From 1b0a9d272250a8f04305b8daa32dab4b04ee320b Mon Sep 17 00:00:00 2001
From: Patrick Figel
Date: Wed, 9 Oct 2019 12:45:33 +0200
Subject: [PATCH] security/core#65 - Fix XSS in Dashboard Report Title

This fixes an XSS in report titles displayed on the dashboard page by escaping the title on output.
---
 CRM/Core/BAO/Dashboard.php | 2 +-
 js/Common.js | 19 +++++++++++++++++++
 js/jquery/jquery.dashboard.js | 4 ++--
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/CRM/Core/BAO/Dashboard.php b/CRM/Core/BAO/Dashboard.php
index 562ad33b2a..2c89838c40 100644
--- a/CRM/Core/BAO/Dashboard.php
+++ b/CRM/Core/BAO/Dashboard.php
@@ -161,7 +161,7 @@ class CRM_Core_BAO_Dashboard extends CRM_Core_DAO_Dashboard {
 $data[$item['column_no']][] = [
 'id' => (int) $item['dashboard_id'],
 'name' => $item['name'],
- 'title' => CRM_Utils_String::purifyHtml($item['label']),
+ 'title' => $item['label'],
 'url' => self::parseUrl($item['url']),
 'cacheMinutes' => $item['cache_minutes'],
 'fullscreenUrl' => self::parseUrl($item['fullscreen_url']),
diff --git a/js/Common.js b/js/Common.js
index 25e228b594..47c6e48b18 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1598,6 +1598,25 @@ if (!CRM.vars) CRM.vars = {};
 return (yiq >= 128) ? 'black' : 'white';
 };
+ // based on https://github.com/janl/mustache.js/blob/master/mustache.js
+ // If you feel the need to use this function, consider whether assembling HTML
+ // via DOM might be a cleaner approach rather than using string concatenation.
+ CRM.utils.escapeHtml = function(string) {
+ var entityMap = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ '`': '`',
+ '=': '='
+ };
+ return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
+ return entityMap[s];
+ });
+ }
+
 // CVE-2015-9251 - Prevent auto-execution of scripts when no explicit dataType was provided
 $.ajaxPrefilter(function(s) {
 if (s.crossDomain) {
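Review bot: Dropping `CRM_Utils_String::purifyHtml()` on the `'title'` element makes this array carry the raw label, so every consumer of `title` now has to escape it itself; the commit covers the two call sites in js/jquery/jquery.dashboard.js, but whether any template or other script also renders this field cannot be seen from the hunk and should be checked before merging. It also changes behaviour for labels that legitimately contained markup, which were previously sanitised and kept and will now display as literal text, which is worth stating in the commit message. A comment on the new line would stop the next maintainer from re-adding purification or treating the value as already safe: `// Raw, unescaped label: must be HTML-escaped at the point of output.` The enclosing loop and method continue outside the hunk.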
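Review bot: The values in `entityMap` as shown in this hunk are the bare characters themselves (`'&': '&'`, `'<': '<'`, and so on), which would make the replace a no-op; this is almost certainly the entity strings having been decoded when the patch was rendered, but the committed file should be confirmed to hold the `&amp;`-style entity references as values. The function expression is not terminated with a semicolon (`}` on the new side, followed by the blank line), unlike the neighbouring `};` just above it; write `};`. A short JSDoc would help callers pick the right escaper for their sink: `/** Escape a value for HTML text and quoted-attribute contexts; not sufficient for JS, URL or CSS contexts. */`. Note also that `String(string)` turns `null` and `undefined` into the literal words rather than an empty string, which may surprise callers passing a missing title.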
diff --git a/js/jquery/jquery.dashboard.js b/js/jquery/jquery.dashboard.js
index 394635d361..b87db357d1 100644
--- a/js/jquery/jquery.dashboard.js
+++ b/js/jquery/jquery.dashboard.js
@@ -389,7 +389,7 @@
 });
 CRM.alert(
 ts('You can re-add it by clicking the "Configure Your Dashboard" button.'),
- ts('"%1" Removed', {1: widget.title}),
+ ts('"%1" Removed', {1: CRM.utils.escapeHtml(widget.title)}),
 'success'
 );
 };
@@ -483,7 +483,7 @@
 function widgetHTML() {
 var html = '';
 html += '
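Review bot: Escaping `widget.title` before passing it through `ts()` is right only if `CRM.alert` inserts its title argument as HTML and neither `ts()` nor `CRM.alert` escapes the substituted value a second time; otherwise titles containing `&` or quotes will show up as entity references. Neither function's body is in this hunk, so that should be confirmed once at the sink rather than assumed per call site. A comment on the changed line records the assumption for the next reader: `// widget.title is unescaped server data; CRM.alert's title is rendered as HTML`. The enclosing handler starts and ends outside the hunk.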
'; - html += '

' + widget.title + '

'; + html += '

' + CRM.utils.escapeHtml(widget.title) + '

'; html += '
'; html += '
'; return html; -- 2.25.1
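Review bot: The markup surrounding `widget.title` is not visible in this copy of the hunk (the tags appear to have been stripped), so whether the title lands in element text, a quoted attribute or a URL attribute cannot be confirmed from here. `CRM.utils.escapeHtml` maps `&`, `<`, `>`, both quote characters, `=` and the backtick, which covers text and attribute values, but a URL attribute would need URL encoding instead, so the other `html +=` lines in `widgetHTML` that interpolate `widget` fields deserve the same look. A comment before the concatenation would make the expectation explicit: `// Widget fields are server-supplied and unescaped; escape every interpolated value before building HTML`. widgetHTML's closing brace is outside the hunk.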