From 93bc14d1027a709502f9f82d142b7a1696984466 Mon Sep 17 00:00:00 2001
From: marcos <marcos.alconada@artica.es>
Date: Tue, 9 Jun 2020 11:40:39 +0200
Subject: [PATCH] fixed vulnerabilty on events comments

---
 pandora_console/include/ajax/events.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pandora_console/include/ajax/events.php b/pandora_console/include/ajax/events.php
index 60c74e9731..0ac931aef1 100644
--- a/pandora_console/include/ajax/events.php
+++ b/pandora_console/include/ajax/events.php
@@ -1088,10 +1088,18 @@ if ($dialogue_event_response) {
 }
 
 if ($add_comment) {
+    $aviability_comment = true;
     $comment = get_parameter('comment');
+    if (preg_match('<script>', io_safe_output($comment))) {
+        $aviability_comment = false;
+        $return = false;
+    }
+
     $event_id = get_parameter('event_id');
 
-    $return = events_comment($event_id, $comment, 'Added comment', $meta, $history);
+    if ($aviability_comment !== false) {
+        $return = events_comment($event_id, $comment, 'Added comment', $meta, $history);
+    }
 
     if ($return) {
         echo 'comment_ok';