From 697b50de27aedc8ecde4f2875ef8b3b0fc7e4218 Mon Sep 17 00:00:00 2001
From: eileen
Date: Tue, 15 Jan 2019 15:43:34 +1300
Subject: [PATCH] Escape the header title & section title in reports.

In extended reports I'm making it possible for column titles to be user edited. since they will represent user input it makes sense to escape on output. I think core makes sense as the place to do this as it is best practice to escape all output in the smarty layer and I have tested that it still works fine
---
 templates/CRM/Report/Form/Layout/Table.tpl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/CRM/Report/Form/Layout/Table.tpl b/templates/CRM/Report/Form/Layout/Table.tpl
index e7f24d6b84..76c0ca053c 100644
--- a/templates/CRM/Report/Form/Layout/Table.tpl
+++ b/templates/CRM/Report/Form/Layout/Table.tpl
@@ -40,12 +40,12 @@
 {/if}
 {if !$skip}
 {if $header.colspan}
- {$header.title}
+ {$header.title|escape}
 {assign var=skip value=true}
 {assign var=skipCount value=`$header.colspan`}
 {assign var=skipMade value=1}
 {else}
- {$header.title}
+ {$header.title|escape}
 {assign var=skip value=false}
 {/if}
 {else} {* for skip case *}
@@ -93,7 +93,7 @@
 {$l}/if{$r}
- {$section.title}: {$l}$printValue|default:"none"{$r}
+ {$section.title|escape}: {$l}$printValue|default:"none"{$r}
 ({$l}sectionTotal key=$row.{$column} depth={$smarty.foreach.sections.index}{$r})
-- 
2.25.1
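Review bot: The new `{$header.title|escape}` lines in the first hunk, and `{$section.title|escape}` in the second, assume the titles reach the template as raw text; if the user-editable titles the description mentions are already HTML-encoded when they are saved, this will double-encode them on output (`&amp;` becomes `&amp;amp;`), so the storage side should keep titles raw and rely on this output escape alone. The bare `|escape` uses Smarty's default `html` mode, which matches the text-node context in both hunks. Any other layout or export path that prints the same titles lies outside this diff and would need the same modifier, as would the skip branch after `{else} {* for skip case *}` if it also prints `$header.title`; that branch continues past the end of the hunk. A short comment such as `{* titles may be user-supplied: keep |escape on output *}` above the first `{if $header.colspan}` would record why the modifier must stay.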