security/core#40 Purify activity details when viewing case activities and case reports

diff --git a/CRM/Case/XMLProcessor/Report.php b/CRM/Case/XMLProcessor/Report.php
index 453f39ecf96579af1447e7b832ed2f5f2ccdf930..720bbbabe70e4167966a1db6572606a284808d76 100644 (file)
--- a/CRM/Case/XMLProcessor/Report.php
+++ b/CRM/Case/XMLProcessor/Report.php
@@ -443,7 +443,7 @@ WHERE      a.id = %1
 
     $activity['fields'][] = array(
       'label' => ts('Details'),
-      'value' => $this->redact(CRM_Utils_String::stripAlternatives($activityDAO->details)),
+      'value' => $this->redact(CRM_Utils_String::purifyHTML(CRM_Utils_String::stripAlternatives($activityDAO->details))),
       'type' => 'Memo',
     );
 

diff --git a/templates/CRM/Case/Form/ActivityView.tpl b/templates/CRM/Case/Form/ActivityView.tpl
index 5a7e78ff63c0d66795c47be283a35413b79dfac9..68979f60a6538fa53ba242d1f38de8e8b29e1cfc 100644 (file)
--- a/templates/CRM/Case/Form/ActivityView.tpl
+++ b/templates/CRM/Case/Form/ActivityView.tpl
@@ -41,7 +41,7 @@
                 {if $parentID}<a class="open-inline-noreturn" href="{crmURL p='civicrm/case/activity/view' h=0 q="cid=$contactID&aid=$parentID"}">&raquo; {ts}Prompted by{/ts}</a>{/if}
               </td>
             {else}
-              <td colspan="2">{if $row.label eq 'Details'}{$row.value|crmStripAlternatives|nl2br}{elseif $row.type eq 'Date'}{$row.value|crmDate}{else}{$row.value}{/if}</td>
+              <td colspan="2">{if $row.label eq 'Details'}{$row.value|crmStripAlternatives|nl2br|purify}{elseif $row.type eq 'Date'}{$row.value|crmDate}{else}{$row.value}{/if}</td>
             {/if}
           </tr>
         {/foreach}