From a87abbb24f77d5115138e90c5b51bfeec336db0b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Joshua=20R=C3=BCsweg?=
Date: Mon, 6 Aug 2018 15:19:10 +0200
Subject: [PATCH] Check data key and sanitize value for getDataAttributes
See #2508
---
 .../files/lib/system/reaction/ReactionHandler.class.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/wcfsetup/install/files/lib/system/reaction/ReactionHandler.class.php b/wcfsetup/install/files/lib/system/reaction/ReactionHandler.class.php
index 3f2326c6d0..fd0017b67e 100644
--- a/wcfsetup/install/files/lib/system/reaction/ReactionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/reaction/ReactionHandler.class.php
@@ -26,6 +26,7 @@ use wcf\system\SingletonFactory;
 use wcf\system\user\notification\UserNotificationHandler;
 use wcf\system\WCF;
 use wcf\util\JSON;
+use wcf\util\StringUtil;
 /**
  * Handles the reactions of objects.
@@ -135,11 +136,15 @@ class ReactionHandler extends SingletonFactory {
 $returnDataAttributes = '';
 foreach ($dataAttributes as $key => $value) {
+ if (!preg_match('/^[a-z0-9-]+$/', $key)) {
+ throw new \RuntimeException("Invalid key '". $key ."' for data attribute.");
+ }
+
 if (!empty($returnDataAttributes)) {
 $returnDataAttributes .= ' ';
 }
- $returnDataAttributes .= 'data-'. $key .'="'. $value .'"';
+ $returnDataAttributes .= 'data-'. $key .'="'. StringUtil::encodeHTML($value) .'"';
 }
 return $returnDataAttributes;
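Review bot: The new key check `preg_match('/^[a-z0-9-]+$/', $key)` still accepts a key that ends in a newline, because `$` without the `D` modifier also matches before a trailing `\n`, and the key is then concatenated unescaped into the attribute name; tighten it to `if (!preg_match('/^[a-z0-9-]+$/D', $key)) {`. The same unvalidated key is also interpolated raw into the exception message, which is harmless for the HTML output but worth keeping in mind if that message is ever rendered. The value side now goes through `StringUtil::encodeHTML`, which I take to escape double quotes for the `"`-delimited attribute, but that helper is outside this diff and should be confirmed. The enclosing method starts before this hunk, so the origin and trust level of `$dataAttributes` are not visible here.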
@@ -316,7 +321,7 @@ class ReactionHandler extends SingletonFactory {
 if (UserActivityEventHandler::getInstance()->getObjectTypeID($likeable->getObjectType()->objectType.'.recentActivityEvent')) {
 $objectType = ObjectTypeCache::getInstance()->getObjectTypeByName('com.woltlab.wcf.user.recentActivityEvent', $likeable->getObjectType()->objectType.'.recentActivityEvent');
- if ($objectType->supportReactions) {
+ if ($objectType->supportsReactions) {
 if ($like->likeID) {
 UserActivityEventHandler::getInstance()->removeEvent($likeable->getObjectType()->objectType . '.recentActivityEvent', $likeable->getObjectID(), $user->userID);
 }
-- 
2.20.1