security/core#94 Escape subject content when loading the Activity list for a contact
authorSeamus Lee <seamuslee001@gmail.com>
Wed, 15 Jul 2020 03:00:33 +0000 (13:00 +1000)
committerSeamus Lee <seamuslee001@gmail.com>
Wed, 19 Aug 2020 06:16:57 +0000 (16:16 +1000)
templates/CRM/Activity/Selector/Selector.tpl

index ffb235266b9b01db7122fd5960f86b4778fa30fb..4817467ee5cc16e28ad0168db7a4eb6b89fa0069 100644 (file)
@@ -50,7 +50,7 @@
 
   {literal}
     <script type="text/javascript">
-      (function($) {
+      (function($, _) {
         var context = {/literal}"{$context}"{literal};
         CRM.$('table.contact-activity-selector-' + context).data({
           "ajax": {
           }
         });
         $(function($) {
+          $('table.contact-activity-selector-' + context).on('xhr.dt', function(e, settings, json, xhr) {
+            for (var i=0, ien=json.data.length; i<ien; i++) {
+              json.data[i].subject = _.escape(json.data[i].subject);
+            }
+          });
           $('.activity-search-options :input').change(function(){
-            CRM.$('table.contact-activity-selector-' + context).DataTable().draw();
+            $('table.contact-activity-selector-' + context).DataTable().draw();
           });
         });
-      })(CRM.$);
+      })(CRM.$, CRM._);
     </script>
   {/literal}
   <style type="text/css">
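Review bot: The new `xhr.dt` handler dereferences `json.data.length` unconditionally, but DataTables fires this event with a null `json` argument when the Ajax request fails, so a server-side error would surface as a TypeError inside the escaping loop instead of reaching DataTables' own error handling; guard it with `if (!json || !Array.isArray(json.data)) { return; }` before the `for` loop. Only `subject` is entity-encoded here, and whether the other fields of each row object (activity type, contact names, status) are already escaped server-side or by their column renderers is not visible in this hunk and should be confirmed, since they come from the same response. It is also worth confirming that the server does not already HTML-escape `subject`, because `_.escape` would then double-encode `&amp;` and the list would show literal entities. Escaping at the data level means any later consumer of `json.data` (row callbacks, exports) sees encoded text, whereas a DataTables column `render` callback on the subject column would scope the escaping to the HTML output path. The enclosing `<script>` IIFE lies entirely within the hunk.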