(security/core#67) Port APIv3's escaping scheme to APIv4

[civicrm-core.git] / Civi / Api4 / Utils / FormattingUtil.php

diff --git a/Civi/Api4/Utils/FormattingUtil.php b/Civi/Api4/Utils/FormattingUtil.php
index b845ea66084389cb26e253535a068077ef29f7f8..f848f5ba2650969b28d0fa09cbcc564fd198db33 100644 (file)
--- a/Civi/Api4/Utils/FormattingUtil.php
+++ b/Civi/Api4/Utils/FormattingUtil.php
@@ -81,6 +81,8 @@ class FormattingUtil {
         $params[$name] = 'null';
       }
     }
+
+    \CRM_Utils_API_HTMLInputCoder::singleton()->encodeRow($params);
   }
 
   /**
@@ -127,6 +129,11 @@ class FormattingUtil {
         $value = date('Ymd', strtotime($value));
         break;
     }
+
+    $hic = \CRM_Utils_API_HTMLInputCoder::singleton();
+    if (!$hic->isSkippedField($fieldSpec['name'])) {
+      $value = $hic->encodeValue($value);
+    }
   }
 
 }