security/core#81 Escape html in CRM_Core_LegacyErrorHandler messages

author Coleman Watts <coleman@civicrm.org>

Tue, 12 May 2020 14:14:32 +0000 (10:14 -0400)

committer Seamus Lee <seamuslee001@gmail.com>

Wed, 19 Aug 2020 06:16:57 +0000 (16:16 +1000)
author Coleman Watts <coleman@civicrm.org>
Tue, 12 May 2020 14:14:32 +0000 (10:14 -0400)
committer Seamus Lee <seamuslee001@gmail.com>
Wed, 19 Aug 2020 06:16:57 +0000 (16:16 +1000)
diff --git a/CRM/Core/LegacyErrorHandler.php b/CRM/Core/LegacyErrorHandler.php

index f82b3ce6d3d2f9f2b72ff42be5118f085d54fc5c..de515ecee12ec0d5bd6ef988e742e1c24a3738b6 100644 (file)
--- a/CRM/Core/LegacyErrorHandler.php
+++ b/CRM/Core/LegacyErrorHandler.php
@@ -16,9 +16,9 @@ class CRM_Core_LegacyErrorHandler {
        $message = $e->getMessage();
        $session = CRM_Core_Session::singleton();
        $session->setStatus(
-        $message,
-        CRM_Utils_Array::value('message_title', $params),
-        CRM_Utils_Array::value('message_type', $params, 'error')
+        htmlspecialchars($message),
+        htmlspecialchars($params['message_title'] ?? ts('Error')),
+        $params['message_type'] ?? 'error'
        );
      }
    }
author	Coleman Watts <coleman@civicrm.org>
	Tue, 12 May 2020 14:14:32 +0000 (10:14 -0400)
committer	Seamus Lee <seamuslee001@gmail.com>
	Wed, 19 Aug 2020 06:16:57 +0000 (16:16 +1000)