From 48d9d2e0b794eb51371af8ab990cc0f634699616 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Thu, 6 Aug 2020 09:46:33 +1000
Subject: [PATCH] security/core#96 Escape the profile description field

---
 templates/CRM/UF/Page/Group.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/CRM/UF/Page/Group.tpl b/templates/CRM/UF/Page/Group.tpl
index a59a5a3445..d77ffdede5 100644
--- a/templates/CRM/UF/Page/Group.tpl
+++ b/templates/CRM/UF/Page/Group.tpl
@@ -77,7 +77,7 @@
                     <a href="{crmURL p='civicrm/contact/view' q="reset=1&cid=`$row.created_id`"}">{ts}{$row.created_by}{/ts}</a>
                   {/if}
                 </td>
-                <td class="crmf-description crm-editable" data-type="textarea">{$row.description}</td>
+                <td class="crmf-description crm-editable" data-type="textarea">{$row.description|escape}</td>
                 <td>{$row.group_type}</td>
                 <td>{$row.id}</td>
                 <td>{$row.module}</td>
@@ -122,7 +122,7 @@
                     <a href="{crmURL p='civicrm/contact/view' q="reset=1&cid=`$row.created_id`"}">{ts}{$row.created_by}{/ts}</a>
                   {/if}
                 </td>
-                <td>{$row.description}</td>
+                <td>{$row.description|escape}</td>
                 <td>{$row.group_type}</td>
                 <td>{$row.id}</td>
                 <td>{$row.module}</td>
-- 
2.25.1