From 0ac9fd523d8a15cf512680861f5a1c57d0097bce Mon Sep 17 00:00:00 2001
From: Chris Burgess
Date: Thu, 9 Jul 2015 16:51:22 +1200
Subject: [PATCH] CRM-16821. Improve output escaping from CRM_Core_Error.
---
 CRM/Core/Error.php | 6 ++++--
 CRM/Core/Payment.php | 15 ++++++---------
 2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/CRM/Core/Error.php b/CRM/Core/Error.php
index bac07e05d3..3afdd9b206 100644
--- a/CRM/Core/Error.php
+++ b/CRM/Core/Error.php
@@ -312,7 +312,7 @@ class CRM_Core_Error extends PEAR_ErrorStack {
 */
 public static function fatal($message = NULL, $code = NULL, $email = NULL) {
 $vars = array(
- 'message' => $message,
+ 'message' => htmlspecialchars($message),
 'code' => $code,
 );
@@ -378,6 +378,7 @@ class CRM_Core_Error extends PEAR_ErrorStack {
 }
 $template = CRM_Core_Smarty::singleton();
+ $template->assign($vars);
 $config->userSystem->outputError($template->fetch($config->fatalErrorTemplate));
@@ -583,7 +584,8 @@ class CRM_Core_Error extends PEAR_ErrorStack {
 $file_log = self::createDebugLogger($comp);
 $file_log->log("$message\n");
- $str = "
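Review bot: `htmlspecialchars($message)` relies on the default flags, which leave single quotes unescaped (ENT_COMPAT) and, on PHP before 5.4, default to a non-UTF-8 charset, so a message dropped into a single-quoted attribute of the fatal-error template is not fully neutralised; prefer `'message' => htmlspecialchars($message, ENT_QUOTES, 'UTF-8'),`. The same applies to the `$str` line in the third hunk of this file. `$code` is handed to the template unescaped through the `$template->assign($vars)` added in the second hunk, so if the template prints it, it should get the same treatment — or the escaping should move into the template via Smarty's `|escape` so it happens at the output edge. The body of `fatal()` continues outside these hunks, so whether the now HTML-escaped `$message` is also reused for logging or e-mail (where entities would be unwanted) cannot be checked here.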

$message";
+
+ $str = '

' . htmlspecialchars($message) . '';
 if ($out && CRM_Core_Permission::check('view debug output')) {
 echo $str;
 }
diff --git a/CRM/Core/Payment.php b/CRM/Core/Payment.php
index 2cb276b459..04238bcecd 100644
--- a/CRM/Core/Payment.php
+++ b/CRM/Core/Payment.php
@@ -582,9 +582,7 @@ abstract class CRM_Core_Payment {
 $params['processor_id'] = $_GET['processor_id'] = $lastParam;
 }
 else {
- throw new CRM_Core_Exception("Either 'processor_id' (recommended) or 'processor_name' (deprecated) is
- required
- for payment callback");
+ throw new CRM_Core_Exception("Either 'processor_id' (recommended) or 'processor_name' (deprecated) is required for payment callback.");
 }
 }
@@ -599,7 +597,7 @@ abstract class CRM_Core_Payment {
 if (isset($params['processor_id'])) {
 $sql .= " WHERE pp.id = %2";
 $args[2] = array($params['processor_id'], 'Integer');
- $notFound = "No active instances of payment processor ID#'{$params['processor_id']}' were found.";
+ $notFound = ts("No active instances of payment processor %1 were found.", array(1 => $params['processor_id']));
 }
 else {
 // This is called when processor_name is passed - passing processor_id instead is recommended.
@@ -609,7 +607,7 @@ abstract class CRM_Core_Payment {
 'Integer',
 );
 $args[2] = array($params['processor_name'], 'String');
- $notFound = "No active instances of the '{$params['processor_name']}' payment processor were found.";
+ $notFound = ts("No active instances of payment processor '%1' were found.", array(1 => $params['processor_name']));
 }
 $dao = CRM_Core_DAO::executeQuery($sql, $args);
@@ -655,10 +653,9 @@ abstract class CRM_Core_Payment {
 }
 if (!$extension_instance_found) {
- CRM_Core_Error::fatal(
- "No extension instances of the '{$params['processor_name']}' payment processor were found.
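Review bot: The new `ts()` message in the `processor_id` branch drops the `ID#` marker the old string carried, so the two branches now produce near-identical text (`payment processor 5` versus `payment processor 'Dummy'`) and a reader cannot tell whether the lookup was by id or by name; consider `$notFound = ts("No active instances of payment processor ID %1 were found.", array(1 => $params['processor_id']));`. The values substituted for `%1` here and in the following `processor_name` hunk come from request input (the first hunk of this file copies `$_GET['processor_id']` into `$params`), and as far as I know `ts()` inserts placeholder values verbatim, so `$notFound` is only safe for HTML output if its consumer escapes it. That consumer lies outside these hunks; if it is `CRM_Core_Error::fatal()`, the escaping added to it in this commit covers it, but any other sink (exception message, log, JSON) should be checked.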
" .
- "$method method is unsupported in legacy payment processors."
- );
+ $message = "No extension instances of the '%1' payment processor were found.
" .
+ "%2 method is unsupported in legacy payment processors.";
+ CRM_Core_Error::fatal(ts($message, array(1 => $params['processor_name'], 2 => $method)));
 }
 }
--
2.25.1
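Review bot: `ts($message, ...)` receives a variable assembled from two concatenated literals rather than a literal, and translation string extraction for `ts()` generally only recognises literal arguments, so this message is unlikely to reach the translation catalogue; pass the literal straight to `ts()` or use two `ts()` calls joined afterwards. The string is also split around something this page renders as a line break (presumably a tag on the original line); if that is HTML, `CRM_Core_Error::fatal()` now runs the whole message through `htmlspecialchars()` (first hunk of Error.php), so it will appear as literal text rather than a line break — either drop it or let the fatal-error template supply the markup. Since the `%1`/`%2` substitution happens before that escaping, the request-supplied `processor_name` is still covered by the new escaping in `fatal()`.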