From 4bc223d10127155039daf8b971416dad74571eb1 Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Thu, 11 Apr 2013 09:48:44 -0700
Subject: [PATCH] Fix help encoding CRM-12324

---
 CRM/Core/Smarty/plugins/function.help.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/CRM/Core/Smarty/plugins/function.help.php b/CRM/Core/Smarty/plugins/function.help.php
index 0800231583..f963ff4357 100644
--- a/CRM/Core/Smarty/plugins/function.help.php
+++ b/CRM/Core/Smarty/plugins/function.help.php
@@ -66,11 +66,15 @@ function smarty_function_help($params, &$smarty) {
   else {
     $name = trim(strip_tags($params['title']));
   }
-  $title = ts('%1 Help', array(1 => $name));
-  unset($params['text'], $params['title']);
+  // Escape for html
+  $title = htmlspecialchars(ts('%1 Help', array(1 => $name)));
+  // Escape for html and js
+  $name = htmlspecialchars(json_encode($name), ENT_QUOTES);
+
   // Format params to survive being passed through json & the url
+  unset($params['text'], $params['title']);
   foreach ($params as &$param) {
     $param = is_bool($param) || is_numeric($param) ? (int) $param : (string) $param;
   }
-  return '<a class="helpicon" title="' . $title . '" href="#" onclick=\'CRM.help("' . $name . '", ' . json_encode($params) . '); return false;\'>&nbsp;</a>';
+  return '<a class="helpicon" title="' . $title . '" href="#" onclick=\'CRM.help(' . $name . ', ' . json_encode($params) . '); return false;\'>&nbsp;</a>';
 }
-- 
2.25.1