From: Sean Madsen Date: Sun, 22 Apr 2018 02:11:56 +0000 (-0400) Subject: Add HTML purification to status messages X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=d1134220ff7fc1ce3227c7c17c568be1f229307c;p=civicrm-core.git Add HTML purification to status messages This is a security protection measure that protects us just a little bit more against XSS.
---
diff --git a/CRM/Core/Session.php b/CRM/Core/Session.php
index ccadd74bcd..7c1c1a42a1 100644
--- a/CRM/Core/Session.php
+++ b/CRM/Core/Session.php
@@ -471,6 +471,10 @@ class CRM_Core_Session {
 $session = self::singleton();
 $session->initialize();
+ // Sanitize any HTML we're displaying. This helps prevent reflected XSS in error messages.
+ $text = CRM_Utils_String::purifyHTML($text);
+ $title = CRM_Utils_String::purifyHTML($title);
+
 // default options
 $options += array('unique' => TRUE);
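Review bot: The contract change introduced by the two `CRM_Utils_String::purifyHTML` calls is not reflected in the docblock of the enclosing method (presumably setStatus; its signature and docblock lie above the hunk), so callers cannot tell that `$text` and `$title` are now interpreted as HTML and filtered before being stored in the session. The docblock should say so, e.g. `@param string $text Message body; treated as HTML and run through CRM_Utils_String::purifyHTML before storage` and the same wording for `$title`, so that callers building messages from user-supplied data still escape it themselves and do not rely on the purifier as an escaping step or expect arbitrary markup to survive. The added comment could also name the limit of the measure, e.g. `// Defence in depth only: callers remain responsible for escaping untrusted values they interpolate.`. Whether purifyHTML tolerates a non-string `$title` (the default value and any NULL callers pass are not visible here) should be confirmed before relying on it in every call path.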