From 845098507e0d38639b4f4d354b63b85763b3893d Mon Sep 17 00:00:00 2001
From: Sean Madsen <sean@seanmadsen.com>
Date: Sun, 22 Apr 2018 09:53:29 -0400
Subject: [PATCH] security/core#3 Improve output escaping for errors

- In the template, use either `escape` or `purify` for all outputs.
- Remove `htmlspecialchars()` call in PHP since it's now happening in
  Smarty via `escape`.
---
 CRM/Core/Error.php             |  2 +-
 templates/CRM/common/fatal.tpl | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/CRM/Core/Error.php b/CRM/Core/Error.php
index ab491e8b81..088d252d46 100644
--- a/CRM/Core/Error.php
+++ b/CRM/Core/Error.php
@@ -329,7 +329,7 @@ class CRM_Core_Error extends PEAR_ErrorStack {
    */
   public static function fatal($message = NULL, $code = NULL, $email = NULL) {
     $vars = array(
-      'message' => htmlspecialchars($message),
+      'message' => $message,
       'code' => $code,
     );
 
diff --git a/templates/CRM/common/fatal.tpl b/templates/CRM/common/fatal.tpl
index 4b59d55730..537dee6bde 100644
--- a/templates/CRM/common/fatal.tpl
+++ b/templates/CRM/common/fatal.tpl
@@ -29,7 +29,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 
 <head>
-  <title>{$pageTitle}</title>
+  <title>{$pageTitle|escape}</title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <base href="{$config->resourceBase}" />
   <style type="text/css" media="screen">
@@ -50,10 +50,10 @@
 {/if}
 <div class="messages status no-popup">  <i class="crm-i fa-exclamation-triangle crm-i-red"></i>
  <span class="status-fatal">{ts}Sorry, due to an error, we are unable to fulfill your request at the moment. You may want to contact your administrator or service provider with more details about what action you were performing when this occurred.{/ts}</span>
-    <div class="crm-section crm-error-message">{$message}</div>
+    <div class="crm-section crm-error-message">{$message|escape}</div>
     {if $error.message && $message != $error.message}
         <hr style="solid 1px" />
-        <div class="crm-section crm-error-message">{$error.message}</div>
+        <div class="crm-section crm-error-message">{$error.message|escape}</div>
     {/if}
     {if ($code OR $mysql_code OR $errorDetails) AND $config->debug}
         <div class="crm-accordion-wrapper collapsed crm-fatal-error-details-block">
@@ -62,13 +62,13 @@
          </div><!-- /.crm-accordion-header -->
          <div class="crm-accordion-body">
             {if $code}
-                <div class="crm-section">{ts}Error Code:{/ts} {$code}</div>
+                <div class="crm-section">{ts}Error Code:{/ts} {$code|purify}</div>
             {/if}
             {if $mysql_code}
-                <div class="crm-section">{ts}Database Error Code:{/ts} {$mysql_code}</div>
+                <div class="crm-section">{ts}Database Error Code:{/ts} {$mysql_code|purify}</div>
             {/if}
             {if $errorDetails}
-                <div class="crm-section">{ts}Additional Details:{/ts} {$errorDetails}</div>
+                <div class="crm-section">{ts}Additional Details:{/ts} {$errorDetails|purify}</div>
             {/if}
          </div><!-- /.crm-accordion-body -->
         </div><!-- /.crm-accordion-wrapper -->
-- 
2.25.1