From 7d766578a67c0725a63f6ce4df447bece46e4c0c Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Sun, 9 Feb 2020 19:32:48 +1100
Subject: [PATCH] security/core#40 Purify activity details when viewing case activities and case reports

---
 CRM/Case/XMLProcessor/Report.php | 2 +-
 templates/CRM/Case/Form/ActivityView.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CRM/Case/XMLProcessor/Report.php b/CRM/Case/XMLProcessor/Report.php
index 453f39ecf9..720bbbabe7 100644
--- a/CRM/Case/XMLProcessor/Report.php
+++ b/CRM/Case/XMLProcessor/Report.php
@@ -443,7 +443,7 @@ WHERE a.id = %1
 $activity['fields'][] = array(
 'label' => ts('Details'),
- 'value' => $this->redact(CRM_Utils_String::stripAlternatives($activityDAO->details)),
+ 'value' => $this->redact(CRM_Utils_String::purifyHTML(CRM_Utils_String::stripAlternatives($activityDAO->details))),
 'type' => 'Memo',
 );
diff --git a/templates/CRM/Case/Form/ActivityView.tpl b/templates/CRM/Case/Form/ActivityView.tpl
index 5a7e78ff63..68979f60a6 100644
--- a/templates/CRM/Case/Form/ActivityView.tpl
+++ b/templates/CRM/Case/Form/ActivityView.tpl
@@ -41,7 +41,7 @@
 {if $parentID}» {ts}Prompted by{/ts}{/if}
 {else}
- {if $row.label eq 'Details'}{$row.value|crmStripAlternatives|nl2br}{elseif $row.type eq 'Date'}{$row.value|crmDate}{else}{$row.value}{/if}
+ {if $row.label eq 'Details'}{$row.value|crmStripAlternatives|nl2br|purify}{elseif $row.type eq 'Date'}{$row.value|crmDate}{else}{$row.value}{/if}
 {/if}
 {/foreach}
--
2.25.1
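Review bot: The new `'value'` line in Report.php nests three calls on one line, which hides the order in which the stored details are processed (strip alternatives, purify, then redact) and runs well past the usual line length. A named intermediate keeps the order readable: `$details = CRM_Utils_String::stripAlternatives($activityDAO->details);` followed by `'value' => $this->redact(CRM_Utils_String::purifyHTML($details)),`. The ordering itself deserves a why-comment, since purifying after redaction would presumably let the purifier rewrite whatever `redact()` substitutes; something like `// Purify before redaction so the redacted output contains only allowed markup and redaction replacements are left untouched.` (hedged, as `redact()` is not visible here). The enclosing method starts and ends outside the hunk.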
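Review bot: In ActivityView.tpl the new `purify` modifier only runs on the `$row.label eq 'Details'` branch, and that label appears to be built with `ts('Details')` in the Report.php hunk, so under a non-English locale the literal comparison can fail and the value falls through to the `{else}{$row.value}` branch, which applies no sanitisation or escaping at all. That these rows come from the Report.php code path is inferred from the matching `label`/`type` shape, not visible here, so please confirm. If they do, branching on the untranslated field type, `{if $row.type eq 'Memo'}`, or passing a non-translated key alongside the display label would make the template-side sanitisation locale-independent; the PHP-side `purifyHTML` in the other hunk then remains the primary guarantee. The enclosing `{foreach}` starts outside the hunk.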