From: Seamus Lee Date: Sun, 9 Feb 2020 08:32:48 +0000 (+1100) Subject: security/core#40 Purify activity details when viewing case activities and case reports X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=504ab71eb6c47debe50fc671afa497a9415b5a31;p=civicrm-core.git security/core#40 Purify activity details when viewing case activities and case reports
---
diff --git a/CRM/Case/XMLProcessor/Report.php b/CRM/Case/XMLProcessor/Report.php
index 183aa0bf93..c4fcba5670 100644
--- a/CRM/Case/XMLProcessor/Report.php
+++ b/CRM/Case/XMLProcessor/Report.php
@@ -461,7 +461,7 @@ WHERE a.id = %1
 $activity['fields'][] = array(
 'name' => 'Details',
 'label' => ts('Details'),
- 'value' => $this->redact(CRM_Utils_String::stripAlternatives($activityDAO->details)),
+ 'value' => $this->redact(CRM_Utils_String::purifyHTML(CRM_Utils_String::stripAlternatives($activityDAO->details))),
 'type' => 'Memo',
 );
diff --git a/templates/CRM/Case/Form/ActivityView.tpl b/templates/CRM/Case/Form/ActivityView.tpl
index 5a7e78ff63..68979f60a6 100644
--- a/templates/CRM/Case/Form/ActivityView.tpl
+++ b/templates/CRM/Case/Form/ActivityView.tpl
@@ -41,7 +41,7 @@
 {if $parentID}» {ts}Prompted by{/ts}{/if}
 {else}
- {if $row.label eq 'Details'}{$row.value|crmStripAlternatives|nl2br}{elseif $row.type eq 'Date'}{$row.value|crmDate}{else}{$row.value}{/if}
+ {if $row.label eq 'Details'}{$row.value|crmStripAlternatives|nl2br|purify}{elseif $row.type eq 'Date'}{$row.value|crmDate}{else}{$row.value}{/if}
 {/if}
 {/foreach}
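Review bot: On the `+` line in the Report.php hunk, `CRM_Utils_String::purifyHTML` runs before `$this->redact()`, so redaction operates on already-purified markup: if the purifier entity-encodes characters in the text (`&`, quotes) a redaction target containing them may no longer match, and any text the redaction substitutes in never passes through the purifier. Making the sanitiser the outermost call mirrors the template hunk in this same commit, where `|purify` is the last modifier: `'value' => CRM_Utils_String::purifyHTML($this->redact(CRM_Utils_String::stripAlternatives($activityDAO->details))),`. Whether `redact()` is actually affected depends on its implementation, which is outside the hunk, as are the start and end of the enclosing method. A one-line comment above the field, such as `// Purify last: details may contain stored user-supplied HTML`, would record why the call order matters.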
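Review bot: The `+` line in the ActivityView.tpl hunk places `|purify` last in the modifier chain, after `nl2br`, which is the correct position because no later modifier can reintroduce markup; this intent should be written down so a future edit does not append another modifier after it, e.g. `{* purify must remain the last modifier applied to Details *}` on the line above. If this row's value is also produced by CRM_Case_XMLProcessor_Report, which the other hunk now purifies, the Details value is sanitised twice — harmless, but a note in one of the two places would make the intended point of sanitisation clear. The `{elseif}` and `{else}` branches on the same line are untouched by this commit, and whether they rely on template-level escaping cannot be determined from the hunk. The enclosing `{foreach}` begins outside the hunk.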