From 8838f818ecd00ca7db210f3f4bf99b3be2dff87c Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Wed, 25 Apr 2018 10:53:36 -0400
Subject: [PATCH] Escape js strings in smarty templates

---
 templates/CRM/Batch/Form/Entry.tpl            |  2 +-
 templates/CRM/Case/Audit/Audit.tpl            |  2 +-
 templates/CRM/Contact/Form/Contact.tpl        |  2 +-
 templates/CRM/Contact/Form/CustomData.tpl     |  8 +-
 templates/CRM/Contact/Form/Merge.tpl          |  2 +-
 .../CRM/Contact/Import/Form/MapTable.tpl      |  2 +-
 .../CRM/Contribute/Form/AdditionalPayment.tpl |  2 +-
 .../CRM/Contribute/Form/Contribution.tpl      |  6 +-
 templates/CRM/Contribute/Page/PaymentInfo.tpl |  2 +-
 templates/CRM/Custom/Form/ChangeFieldType.tpl |  2 +-
 templates/CRM/Custom/Form/Group.tpl           |  2 +-
 templates/CRM/Event/Form/Participant.tpl      |  2 +-
 templates/CRM/Member/Form/Membership.tpl      | 87 +++++++++----------
 templates/CRM/Profile/Form/GreetingType.tpl   |  2 +-
 .../CRM/common/deferredFinancialType.tpl      |  4 +-
 templates/CRM/common/importProgress.tpl       |  2 +-
 templates/CRM/common/paymentBlock.tpl         |  2 +-
 17 files changed, 63 insertions(+), 68 deletions(-)

diff --git a/templates/CRM/Batch/Form/Entry.tpl b/templates/CRM/Batch/Form/Entry.tpl
index f2104f0d6c..fe7ebcde7e 100644
--- a/templates/CRM/Batch/Form/Entry.tpl
+++ b/templates/CRM/Batch/Form/Entry.tpl
@@ -341,7 +341,7 @@ function updateContactInfo(blockNo, prefix) {
   {/literal}
   {if $contactFields}
   {foreach from=$contactFields item=val key=fldName}
-  var fldName = "{$fldName}";
+  var fldName = {$fldName|@json_encode};
   {literal}
   if (returnProperties) {
     returnProperties = returnProperties + ',';
diff --git a/templates/CRM/Case/Audit/Audit.tpl b/templates/CRM/Case/Audit/Audit.tpl
index 0a39bfb6f2..af6770c2d2 100644
--- a/templates/CRM/Case/Audit/Audit.tpl
+++ b/templates/CRM/Case/Audit/Audit.tpl
@@ -154,7 +154,7 @@ There's the potential for collisions (two different labels having the same short
 
        if ( button.name == 'case_report' ) {
             var dataUrl = {/literal}"{crmURL p='civicrm/case/report/print' h=0 q='caseID='}"{literal}+id;
-            dataUrl     = dataUrl + '&cid={/literal}{$clientID}{literal}'+'&asn={/literal}{$activitySetName}{literal}';
+            dataUrl     = dataUrl + '&cid={/literal}{$clientID}{literal}&asn=' + {/literal}{$activitySetName|@json_encode}{literal};
             var redact  = '{/literal}{$_isRedact}{literal}'
 
             var isRedact = 1;
diff --git a/templates/CRM/Contact/Form/Contact.tpl b/templates/CRM/Contact/Form/Contact.tpl
index b56ccc653e..7c0302360c 100644
--- a/templates/CRM/Contact/Form/Contact.tpl
+++ b/templates/CRM/Contact/Form/Contact.tpl
@@ -112,7 +112,7 @@
   <script type="text/javascript" >
   CRM.$(function($) {
     var $form = $("form.{/literal}{$form.formClass}{literal}"),
-      action = "{/literal}{$action}{literal}",
+      action = {/literal}{$action|@json_encode}{literal},
       _ = CRM._;
 
     $('.crm-accordion-body').each( function() {
diff --git a/templates/CRM/Contact/Form/CustomData.tpl b/templates/CRM/Contact/Form/CustomData.tpl
index b6300f6d72..34b7f841b5 100644
--- a/templates/CRM/Contact/Form/CustomData.tpl
+++ b/templates/CRM/Contact/Form/CustomData.tpl
@@ -41,10 +41,10 @@
     <script type="text/javascript">
       CRM.$(function() {
         {/literal}
-        var customValueCount = "{$customValueCount}",
-          groupID = "{$groupID}",
-          contact_type = "{$contact_type}",
-          contact_subtype = "{$contact_subtype}",
+        var customValueCount = {$customValueCount|@json_encode},
+          groupID = {$groupID|@json_encode},
+          contact_type = {$contact_type|@json_encode},
+          contact_subtype = {$contact_subtype|@json_encode},
           i = 1;
         {literal}
         // FIXME: This is pretty terrible. Loading each item at a time via ajax.
diff --git a/templates/CRM/Contact/Form/Merge.tpl b/templates/CRM/Contact/Form/Merge.tpl
index 99005c377b..7a769a8357 100644
--- a/templates/CRM/Contact/Form/Merge.tpl
+++ b/templates/CRM/Contact/Form/Merge.tpl
@@ -311,7 +311,7 @@
     }
 
