CRM-16995: Addressed XSS vulnerability.
authorFrank J. Gómez <frank@ginkgostreet.com>
Wed, 12 Aug 2015 18:49:24 +0000 (14:49 -0400)
committerFrank J. Gómez <frank@ginkgostreet.com>
Wed, 12 Aug 2015 18:49:24 +0000 (14:49 -0400)
Civi/Angular/Page/Main.php
templates/Civi/Angular/Page/Main.tpl

index 8f60319f5695eaea103c9d4cb9a19ebc709b29b7..c06d52f55f3a5cf840be1bed51509efcdf515f5b 100644 (file)
@@ -109,9 +109,12 @@ class Main extends \CRM_Core_Page {
       }
     }
 
-    // Set the location hash so that Angular knows which page it is trying to load.
-    $route = \CRM_Utils_Request::retrieve('route', 'String');
-    $this->assign("route", $route);
+    // If trying to load an Angular page via AJAX, the route must be passed as a
+    // URL parameter, since PHP doesn't know about URL fragments (i.e, what
+    // comes after the #).
+    \CRM_Core_Resources::singleton()->addSetting(array(
+      'angularRoute' => \CRM_Utils_Request::retrieve('route', 'String'),
+    ));
   }
 
 }
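Review bot: The new code no longer interpolates `route` into a script body, but nothing in this hunk constrains the value either: the `'String'` argument to `\CRM_Utils_Request::retrieve()` on the `angularRoute` line is a type check, not a format check, and the XSS protection now rests entirely on `addSetting()` serialising the value as JSON, which this hunk does not show. Since `route` is request-controlled and ends up in `location.hash`, I would pin the expected shape before handing it to the client, e.g. `$route = \CRM_Utils_Request::retrieve('route', 'String');` followed by `if ($route !== NULL && !preg_match('#^/[A-Za-z0-9_/\-]*$#', $route)) { $route = NULL; }` (adjust the pattern to the routes the app actually defines) and then pass `$route` into the `addSetting()` array. A short why-comment on the setting would also help the next maintainer: `// Exposed via CRM.angularRoute (JSON-encoded by addSetting) rather than interpolated into the template — see CRM-16995.` The enclosing method begins outside this hunk, so I cannot see whether `route` is validated earlier.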
index c547e66f15d3c9bd93e40fe2afe2ccbc8e6723a5..4918da28aec034e409212a4fc6362e71c4cec21e 100644 (file)
@@ -1,9 +1,10 @@
-{if $route}
-  <script type="text/javascript">
-    location.hash = '{$route}';
-  </script>
-{/if}
 {literal}
+<script type="text/javascript">
+  if (CRM.hasOwnProperty('angularRoute') && CRM.angularRoute) {
+    location.hash = CRM.angularRoute;
+  }
+</script>
+
 <div ng-app="crmApp">
   <div ng-view></div>
 </div>
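Review bot: The script is now inside the `{literal}` block and reads the route from `CRM.angularRoute` instead of a Smarty variable, which is the point of the fix, but nothing says so, and a later edit that moves the script back above `{literal}` or reintroduces a `{$...}` inside it would silently reopen CRM-16995. I would add a template comment just before the `<script>` tag: `{* Keep this script inside {literal} and free of template variables: the route is delivered as a JSON-encoded CRM setting, never interpolated into JS (CRM-16995). *}`. Assigning a request-controlled string to `location.hash` does not execute script, but it still lets a link choose any fragment the Angular router will act on; if that is not intended, a client-side shape check such as `if (typeof CRM.angularRoute === 'string' && CRM.angularRoute.charAt(0) === '/')` in place of the truthiness test would be cheap defence in depth.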