(parent:
fa9a2fb
)
Add HTML purification to status messages
author
Sean Madsen
<sean@seanmadsen.com>
Sun, 22 Apr 2018 02:11:56 +0000
(22:11 -0400)
committer
Tim Otten
<totten@civicrm.org>
Wed, 18 Jul 2018 21:55:05 +0000
(14:55 -0700)
This is a defence-in-depth measure: it gives us a little more protection against XSS.
CRM/Core/Session.php
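--- a/CRM/Core/Session.php
+++ b/CRM/Core/Session.php
@@ -471,6 +471,10 @@ class CRM_Core_Session {
 $session = self::singleton();
 $session->initialize();
+// Sanitize any HTML we're displaying. This helps prevent reflected XSS in error messages.
+$text = CRM_Utils_String::purifyHTML($text);
+$title = CRM_Utils_String::purifyHTML($title);
+
 // default options
 $options += array('unique' => TRUE);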
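Review bot: The two purifyHTML() calls on the added lines run unconditionally on `$text` and `$title`, while setStatus's signature and its validation of the other parameters sit outside this hunk, so it should be confirmed that both values are always strings at this point; if NULL or a non-string can reach here, a guard like `if (is_string($text)) { $text = CRM_Utils_String::purifyHTML($text); }` (and the same for `$title`) keeps those callers behaving as before. Purifying on the way in only covers messages that pass through setStatus; anything placed in the session's status list by another path, or stored before this change, is not covered, so the rendering side should not treat this as the sole defence. If purifyHTML is a whitelist-style HTML filter, as its name suggests, rather than a contextual escape, callers that interpolate untrusted values into `$text` still need to escape them at the interpolation point. The function's docblock should state the new contract, e.g. `$text and $title are passed through CRM_Utils_String::purifyHTML(); markup the purifier does not allow is stripped, so callers cannot rely on arbitrary HTML surviving.`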