From 09adb67dbff4bb27fd3bf8baf508573725a7766e Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Thu, 6 Aug 2020 06:31:22 +1000
Subject: [PATCH] security/core#95 Purify Summary and description fields for
 events on the event info and event cart screens

---
 templates/CRM/Event/Page/EventInfo.tpl | 4 ++--
 templates/CRM/Event/Page/List.tpl      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/CRM/Event/Page/EventInfo.tpl b/templates/CRM/Event/Page/EventInfo.tpl
index 38a9beaba2..4b858973e4 100644
--- a/templates/CRM/Event/Page/EventInfo.tpl
+++ b/templates/CRM/Event/Page/EventInfo.tpl
@@ -89,12 +89,12 @@
 
   {if $event.summary}
       <div class="crm-section event_summary-section">
-        {$event.summary}
+        {$event.summary|purify}
       </div>
   {/if}
   {if $event.description}
       <div class="crm-section event_description-section summary">
-          {$event.description}
+          {$event.description|purify}
       </div>
   {/if}
   <div class="clear"></div>
diff --git a/templates/CRM/Event/Page/List.tpl b/templates/CRM/Event/Page/List.tpl
index e5f5fa182f..4cbf20b541 100644
--- a/templates/CRM/Event/Page/List.tpl
+++ b/templates/CRM/Event/Page/List.tpl
@@ -30,7 +30,7 @@
     {foreach from=$events key=uid item=event}
       <tr class="{cycle values="odd-row,even-row"} {$row.class}">
         <td><a href="{crmURL p='civicrm/event/info' q="reset=1&id=`$event.event_id`"}" title="{ts}read more{/ts}"><strong>{$event.title}</strong></a></td>
-        <td>{if $event.summary}{$event.summary} (<a href="{crmURL p='civicrm/event/info' q="reset=1&id=`$event.event_id`"}" title="{ts}details...{/ts}">{ts}read more{/ts}...</a>){else}&nbsp;{/if}</td>
+        <td>{if $event.summary}{$event.summary|purify} (<a href="{crmURL p='civicrm/event/info' q="reset=1&id=`$event.event_id`"}" title="{ts}details...{/ts}">{ts}read more{/ts}...</a>){else}&nbsp;{/if}</td>
         <td class="nowrap" data-order="{$event.start_date|crmDate:'%Y-%m-%d'}">
           {if $event.start_date}{$event.start_date|crmDate}{if $event.end_date}<br /><em>{ts}through{/ts}</em><br />{strip}
             {* Only show end time if end date = start date *}
-- 
2.25.1