From 69a3a43d603c541ec2b9069e13a5ae2dbed54987 Mon Sep 17 00:00:00 2001
From: Sean Madsen <sean@seanmadsen.com>
Date: Sun, 22 Apr 2018 11:07:56 -0400
Subject: [PATCH] security/core#1 Escape outputs in report stats

---
 templates/CRM/Report/Form/Statistics.tpl     | 10 +++++-----
 templates/CRM/Report/Form/Tabs/Developer.tpl |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/CRM/Report/Form/Statistics.tpl b/templates/CRM/Report/Form/Statistics.tpl
index 86359c15cd..09cd260176 100644
--- a/templates/CRM/Report/Form/Statistics.tpl
+++ b/templates/CRM/Report/Form/Statistics.tpl
@@ -33,13 +33,13 @@
       {foreach from=$statistics.groups item=row}
         <tr>
           <th class="statistics" scope="row">{$row.title}</th>
-          <td>{$row.value}</td>
+          <td>{$row.value|escape}</td>
         </tr>
       {/foreach}
       {foreach from=$statistics.filters item=row}
         <tr>
           <th class="statistics" scope="row">{$row.title}</th>
-          <td>{$row.value}</td>
+          <td>{$row.value|escape}</td>
         </tr>
       {/foreach}
     </table>
@@ -53,11 +53,11 @@
         <th class="statistics" scope="row">{$row.title}</th>
         <td>
           {if $row.type eq 1024}
-            {$row.value|crmMoney}
+            {$row.value|crmMoney|escape}
           {elseif $row.type eq 2}
-            {$row.value}
+            {$row.value|escape}
           {else}
-            {$row.value|crmNumberFormat}
+            {$row.value|crmNumberFormat|escape}
           {/if}
 
         </td>
diff --git a/templates/CRM/Report/Form/Tabs/Developer.tpl b/templates/CRM/Report/Form/Tabs/Developer.tpl
index 774f5c7b5f..dd2f3a195d 100644
--- a/templates/CRM/Report/Form/Tabs/Developer.tpl
+++ b/templates/CRM/Report/Form/Tabs/Developer.tpl
@@ -1,4 +1,4 @@
 <div id="report-tab-set-developer" class="civireport-criteria">
   <p><b>{ts}Class used{/ts}: {$report_class}</b></p>
-  <pre>{$sql}</pre>
+  <pre>{$sql|purify}</pre>
 </div>
-- 
2.25.1