1 files changed, 19 insertions, 6 deletions

diff --git a/modules-available/dozmod/pages/actionlog.inc.php b/modules-available/dozmod/pages/actionlog.inc.php
index abf617fc..182198c2 100644
--- a/modules-available/dozmod/pages/actionlog.inc.php
+++ b/modules-available/dozmod/pages/actionlog.inc.php
@@ -11,7 +11,7 @@ class SubPage
 		User::assertPermission("actionlog.view");
 		self::$action = Request::get('action', '', 'string');
 		if (self::$action !== '' && self::$action !== 'showtarget' && self::$action !== 'showuser') {
-			Util::traceError('Invalid action for actionlog: "' . self::$action . '"');
+			ErrorHandler::traceError('Invalid action for actionlog: "' . self::$action . '"');
 		}
 		self::$uuid = Request::get('uuid', '', 'string');
 	}
@@ -80,7 +80,19 @@ class SubPage
 			ORDER BY al.dateline DESC LIMIT 500", array('uuid' => self::$uuid), true, false);
 	}
 
-	private static function addImageHeader()
+	private static function mangleHtml($desc)
+	{
+		if (substr($desc, 0, 5) === '<html') {
+			$desc = strip_tags($desc,
+				'<strong><b><i><u><ul><li><font><span><p><div><hr><h1><h2><h3><h4><h5><h6>');
+			$desc = preg_replace('/\b(on\w+|style)[\s\r\n]*=[\s\r\n]*(\'.*?\'|".*?"|[^\'"]\S*)/si', '', $desc);
+		} else {
+			$desc = nl2br(htmlspecialchars($desc));
+		}
+		return $desc;
+	}
+
+	private static function addImageHeader(): bool
 	{
 		$image = Database::queryFirst('SELECT o.userid AS ouserid, o.firstname AS ofirstname, o.lastname AS olastname,
 				u.userid AS uuserid, u.firstname AS ufirstname, u.lastname AS ulastname,
@@ -96,13 +108,13 @@ class SubPage
 			// Mangle date and render
 			$image['createtime_s'] = date('d.m.Y H:i', $image['createtime']);
 			$image['updatetime_s'] = date('d.m.Y H:i', $image['updatetime']);
-			$image['descriptionHtml'] = nl2br(htmlspecialchars($image['description']));
+			$image['descriptionHtml'] = self::mangleHtml($image['description']);
 			Render::addTemplate('actionlog-image', $image);
 		}
 		return $image !== false;
 	}
 
-	private static function addLectureHeader()
+	private static function addLectureHeader(): bool
 	{
 		$lecture = Database::queryFirst('SELECT o.userid AS ouserid, o.firstname AS ofirstname, o.lastname AS olastname,
 				u.userid AS uuserid, u.firstname AS ufirstname, u.lastname AS ulastname,
@@ -120,7 +132,8 @@ class SubPage
 			$lecture['createtime_s'] = date('d.m.Y H:i', $lecture['createtime']);
 			$lecture['updatetime_s'] = date('d.m.Y H:i', $lecture['updatetime']);
 			$lecture['lastused_s'] = date('d.m.Y H:i', $lecture['lastused']);
-			$lecture['descriptionHtml'] = nl2br(htmlspecialchars($lecture['description']));
+
+			$lecture['descriptionHtml'] = self::mangleHtml($lecture['description']);
 			Render::addTemplate('actionlog-lecture', $lecture);
 		}
 		return $lecture !== false;
@@ -131,7 +144,7 @@ class SubPage
 		// query action log
 		$res = Database::simpleQuery($query, $params);
 		$events = array();
-		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+		foreach ($res as $row) {
 			$row['dateline_s'] = date('d.m.Y H:i', $row['dateline']);
 			if (isset($row['imgname'])) {
 				$row['targeturl'] = '?do=dozmod&section=actionlog&action=showtarget&uuid=' . $row['targetid'];