projects / civicrm-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a35c96d)
security/core#1 Escape outputs in report stats
authorSean Madsen <sean@seanmadsen.com>
Sun, 22 Apr 2018 15:07:56 +0000 (11:07 -0400)
committerTim Otten <totten@civicrm.org>
Wed, 18 Jul 2018 20:51:54 +0000 (13:51 -0700)
templates/CRM/Report/Form/Statistics.tpl patch | blob | blame | history
templates/CRM/Report/Form/Tabs/Developer.tpl patch | blob | blame | history

diff --git a/templates/CRM/Report/Form/Statistics.tpl b/templates/CRM/Report/Form/Statistics.tpl
index 86359c15cde213720f2f076686bb97a538aec4a5..09cd260176b80f555da3558ab563ca2ab038c7bb 100644 (file)
--- a/templates/CRM/Report/Form/Statistics.tpl
+++ b/templates/CRM/Report/Form/Statistics.tpl
@@ -33,13 +33,13 @@
       {foreach from=$statistics.groups item=row}
         <tr>
           <th class="statistics" scope="row">{$row.title}</th>
-          <td>{$row.value}</td>
+          <td>{$row.value|escape}</td>
         </tr>
       {/foreach}
       {foreach from=$statistics.filters item=row}
         <tr>
           <th class="statistics" scope="row">{$row.title}</th>
-          <td>{$row.value}</td>
+          <td>{$row.value|escape}</td>
         </tr>
       {/foreach}
     </table>
@@ -53,11 +53,11 @@
         <th class="statistics" scope="row">{$row.title}</th>
         <td>
           {if $row.type eq 1024}
-            {$row.value|crmMoney}
+            {$row.value|crmMoney|escape}
           {elseif $row.type eq 2}
-            {$row.value}
+            {$row.value|escape}
           {else}
-            {$row.value|crmNumberFormat}
+            {$row.value|crmNumberFormat|escape}
           {/if}
 
         </td>
diff --git a/templates/CRM/Report/Form/Tabs/Developer.tpl b/templates/CRM/Report/Form/Tabs/Developer.tpl
index 774f5c7b5f39282b8271cb59c3a0ebd09efd968b..dd2f3a195d2e047649b44e57e9d8780a4a8adf48 100644 (file)
--- a/templates/CRM/Report/Form/Tabs/Developer.tpl
+++ b/templates/CRM/Report/Form/Tabs/Developer.tpl
@@ -1,4 +1,4 @@
 <div id="report-tab-set-developer" class="civireport-criteria">
   <p><b>{ts}Class used{/ts}: {$report_class}</b></p>
-  <pre>{$sql}</pre>
+  <pre>{$sql|purify}</pre>
 </div>