Fix help encoding CRM-12324

author Coleman Watts <coleman@civicrm.org>

Thu, 11 Apr 2013 16:48:44 +0000 (09:48 -0700)

committer Coleman Watts <coleman@civicrm.org>

Thu, 11 Apr 2013 17:56:55 +0000 (10:56 -0700)
author Coleman Watts <coleman@civicrm.org>
Thu, 11 Apr 2013 16:48:44 +0000 (09:48 -0700)
committer Coleman Watts <coleman@civicrm.org>
Thu, 11 Apr 2013 17:56:55 +0000 (10:56 -0700)
diff --git a/CRM/Core/Smarty/plugins/function.help.php b/CRM/Core/Smarty/plugins/function.help.php

index 0800231583efb55fcccf25dd6d7d690554f6cc86..f963ff43575a69ad661c4c68b82a6f0a0d9a9486 100644 (file)
--- a/CRM/Core/Smarty/plugins/function.help.php
+++ b/CRM/Core/Smarty/plugins/function.help.php
@@ -66,11 +66,15 @@ function smarty_function_help($params, &$smarty) {
    else {
      $name = trim(strip_tags($params['title']));
    }
-  $title = ts('%1 Help', array(1 => $name));
-  unset($params['text'], $params['title']);
+  // Escape for html
+  $title = htmlspecialchars(ts('%1 Help', array(1 => $name)));
+  // Escape for html and js
+  $name = htmlspecialchars(json_encode($name), ENT_QUOTES);
+
    // Format params to survive being passed through json & the url
+  unset($params['text'], $params['title']);
    foreach ($params as &$param) {
      $param = is_bool($param) || is_numeric($param) ? (int) $param : (string) $param;
    }
-  return '<a class="helpicon" title="' . $title . '" href="#" onclick=\'CRM.help("' . $name . '", ' . json_encode($params) . '); return false;\'>&nbsp;</a>';
+  return '<a class="helpicon" title="' . $title . '" href="#" onclick=\'CRM.help(' . $name . ', ' . json_encode($params) . '); return false;\'>&nbsp;</a>';
  }
author	Coleman Watts <coleman@civicrm.org>
	Thu, 11 Apr 2013 16:48:44 +0000 (09:48 -0700)
committer	Coleman Watts <coleman@civicrm.org>
	Thu, 11 Apr 2013 17:56:55 +0000 (10:56 -0700)