event type since event type is tied to the attendance count fields
//
$EventExists = 0;

$sSQL = "SELECT * FROM event_types WHERE type_id=$tyid";
$rsOpps = RunQuery($sSQL);
$numRows = mysqli_num_rows($rsOpps);
Expand Down Expand Up @@ -112,10 +83,9 @@
}
$nCnts = $iNumCounts;
$sCountNotes = '';
//
// this switch manages the smart-prefill of the form based on the event type

// This switch manages the smart-prefill of the form based on the event type
// definitions, recurrence type, etc.
//
switch ($sDefRecurType) {
case 'none':
$sEventStartDate = date('Y-m-d');
Expand All @@ -128,13 +98,13 @@
break;

case 'weekly':
// check for the last occurrence of this type_id in the events table and
// Check for the last occurrence of this type_id in the events table and
// create a new event based on this date reference
$sSQL = "SELECT * FROM events_event WHERE event_type = '$iTypeID' ORDER BY event_start DESC LIMIT 1";
$ecOpps = RunQuery($sSQL);
$numRows = mysqli_num_rows($ecOpps);
if ($numRows > 0) {
// use the most recent event if it exists
// Use the most recent event if it exists
$ecRow = mysqli_fetch_array($ecOpps, MYSQLI_BOTH);
extract($ecRow);
$aStartTokens = explode(' ', $event_start);
Expand All @@ -149,7 +119,7 @@
$iEventEndHour = $iEventStartHour + 1;
$iEventEndMins = $iEventStartMins;
} else {
// use the event type definition
// Use the event type definition
$sEventStartDate = date('Y-m-d', strtotime("last $iDefRecurDOW"));
$aStartTimeTokens = explode(':', $sDefStartTime);
$iEventStartHour = $aStartTimeTokens[0];
Expand All @@ -161,13 +131,13 @@
break;

case 'monthly':
// check for the last occurrence of this type_id in the events table and
// Check for the last occurrence of this type_id in the events table and
// create a new event based on this date reference
$sSQL = "SELECT * FROM events_event WHERE event_type = '$iTypeID' ORDER BY event_start DESC LIMIT 1";
$ecOpps = RunQuery($sSQL);
$numRows = mysqli_num_rows($ecOpps);
if ($numRows > 0) {
// use the most recent event if it exists
// Use the most recent event if it exists
$ecRow = mysqli_fetch_array($ecOpps, MYSQLI_BOTH);
extract($ecRow);
$aStartTokens = explode(' ', $event_start);
Expand All @@ -182,7 +152,7 @@
$iEventEndHour = intval($aEventStartTimeTokens[0]) + 1;
$iEventEndMins = $aEventStartTimeTokens[1];
} else {
// use the event type definition
// Use the event type definition
$currentDOM = date('d');
if ($currentDOM < $iDefRecurDOM) {
$sEventStartDate = date('Y-m-d', mktime(0, 0, 0, date('m') - 1, $iDefRecurDOM, date('Y')));
Expand All @@ -204,7 +174,7 @@
$ecOpps = RunQuery($sSQL);
$numRows = mysqli_num_rows($ecOpps);
if ($numRows > 0) {
// use the most recent event if it exists
// Use the most recent event, if it exists
$ecRow = mysqli_fetch_array($ecOpps, MYSQLI_BOTH);
extract($ecRow);
$aStartTokens = explode(' ', $event_start);
Expand All @@ -219,15 +189,18 @@
$iEventEndHour = intval($aEventStartTimeTokens[0]) + 1;
$iEventEndMins = $aEventStartTimeTokens[1];
} else {
// use the event type definition
// Use the event type definition
$currentDOY = time();
$defaultDOY = strtotime($sDefRecurDOY);
if ($currentDOY < $defaultDOY) { // event is future
if ($currentDOY < $defaultDOY) {
// Event is in the future
$sEventStartDate = $sDefRecurDOY;
} elseif ($currentDOY > $defaultDOY + (365 * 24 * 60 * 60)) { // event is over 1 year past
} elseif ($currentDOY > $defaultDOY + (365 * 24 * 60 * 60)) {
// Event is over 1 year in the past
$aDMY = explode('-', $sDefRecurDOY);
$sEventStartDate = date('Y-m-d', mktime(0, 0, 0, $aDMY[1], $aDMY[2], date('Y') - 1));
} else { // event is past
} else {
// Event is past
$aDMY = explode('-', $sDefRecurDOY);
$sEventStartDate = date('Y-m-d', mktime(0, 0, 0, $aDMY[1], $aDMY[2], date('Y')));
}
Expand All @@ -247,7 +220,6 @@
$iEventStatus = 0;
$iTypeID = $type_id;
} elseif ($sAction = 'Edit' && !empty($sOpp)) {
// Get data for the form as it now exists..
$EventExists = 1;
$sSQL = "SELECT * FROM events_event as t1, event_types as t2 WHERE t1.event_type = t2.type_id AND t1.event_id ='" . $sOpp . "' LIMIT 1";
$rsOpps = RunQuery($sSQL);
Expand All @@ -274,11 +246,11 @@
$iEventStatus = $inactive;

$sSQL = "SELECT * FROM eventcounts_evtcnt WHERE evtcnt_eventid='$iEventID' ORDER BY evtcnt_countid ASC";
// echo $cvSQL;

$cvOpps = RunQuery($sSQL);
$iNumCounts = mysqli_num_rows($cvOpps);
$nCnts = $iNumCounts;
// echo "numcounts = {$aNumCounts}\n\l";

if ($iNumCounts) {
for ($c = 0; $c < $iNumCounts; $c++) {
$aRow = mysqli_fetch_array($cvOpps, MYSQLI_BOTH);
Expand All @@ -290,7 +262,6 @@
}
}
} elseif (isset($_POST['SaveChanges'])) {
// Does the user want to save changes to text fields?
$iEventID = $_POST['EventID'];
$iTypeID = $_POST['EventTypeID'];
$EventExists = $_POST['EventExists'];
Expand Down Expand Up @@ -342,15 +313,14 @@

$sCountNotes = $_POST['EventCountNotes'];

// If no errors, then update.
if ($iErrors === 0) {
if ($EventExists == 0) {
if ($EventExists === 0) {
$event = new Event();
$event
->setType(InputUtils::legacyFilterInput($iTypeID))
->setTitle(InputUtils::legacyFilterInput($sEventTitle))
->setDesc(InputUtils::legacyFilterInput($sEventDesc))
->setText(InputUtils::filterHTML($sEventText))
->setText(InputUtils::legacyFilterInput($sEventText))
->setStart(InputUtils::legacyFilterInput($sEventStart))
->setEnd(InputUtils::legacyFilterInput($sEventEnd))
->setInActive(InputUtils::legacyFilterInput($iEventStatus));
Expand All @@ -376,7 +346,7 @@
->setType(InputUtils::legacyFilterInput($iTypeID))
->setTitle(InputUtils::legacyFilterInput($sEventTitle))
->setDesc(InputUtils::legacyFilterInput($sEventDesc))
->setText(InputUtils::filterHTML($sEventText))
->setText(InputUtils::legacyFilterInput($sEventText))
->setStart(InputUtils::legacyFilterInput($sEventStart))
->setEnd(InputUtils::legacyFilterInput($sEventEnd))
->setInActive(InputUtils::legacyFilterInput($iEventStatus));
Expand All @@ -398,19 +368,17 @@
header('Location: ListEvents.php');
}
}

// Construct the form
?>

<div class='card'>
<div class='card-header'>
<h3><?= ($EventExists == 0) ? gettext('Create a new Event') : gettext('Editing Event ID: ') . $iEventID ?></h3>
<h3><?= ($EventExists === 0) ? gettext('Create a new Event') : gettext('Editing Event ID: ') . $iEventID ?></h3>

<?php
if ($iErrors !== 0) {
echo "<div class='alert alert-danger'>" . gettext('There were ') . $iErrors . gettext(' errors. Please see below') . '</div>';
} else {
if ($iErrors === 0) {
echo '<div>' . gettext('Items with a ') . '<span style="color: red">*</span>' . gettext(' are required') . '</div>';
} else {
echo "<div class='alert alert-danger'>" . gettext('There were ') . $iErrors . gettext(' errors. Please see below') . '</div>';
}
?>
</div>
Expand Down Expand Up @@ -450,7 +418,7 @@
</tr>

<?php
} else { // if (empty($iTypeID))?>
} else { ?>
<tr>
<td class="LabelColumn"><span style="color: red">*</span><?= gettext('Event Type') ?>:</td>
<td colspan="3" class="TextColumn">
Expand All @@ -459,7 +427,6 @@
<?= ($iTypeID . '-' . $sTypeName) ?>
</td>
</tr>

<tr>
<td class="LabelColumn"><span style="color: red">*</span><?= gettext('Event Title') ?>:</td>
<td colspan="1" class="TextColumn">
Expand All @@ -480,15 +447,13 @@
<input type="text" name="EventDateRange" value=""
maxlength="10" id="EventDateRange" size="50" class='form-control' width="100%" style="width: 100%" required>
</td>

</tr>

<tr>
<td class="LabelColumn"><?= gettext('Attendance Counts') ?></td>
<td class="TextColumn" colspan="3">
<input type="hidden" name="NumAttendCounts" value="<?= $nCnts ?>">
<?php
if ($nCnts == 0) {
if ($nCnts === 0) {
echo gettext('No Attendance counts recorded');
} else {
?>
Expand All @@ -504,17 +469,15 @@
</td>
</tr>
<?php
} //end for loop
?>
} ?>
<tr>
<td><strong><?= gettext('Attendance Notes: ') ?>&nbsp;</strong></td>
<td><input type="text" name="EventCountNotes" value="<?= $sCountNotes ?>" class='form-control'>
</td>
</tr>
</table>
<?php
} //endif
?>
} ?>
</td>
</tr>

Expand All @@ -541,7 +504,7 @@
<td><input type="submit" name="SaveChanges" value="<?= gettext('Save Changes') ?>" class="btn btn-primary"></td>
</tr>
<?php
} // if (empty($iTypeID))?>
} ?>
</table>
</form>
</div>
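Review bot: The strict comparison `if ($EventExists === 0)` in the SaveChanges branch (the `@@ -342,15 +313,14 @@` hunk) can no longer match, because `$EventExists` is assigned from `$_POST['EventExists']` a few lines earlier and form-posted values are strings, so `'0' === 0` is false and a newly created event falls through to the else branch that updates an existing row; the same `($EventExists === 0)` in the card header then labels the re-rendered form as an edit after validation errors. Normalise the type where it is read: `$EventExists = (int) $_POST['EventExists'];`. The `===` sweep also missed `} elseif ($sAction = 'Edit' && !empty($sOpp)) {` in the `@@ -247,7 +220,6 @@` hunk, where a single `=` assigns the boolean result of `'Edit' && !empty($sOpp)` to `$sAction` instead of comparing it; it should read `} elseif ($sAction === 'Edit' && !empty($sOpp)) {`. Separately, `$tyid` from `$_POST['EN_tyid']` and `$sOpp` from `$_POST['EID']` are interpolated into the `event_types` and `events_event` queries without a cast or a prepared statement; `$tyid = (int) $_POST['EN_tyid'];` would at least constrain the value to an integer until those queries are parameterised. The if/elseif chain these branches belong to spans several hunks of this file section, so the surrounding control flow is only partly visible here.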