From 36f74a0dc8fb5edb573e12fc1248dafa3eca3563 Mon Sep 17 00:00:00 2001
From: David Siegfried <david.siegfried@uni-vechta.de>
Date: Wed, 20 Dec 2023 10:33:51 +0000
Subject: [PATCH] make multipersonsearch safe, re #3572

Closes #3585 and #3583

Merge request studip/studip!2468
---
 app/views/resources/booking/index.php                 |  4 ++--
 .../javascripts/studip-jquery.multi-select.tweaks.js  | 11 +++++------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/app/views/resources/booking/index.php b/app/views/resources/booking/index.php
index 3e004ecf2b5..eaeb954db52 100644
--- a/app/views/resources/booking/index.php
+++ b/app/views/resources/booking/index.php
@@ -12,7 +12,7 @@
                          ? $booking->resource->getDerivedClassInstance()
                          : null ?>
     <?= $derived_resource
-      ? $derived_resource->getFullName()
+      ? htmlReady($derived_resource->getFullName())
       : _('unbekannt') ?>
 
     <h3><?= _('Zeiträume') ?></h3>
@@ -117,7 +117,7 @@
             <h3><?= _('Gebucht für:') ?></h3>
             <a href="<?= URLHelper::getScriptLink(
                      'dispatch.php/profile',
-                     ['username' => $booking->assigned_user->username]
+                     ['username' =>$booking->assigned_user->username]
                      ) ?>">
                 <?= htmlReady($booking->assigned_user->getFullName()) ?>
             </a>
diff --git a/resources/assets/javascripts/studip-jquery.multi-select.tweaks.js b/resources/assets/javascripts/studip-jquery.multi-select.tweaks.js
index dd6fc2d083a..f68d2488ca6 100644
--- a/resources/assets/javascripts/studip-jquery.multi-select.tweaks.js
+++ b/resources/assets/javascripts/studip-jquery.multi-select.tweaks.js
@@ -29,7 +29,7 @@ import { $gettext } from './lib/gettext.js';
 (function ($, MultiSelect) {
     'use strict';
 
-    var originals = {
+    const originals = {
         generateLisFromOption: MultiSelect.prototype.generateLisFromOption,
         addOption: MultiSelect.prototype.addOption,
         escapeHTML: MultiSelect.prototype.escapeHTML,
@@ -37,16 +37,15 @@ import { $gettext } from './lib/gettext.js';
     };
 
     MultiSelect.prototype.generateLisFromOption = function (option, index, $container) {
-        var $option       = $(option),
-            chunks        = $option.text().split('--');
-
+        let $option = $(option),
+            chunks = $option.html().split(/\s--\s/);
         if (index === -1) {
             $option.prop('disabled', true);
             index = undefined;
         }
 
         if (chunks.length > 1) {
-            $option.attr('style', 'background-image: url(' + chunks.shift()  + ')');
+            $option.attr('style', 'background-image: url(' + encodeURI(chunks.shift().trim())  + ')');
 
             $option.text(chunks.join("\n"));
 
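Review bot: The escaping added at L65 is still incomplete, because `encodeURI` leaves `(`, `)` and `;` untouched, so a first chunk containing `)` still terminates the `url(` token and whatever follows it becomes further declarations inside the style attribute. Wrapping the value in a CSS string closes that gap, and since `encodeURI` already turns `"`, `\` and newlines into percent escapes no extra escaping is needed: `$option.attr('style', 'background-image: url("' + encodeURI(chunks.shift().trim()) + '")');`. Two consequences of switching from `.text()` to `.html()` at L57 are worth confirming: the first chunk is now entity-encoded, so an image URL with a query string reaches `encodeURI` with `&amp;` instead of `&` and a URL that already contains percent escapes gets its `%` re-encoded; and the remaining chunks written back via `$option.text(...)` at L67 are still entity-encoded, which presumably renders as a literal `&amp;` once the plugin escapes the label again. generateLisFromOption's body continues past the end of the hunk.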
@@ -68,7 +67,7 @@ import { $gettext } from './lib/gettext.js';
     };
 
     MultiSelect.prototype.escapeHTML = function (text) {
-        var result = originals.escapeHTML.call(this, text);
+        const result = originals.escapeHTML.call(this, text);
         return result.replace("\n", '<br>');
     };
 
-- 
GitLab