CRM-16821. Improve output escaping from CRM_Core_Error.
authorChris Burgess <chris@giantrobot.co.nz>
Thu, 9 Jul 2015 04:51:22 +0000 (16:51 +1200)
committerChris Burgess <chris@giantrobot.co.nz>
Thu, 9 Jul 2015 05:17:08 +0000 (17:17 +1200)
CRM/Core/Error.php
CRM/Core/Payment.php

index bac07e05d3e8d1197b51d43f08df7b2845954692..3afdd9b2067cfc8db54fb41ceb5d26370ab0a14f 100644 (file)
@@ -312,7 +312,7 @@ class CRM_Core_Error extends PEAR_ErrorStack {
    */
   public static function fatal($message = NULL, $code = NULL, $email = NULL) {
     $vars = array(
-      'message' => $message,
+      'message' => htmlspecialchars($message),
       'code' => $code,
     );
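Review bot: `htmlspecialchars($message)` on the added line relies on the default flags and charset, so single quotes are left unescaped and the encoding follows the ini default; for an escaping fix it is worth spelling out as `'message' => htmlspecialchars($message, ENT_QUOTES, 'UTF-8'),`, and the same applies to the debug-output line in the third hunk of this file. fatal() now escapes every message unconditionally, so callers that pass markup in the message — the `<br />` in the CRM/Core/Payment.php hunk below is one — will see it displayed literally; the docblock should say so, e.g. `@param string $message Plain text; it is HTML-escaped before rendering, so callers must not pass markup.` fatal() continues past the hunk.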
 
@@ -378,6 +378,7 @@ class CRM_Core_Error extends PEAR_ErrorStack {
     }
 
     $template = CRM_Core_Smarty::singleton();
+
     $template->assign($vars);
 
     $config->userSystem->outputError($template->fetch($config->fatalErrorTemplate));
@@ -583,7 +584,8 @@ class CRM_Core_Error extends PEAR_ErrorStack {
 
     $file_log = self::createDebugLogger($comp);
     $file_log->log("$message\n");
-    $str = "<p/><code>$message</code>";
+
+    $str = '<p/><code>' . htmlspecialchars($message) . '</code>';
     if ($out && CRM_Core_Permission::check('view debug output')) {
       echo $str;
     }
index 2cb276b4597c0a7c21b70c78b4a9e9dabd7f562f..04238bcecd45583cca5452e43f7cd9993623aac2 100644 (file)
@@ -582,9 +582,7 @@ abstract class CRM_Core_Payment {
         $params['processor_id'] = $_GET['processor_id'] = $lastParam;
       }
       else {
-        throw new CRM_Core_Exception("Either 'processor_id' (recommended) or 'processor_name' (deprecated) is
-        required
-        for payment callback");
+        throw new CRM_Core_Exception("Either 'processor_id' (recommended) or 'processor_name' (deprecated) is required for payment callback.");
       }
     }
 
@@ -599,7 +597,7 @@ abstract class CRM_Core_Payment {
     if (isset($params['processor_id'])) {
       $sql .= " WHERE pp.id = %2";
       $args[2] = array($params['processor_id'], 'Integer');
-      $notFound = "No active instances of payment processor ID#'{$params['processor_id']}'  were found.";
+      $notFound = ts("No active instances of payment processor %1 were found.", array(1 => $params['processor_id']));
     }
     else {
       // This is called when processor_name is passed - passing processor_id instead is recommended.
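Review bot: The `%1` value on the added line is `$params['processor_id']`, which the previous hunk shows being taken from the URL (`$_GET['processor_id']`), and as far as I can tell ts() substitution does not HTML-escape its arguments, so `$notFound` still carries untrusted text and its safety depends on whoever renders it outside this hunk. Since the next line already binds the same value as `'Integer'`, casting it in the message costs nothing and makes the string safe regardless of consumer: `array(1 => (int) $params['processor_id'])`. The `processor_name` message in the next hunk has the same shape but is a string that cannot be cast, so that one relies on the renderer escaping it. The enclosing function starts and ends outside the hunk.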
@@ -609,7 +607,7 @@ abstract class CRM_Core_Payment {
         'Integer',
       );
       $args[2] = array($params['processor_name'], 'String');
-      $notFound = "No active instances of the '{$params['processor_name']}' payment processor were found.";
+      $notFound = ts("No active instances of payment processor '%1' were found.", array(1 => $params['processor_name']));
     }
 
     $dao = CRM_Core_DAO::executeQuery($sql, $args);
@@ -655,10 +653,9 @@ abstract class CRM_Core_Payment {
     }
 
     if (!$extension_instance_found) {
-      CRM_Core_Error::fatal(
-        "No extension instances of the '{$params['processor_name']}' payment processor were found.<br />" .
-        "$method method is unsupported in legacy payment processors."
-      );
+      $message = "No extension instances of the '%1' payment processor were found.<br />" .
+        "%2 method is unsupported in legacy payment processors.";
+      CRM_Core_Error::fatal(ts($message, array(1 => $params['processor_name'], 2 => $method)));
     }
   }
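Review bot: The `<br />` kept in the new `$message` will be rendered as literal text once this commit's change to `CRM_Core_Error::fatal()` escapes its argument, so the markup should give way to plain punctuation. Routing the format string through a variable also likely hides it from the translation string extractor, which looks for literals inside ts(); passing the literal directly fixes both: `CRM_Core_Error::fatal(ts("No extension instances of the '%1' payment processor were found. %2 method is unsupported in legacy payment processors.", array(1 => $params['processor_name'], 2 => $method)));`. The enclosing function starts outside the hunk.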