     // Update operation description
-    var operation_description = "{/literal}{ts}add{/ts}{literal}";
+    var operation_description = "{/literal}{ts escape='js'}add{/ts}{literal}";
     var add_new_check_length = this_controls.find(".location_operation_checkbox input:checked").length;
     if (mainBlock != false) {
       if (add_new_check_length > 0) {
diff --git a/templates/CRM/Contact/Import/Form/MapTable.tpl b/templates/CRM/Contact/Import/Form/MapTable.tpl
index 9f11ba212f..19b6b94fb3 100644
--- a/templates/CRM/Contact/Import/Form/MapTable.tpl
+++ b/templates/CRM/Contact/Import/Form/MapTable.tpl
@@ -175,7 +175,7 @@
             var select = $(this).next();
             $('option', select).each(function() {
               if ($(this).attr('value') == defaultLocationType
-              && $(this).text() == "{/literal}{$defaultLocationTypeLabel}{literal}") {
+                && $(this).text() == {/literal}{$defaultLocationTypeLabel|@json_encode}{literal}) {
                 select.val(defaultLocationType);
               }
             });
diff --git a/templates/CRM/Contribute/Form/AdditionalPayment.tpl b/templates/CRM/Contribute/Form/AdditionalPayment.tpl
index 4bc6dc0be0..cc73538580 100644
--- a/templates/CRM/Contribute/Form/AdditionalPayment.tpl
+++ b/templates/CRM/Contribute/Form/AdditionalPayment.tpl
@@ -121,7 +121,7 @@
     {literal}
     <script type="text/javascript">
 
-    var url = "{/literal}{$dataUrl}{literal}";
+    var url = {/literal}{$dataUrl|@json_encode}{literal};
 
       CRM.$(function($) {
         showHideByValue( 'is_email_receipt', '', 'notice', 'table-row', 'radio', false );
diff --git a/templates/CRM/Contribute/Form/Contribution.tpl b/templates/CRM/Contribute/Form/Contribution.tpl
index 2f7d27fc15..44f813d4be 100644
--- a/templates/CRM/Contribute/Form/Contribution.tpl
+++ b/templates/CRM/Contribute/Form/Contribution.tpl
@@ -385,7 +385,7 @@
       }
     }
 
-  var url = "{/literal}{$dataUrl}{literal}";
+  var url = {/literal}{$dataUrl|@json_encode}{literal};
 
   {/literal}
     {if $context eq 'standalone' and $outBound_option != 2 }
@@ -520,7 +520,7 @@ function buildAmount( priceSetId, financialtypeIds ) {
     // show/hide price set amount and total amount.
     cj("#totalAmountORPriceSet").show( );
     cj("#totalAmount").show( );
-    var choose = "{/literal}{ts}Choose price set{/ts}{literal}";
+    var choose = "{/literal}{ts escape='js'}Choose price set{/ts}{literal}";
     cj("#price_set_id option[value='']").html( choose );
 
     cj('label[for="total_amount"]').text('{/literal}{ts}Total Amount{/ts}{literal}');
@@ -554,7 +554,7 @@ function buildAmount( priceSetId, financialtypeIds ) {
 
   cj( "#totalAmountORPriceSet" ).hide( );
   cj( "#totalAmount").hide( );
-  var manual = "{/literal}{ts}Manual contribution amount{/ts}{literal}";
+  var manual = "{/literal}{ts escape='js'}Manual contribution amount{/ts}{literal}";
   cj("#price_set_id option[value='']").html( manual );
 
   cj('label[for="total_amount"]').text('{/literal}{ts}Price Sets{/ts}{literal}');
diff --git a/templates/CRM/Contribute/Page/PaymentInfo.tpl b/templates/CRM/Contribute/Page/PaymentInfo.tpl
index 0a4ffacecb..4c9d8cc1f4 100644
--- a/templates/CRM/Contribute/Page/PaymentInfo.tpl
+++ b/templates/CRM/Contribute/Page/PaymentInfo.tpl
@@ -36,7 +36,7 @@ CRM.$(function($) {
         $("#payment-info").html(html).trigger('crmLoad');
       }
     });
-
+    // Fixme: Possible bug - the following line won't be processed by smarty because it's in a literal block
     var taxAmount = "{$totalTaxAmount}";
     if (taxAmount) {
       $('.total_amount-section').show();
diff --git a/templates/CRM/Custom/Form/ChangeFieldType.tpl b/templates/CRM/Custom/Form/ChangeFieldType.tpl
index 3977814ef2..c86e943d1c 100644
--- a/templates/CRM/Custom/Form/ChangeFieldType.tpl
+++ b/templates/CRM/Custom/Form/ChangeFieldType.tpl
@@ -43,7 +43,7 @@
 {literal}
 <script type="text/Javascript">
   function checkCustomDataField( ) {
-    var srcHtmlType = '{/literal}{$srcHtmlType}{literal}';
+    var srcHtmlType = {/literal}{$srcHtmlType|@json_encode}{literal};
     var singleValOps = ['Text', 'Select', 'Radio', 'Autocomplete-Select'];
     var multiValOps  = ['CheckBox', 'Multi-Select'];
     var dstHtmlType = cj('#dst_html_type').val( );
diff --git a/templates/CRM/Custom/Form/Group.tpl b/templates/CRM/Custom/Form/Group.tpl
index d59a8b1e69..709b36cf06 100644
--- a/templates/CRM/Custom/Form/Group.tpl
+++ b/templates/CRM/Custom/Form/Group.tpl
@@ -93,7 +93,7 @@ CRM.$(function($) {
 
