$params = $field->getAttribute('data-api-params');
$params = $params ? json_decode($params, TRUE) : array();
$result = civicrm_api3($entity, 'getlist', array('id' => $val) + $params);
+ // Purify label output of entityreference fields
+ if (!empty($result['values'])) {
+ foreach ($result['values'] as &$res) {
+ if (!empty($res['label'])) {
+ $res['label'] = CRM_Utils_String::purifyHTML($res['label']);
+ }
+ }
+ }
if ($field->isFrozen()) {
// Prevent js from treating frozen entityRef as a "live" field
$field->removeAttribute('class');
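Review bot: The `foreach ($result['values'] as &$res)` loop leaves `$res` bound by reference to the last element of `$result['values']` after it finishes, so any later assignment to `$res` in this function would silently overwrite that entry; add `unset($res);` directly after the loop's closing brace. The purification covers only `label`, so if other keys of the getlist rows are also rendered as HTML further down, they would still be emitted unpurified; that use is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk, so neither point can be checked against the rest of its body from this view.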