From 1fe6af5975d774fb89a8bfa472d829da1373a799 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Thu, 28 Jan 2021 20:17:04 -0500
Subject: [PATCH] Search Kit - Fix encoding of search metadata in afforms

---
 ext/search/Civi/Search/AfformSearchMetadataInjector.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ext/search/Civi/Search/AfformSearchMetadataInjector.php b/ext/search/Civi/Search/AfformSearchMetadataInjector.php
index e304f53f17..e65323c197 100644
--- a/ext/search/Civi/Search/AfformSearchMetadataInjector.php
+++ b/ext/search/Civi/Search/AfformSearchMetadataInjector.php
@@ -39,15 +39,15 @@ class AfformSearchMetadataInjector {
         ->addSelect('settings', 'saved_search.api_entity', 'saved_search.api_params')
         ->execute()->first();
       if ($display) {
-        pq($component)->attr('settings', \CRM_Utils_JS::encode($display['settings'] ?? []));
-        pq($component)->attr('api-entity', \CRM_Utils_JS::encode($display['saved_search.api_entity']));
-        pq($component)->attr('api-params', \CRM_Utils_JS::encode($display['saved_search.api_params']));
+        pq($component)->attr('settings', htmlspecialchars(\CRM_Utils_JS::encode($display['settings'] ?? [])));
+        pq($component)->attr('api-entity', htmlspecialchars(\CRM_Utils_JS::encode($display['saved_search.api_entity'])));
+        pq($component)->attr('api-params', htmlspecialchars(\CRM_Utils_JS::encode($display['saved_search.api_params'])));
         // Add entity names to the fieldset so that afform can populate field metadata
         $fieldset = pq($component)->parents('[af-fieldset]');
         if ($fieldset->length) {
           $entityList = array_merge([$display['saved_search.api_entity']], array_column($display['saved_search.api_params']['join'] ?? [], 0));
-          $fieldset->attr('api-entities', \CRM_Utils_JS::encode($entityList));
+          $fieldset->attr('api-entities', htmlspecialchars(\CRM_Utils_JS::encode($entityList)));
         }
       }
     }
-- 
2.25.1
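Review bot: The four new `htmlspecialchars()` calls (the three `pq($component)->attr(...)` lines and the `$fieldset->attr('api-entities', ...)` line) pass no flags, so on PHP before 8.1 the default `ENT_COMPAT` leaves single quotes unescaped, and without `ENT_SUBSTITUTE` any invalid UTF-8 in the stored value makes the call return an empty string, silently dropping the attribute. Since these values come from the saved search in storage rather than from code, they should be escaped with explicit flags for the attribute context, e.g. `htmlspecialchars(\CRM_Utils_JS::encode($entityList), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Whether `\CRM_Utils_JS::encode` emits single-quoted strings cannot be seen from this hunk, but factoring the repeated encode-then-escape into one private helper keeps the flags in a single place, as sketched below. The enclosing method starts and ends outside the hunk.
```php
  /**
   * JS-encode a value and escape it for an HTML attribute.
   * Flags are explicit so single quotes are escaped on every PHP version
   * and invalid UTF-8 is substituted instead of emptying the result.
   */
  private static function encodeAttr($value): string {
    return htmlspecialchars(\CRM_Utils_JS::encode($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }

      // … unchanged: saved-search lookup …
      if ($display) {
        pq($component)->attr('settings', self::encodeAttr($display['settings'] ?? []));
        pq($component)->attr('api-entity', self::encodeAttr($display['saved_search.api_entity']));
        pq($component)->attr('api-params', self::encodeAttr($display['saved_search.api_params']));
        // … unchanged: fieldset lookup and $entityList …
          $fieldset->attr('api-entities', self::encodeAttr($entityList));
```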