From 522936fab1249e719fd91ce4883bb9e4c88d5d36 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Wed, 23 Dec 2020 19:45:56 +1100
Subject: [PATCH] Escape information supplied by extensions to prevent XSS

---
 templates/CRM/Admin/Page/ExtensionDetails.tpl | 20 +++++++++----------
 templates/CRM/Admin/Page/Extensions/Main.tpl  | 10 +++++-----
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/templates/CRM/Admin/Page/ExtensionDetails.tpl b/templates/CRM/Admin/Page/ExtensionDetails.tpl
index bab021bf14..a769842de6 100644
--- a/templates/CRM/Admin/Page/ExtensionDetails.tpl
+++ b/templates/CRM/Admin/Page/ExtensionDetails.tpl
@@ -1,6 +1,6 @@
 <table class="crm-info-panel">
         {foreach from=$extension.urls key=label item=url}
-            <tr><td class="label">{$label}</td><td><a href="{$url}">{$url}</a></td></tr>
+            <tr><td class="label">{$label|escape}</td><td><a href="{$url|escape}">{$url|escape}</a></td></tr>
         {/foreach}
     <tr>
         <td class="label">{ts}Author{/ts}</td>
@@ -16,19 +16,19 @@
         </td>
     </tr>
     <tr>
-      <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments}</td>
+      <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Version{/ts}</td><td>{$extension.version}</td>
+        <td class="label">{ts}Version{/ts}</td><td>{$extension.version|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate}</td>
+        <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}License{/ts}</td><td>{$extension.license}</td>
+        <td class="label">{ts}License{/ts}</td><td>{$extension.license|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage}</td>
+        <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage|escape}</td>
     </tr>
     <tr>
         <td class="label">{ts}Requires{/ts}</td>
@@ -49,17 +49,17 @@
         <td class="label">{ts}Compatible with{/ts}</td>
         <td>
             {foreach from=$extension.compatibility.ver item=ver}
-                {$ver} &nbsp;
+                {$ver|escape} &nbsp;
             {/foreach}
         </td>
     </tr>
     <tr>
-      <td class="label">{ts}Local path{/ts}</td><td>{$extension.path}</td>
+      <td class="label">{ts}Local path{/ts}</td><td>{$extension.path|escape}</td>
     </tr>
     <tr>
-      <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl}</td>
+      <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl|escape}</td>
     </tr>
     <tr>
-      <td class="label">{ts}Key{/ts}</td><td>{$extension.key}</td>
+      <td class="label">{ts}Key{/ts}</td><td>{$extension.key|escape}</td>
     </tr>
 </table>
diff --git a/templates/CRM/Admin/Page/Extensions/Main.tpl b/templates/CRM/Admin/Page/Extensions/Main.tpl
index 881d1a4d0c..e7598bab04 100644
--- a/templates/CRM/Admin/Page/Extensions/Main.tpl
+++ b/templates/CRM/Admin/Page/Extensions/Main.tpl
@@ -19,19 +19,19 @@ Depends: CRM/common/enableDisableApi.tpl and CRM/common/jsortable.tpl
       </thead>
       <tbody>
         {foreach from=$localExtensionRows key=extKey item=row}
-        <tr id="extension-{$row.file}" class="crm-entity crm-extension-{$row.file}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}">
+        <tr id="extension-{$row.file|escape}" class="crm-entity crm-extension-{$row.file|escape}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}">
           <td class="crm-extensions-label">
-              <a class="collapsed" href="#"></a>&nbsp;<strong>{$row.label}</strong><br/>{$row.description}
+              <a class="collapsed" href="#"></a>&nbsp;<strong>{$row.label|escape}</strong><br/>{$row.description|escape}
               {if $extAddNewEnabled && $remoteExtensionRows[$extKey] && $remoteExtensionRows[$extKey].upgradelink}
                 <div class="crm-extensions-upgrade">{$remoteExtensionRows[$extKey].upgradelink}</div>
               {/if}
           </td>
           <td class="crm-extensions-label">{$row.statusLabel} {if $row.upgradable}<br/>({ts}Outdated{/ts}){/if}</td>
-          <td class="crm-extensions-label">{$row.version} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td>
-          <td class="crm-extensions-description">{$row.type|capitalize}</td>
+          <td class="crm-extensions-label">{$row.version|escape} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td>
+          <td class="crm-extensions-description">{$row.type|escape|capitalize}</td>
           <td>{$row.action|replace:'xx':$row.id}</td>
         </tr>
-        <tr class="hiddenElement" id="crm-extensions-details-{$row.file}">
+        <tr class="hiddenElement" id="crm-extensions-details-{$row.file|escape}">
             <td>
                 {include file="CRM/Admin/Page/ExtensionDetails.tpl" extension=$row localExtensionRows=$localExtensionRows remoteExtensionRows=$remoteExtensionRows}
             </td>
-- 
2.25.1