From 337fc3e6b84c3db631ddd9e637355072bda92615 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Frank=20J=2E=20G=C3=B3mez?=
Date: Wed, 12 Aug 2015 14:49:24 -0400
Subject: [PATCH] CRM-16995: Addressed XSS vulnerability.
---
 Civi/Angular/Page/Main.php | 9 ++++++---
 templates/Civi/Angular/Page/Main.tpl | 11 ++++++-----
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/Civi/Angular/Page/Main.php b/Civi/Angular/Page/Main.php
index 8f60319f56..c06d52f55f 100644
--- a/Civi/Angular/Page/Main.php
+++ b/Civi/Angular/Page/Main.php
@@ -109,9 +109,12 @@ class Main extends \CRM_Core_Page {
 }
 }
- // Set the location hash so that Angular knows which page it is trying to load.
- $route = \CRM_Utils_Request::retrieve('route', 'String');
- $this->assign("route", $route);
+ // If trying to load an Angular page via AJAX, the route must be passed as a
+ // URL parameter, since PHP doesn't know about URL fragments (i.e, what
+ // comes after the #).
+ \CRM_Core_Resources::singleton()->addSetting(array(
+ 'angularRoute' => \CRM_Utils_Request::retrieve('route', 'String'),
+ ));
 }
 }
diff --git a/templates/Civi/Angular/Page/Main.tpl b/templates/Civi/Angular/Page/Main.tpl
index c547e66f15..4918da28ae 100644
--- a/templates/Civi/Angular/Page/Main.tpl
+++ b/templates/Civi/Angular/Page/Main.tpl
@@ -1,9 +1,10 @@
-{if $route} - -{/if} {literal} + +
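Review bot: The new `addSetting()` call hands the user-supplied `route` query parameter straight to page JavaScript, and nothing in the hunk records that it is untrusted — as far as I can tell `CRM_Utils_Request::retrieve('route', 'String')` validates the value's shape but does not encode it for any output context, so the XSS fix rests entirely on `addSetting()` JSON-encoding the setting (including escaping `</` so a value cannot close the surrounding script block) and on the template only assigning the setting (presumably `CRM.angularRoute`) to the location, never inserting it as HTML or evaluating it. Both of those guarantees live outside this hunk (the template hunk below is not legible in this view), so I would state the contract next to the call: `// 'route' is user-controlled; it is safe here only because addSetting() JSON-encodes it. Never echo it raw in Main.tpl.` The removed `$this->assign("route", $route)` also means any remaining `{$route}` reference in the template now renders empty rather than escaped, which is worth confirming. The enclosing method starts before the hunk.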
-- 2.25.1