From 4fa533919d3c3a9c1001e23da11d8201f9181252 Mon Sep 17 00:00:00 2001
From: Vasil Kolev <vasil@ludost.net>
Date: Sun, 16 Oct 2022 15:23:01 +0300
Subject: [PATCH] schedule: fix XSS, reported by Hetti

---
 schedule/parse.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/schedule/parse.php b/schedule/parse.php
index 04fd6a4..8bef3af 100644
--- a/schedule/parse.php
+++ b/schedule/parse.php
@@ -284,8 +284,8 @@ function parseData($config, $data) {
 				
 				// We don't want '()' when we don't have a speaker name
 				$fulltalk_spkr = strlen($speakers) > 0 ? (' (' . $speakers . ')') : '';
-				$fulltalks .= '<p><strong>' . $event['title'] . ' ' . $fulltalk_spkr . '</strong></p>';
-				$fulltalks .= '<p>' . $event['abstract'] . '</p>';
+				$fulltalks .= '<p><strong>' . htmlentities($event['title']) . ' ' . $fulltalk_spkr . '</strong></p>';
+				$fulltalks .= '<p>' . htmlentities($event['abstract']) . '</p>';
 				$fulltalks .= $fullfb;
 				$fulltalks .= '<div class="separator"></div></section>';
 				$known_events[$eid] = $eid;
@@ -396,7 +396,7 @@ function parseData($config, $data) {
 		}
 		
 		$fspk .= '</div>';
-		$fspk .= '<p>' . $speaker['biography'] . '</p>';
+		$fspk .= '<p>' . htmlentities($speaker['biography']) . '</p>';
 		$fspk .= '</div><div class="separator"></div>';
 	}