Add HTML purification to status messages

author Sean Madsen <sean@seanmadsen.com>

Sun, 22 Apr 2018 02:11:56 +0000 (22:11 -0400)

committer Tim Otten <totten@civicrm.org>

Wed, 18 Jul 2018 20:51:53 +0000 (13:51 -0700)
author Sean Madsen <sean@seanmadsen.com>
Sun, 22 Apr 2018 02:11:56 +0000 (22:11 -0400)
committer Tim Otten <totten@civicrm.org>
Wed, 18 Jul 2018 20:51:53 +0000 (13:51 -0700)
diff --git a/CRM/Core/Session.php b/CRM/Core/Session.php

index ccadd74bcda457240cbbfc7d97c12a90654b3a52..7c1c1a42a1a3f3922712c94cf92ea47c73157822 100644 (file)
--- a/CRM/Core/Session.php
+++ b/CRM/Core/Session.php
@@ -471,6 +471,10 @@ class CRM_Core_Session {
      $session = self::singleton();
      $session->initialize();
  
+    // Sanitize any HTML we're displaying. This helps prevent reflected XSS in error messages.
+    $text = CRM_Utils_String::purifyHTML($text);
+    $title = CRM_Utils_String::purifyHTML($title);
+
      // default options
      $options += array('unique' => TRUE);
author	Sean Madsen <sean@seanmadsen.com>
	Sun, 22 Apr 2018 02:11:56 +0000 (22:11 -0400)
committer	Tim Otten <totten@civicrm.org>
	Wed, 18 Jul 2018 20:51:53 +0000 (13:51 -0700)