Merge pull request #13197 from seamuslee001/lab_core_442
[civicrm-core.git] / CRM / Core / Session.php
index b81cc961f0f96b95a715fc3ea6f9a2b47a50f27f..f618c8d3a1a0ded7e5a1b463dc1f6bacc2110faf 100644 (file)
@@ -114,9 +114,8 @@ class CRM_Core_Session {
         if ($isRead) {
           return;
         }
-        $config =& CRM_Core_Config::singleton();
         // FIXME: This belongs in CRM_Utils_System_*
-        if ($config->userSystem->is_drupal && function_exists('drupal_session_start')) {
+        if (CRM_Core_Config::singleton()->userSystem->is_drupal && function_exists('drupal_session_start')) {
           // https://issues.civicrm.org/jira/browse/CRM-14356
           if (!(isset($GLOBALS['lazy_session']) && $GLOBALS['lazy_session'] == TRUE)) {
             drupal_session_start();
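Review bot: The removed `$config =& CRM_Core_Config::singleton();` assignment was a method-scoped local, and this method continues past the end of the hunk, so any later read of `$config` in the same body would now hit an undefined variable rather than the config object; worth confirming against the full method before merging. The inlined `CRM_Core_Config::singleton()->userSystem->is_drupal` is otherwise equivalent since the singleton is the same instance either way. While touching this block, the adjacent `$GLOBALS['lazy_session'] == TRUE` context line is a loose comparison that a reviewer would normally want as `$GLOBALS['lazy_session'] === TRUE`, though that is pre-existing and not part of this change.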
@@ -471,6 +470,10 @@ class CRM_Core_Session {
     $session = self::singleton();
     $session->initialize();
 
+    // Sanitize any HTML we're displaying. This helps prevent reflected XSS in error messages.
+    $text = CRM_Utils_String::purifyHTML($text);
+    $title = CRM_Utils_String::purifyHTML($title);
+
     // default options
     $options += array('unique' => TRUE);