From b1e847f11d47ba7123283d9474b2bbd64e231532 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Fri, 30 Sep 2022 11:17:02 +0000
Subject: [PATCH] correctly encode output, fixes #1619

Closes #1619

Merge request studip/studip!1047
---
 lib/models/LogEvent.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/models/LogEvent.php b/lib/models/LogEvent.php
index 2e83590da9f..7205dbac5e5 100644
--- a/lib/models/LogEvent.php
+++ b/lib/models/LogEvent.php
@@ -240,7 +240,7 @@ class LogEvent extends SimpleORMap implements PrivacyObject
             return $this->$field;
         }
 
-        return '<em>' . $study_area->getPath(' &gt ') . '</em>';
+        return '<em>' . htmlReady($study_area->getPath(' > ')) . '</em>';
     }
 
     /**
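Review bot: The early `return $this->$field;` at the top of this hunk still hands back the raw field value, and so does the `: $this->$field` branch of the ternary in the plugin hunk, while the semester hunk now escapes its fallback with `htmlReady($this->$field)`. After this commit the three formatters disagree on whether an unresolved value is HTML-safe, and the unresolved case is the one where the stored value goes straight through. Assuming the caller embeds these return values in markup without further encoding (the caller is not visible here), both fallbacks should become `return htmlReady($this->$field);` and `: htmlReady($this->$field);`. The enclosing methods begin outside the hunks, so any earlier return paths in them should be checked the same way.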
@@ -265,8 +265,7 @@ class LogEvent extends SimpleORMap implements PrivacyObject
         $plugin_manager = PluginManager::getInstance();
         $plugin_info = $plugin_manager->getPluginInfoById($this->$field);
 
-        return $plugin_info ? '<em>'
-                . $plugin_info['name'] . '</em>' : $this->$field;
+        return $plugin_info ? '<em>' . htmlReady($plugin_info['name']) . '</em>' : $this->$field;
     }
 
     /**
@@ -280,10 +279,10 @@ class LogEvent extends SimpleORMap implements PrivacyObject
         $all_semester = Semester::findAllVisible(false);
         foreach ($all_semester as $val) {
             if (!empty($val['beginn']) && ($val['beginn'] == $this->$field)) {
-                return '<em>' . $val['name'] . '</em>';
+                return '<em>' . htmlReady($val['name']) . '</em>';
             }
         }
-        return $this->$field;
+        return htmlReady($this->$field);
     }
 
     /**
-- 
GitLab