WebCalendar is a PHP application used to maintain a calendar for a single user or an intranet group of users. It can also be configured as an event calendar.
If a username has a special character (such as a period, which is common in usernames), it is not possible to edit a group containing that user. This patch fixes that. Now, the username can safely contain anything but a double quote.
For true safety, it may also be beneficial to backslash-escape any double quotes as well, but I don't think that should be strictly required as usernames probably shouldn't contain double quotes anyway, and I don't think the bug is exploitable for XSS in this particular context either.