   $('#extends_0').each(showHideStyle).change(showHideStyle);
 
-  var isGroupEmpty = "{/literal}{$isGroupEmpty}{literal}";
+  var isGroupEmpty = {/literal}{$isGroupEmpty|@json_encode}{literal};
   if (isGroupEmpty) {
     showRange(true);
   }
diff --git a/templates/CRM/Event/Form/Participant.tpl b/templates/CRM/Event/Form/Participant.tpl
index 07de7971f3..3fb2212b7b 100644
--- a/templates/CRM/Event/Form/Participant.tpl
+++ b/templates/CRM/Event/Form/Participant.tpl
@@ -404,7 +404,7 @@
             return;
           }
 
-          var participantId  = "{/literal}{$participantId}{literal}";
+          var participantId  = {/literal}{$participantId|@json_encode}{literal};
 
           if (participantId) {
             dataUrl += '&participantId=' + participantId;
diff --git a/templates/CRM/Member/Form/Membership.tpl b/templates/CRM/Member/Form/Membership.tpl
index 5d3bb8eef6..cdda8dd679 100644
--- a/templates/CRM/Member/Form/Membership.tpl
+++ b/templates/CRM/Member/Form/Membership.tpl
@@ -299,11 +299,10 @@
         // skip this for test and live modes because financial type is set automatically
         cj("#financial_type_id").val(allMemberships[memType]['financial_type_id']);
         var term = cj('#num_terms').val();
-        var taxRates = '{/literal}{$taxRates}{literal}';
-        var taxTerm = '{/literal}{$taxTerm}{literal}';
-        var taxRates = JSON.parse(taxRates);
+        var taxRates = {/literal}{$taxRates}{literal};
+        var taxTerm = {/literal}{$taxTerm|@json_encode}{literal};
         var taxRate = taxRates[allMemberships[memType]['financial_type_id']];
-        var currency = '{/literal}{$currency}{literal}';
+        var currency = {/literal}{$currency|@json_encode}{literal};
         var taxAmount = (taxRate/100)*allMemberships[memType]['total_amount_numeric'];
         taxAmount = isNaN (taxAmount) ? 0:taxAmount;
         if (term) {
@@ -541,10 +540,10 @@
       var action = {/literal}'{$action}'{literal};
 
       //for update lets hide it when not already recurring.
-      if ( action == 2 ) {
+      if (action == 2) {
         //user can't cancel auto renew by unchecking.
-        if ( cj("#auto_renew").prop('checked' ) ) {
-          cj("#auto_renew").attr( 'readonly', true );
+        if (cj("#auto_renew").prop('checked')) {
+          cj("#auto_renew").attr('readonly', true);
         }
         else {
           cj("#autoRenew").hide( );
@@ -552,16 +551,22 @@
       }
 
       //we should do all auto renew for cc memberships.
-      if ( !mode ) return;
+      if (!mode) {
+        return;
+      }
 
       //get the required values in case missing.
-      if ( !processorId )  processorId = cj( '#payment_processor_id' ).val( );
-      if ( !membershipType ) membershipType = parseInt( cj('#membership_type_id_1').val( ) );
+      if (!processorId) {
+        processorId = cj( '#payment_processor_id' ).val( );
+      }
+      if (!membershipType) {
+        membershipType = parseInt( cj('#membership_type_id_1').val( ) );
+      }
 
       //we don't have both required values.
-      if ( !processorId || !membershipType ) {
-        cj("#auto_renew").prop('checked', false );
-        cj("#autoRenew").hide( );
+      if (!processorId || !membershipType) {
+        cj("#auto_renew").prop('checked', false);
+        cj("#autoRenew").hide();
         showEmailOptions();
         return;
       }
@@ -570,26 +575,24 @@
       var autoRenewOptions = {/literal}{$autoRenewOptions}{literal};
       var currentOption    = autoRenewOptions[membershipType];
 
-      if ( !currentOption || !recurProcessors[processorId] ) {
+      if (!currentOption || !recurProcessors[processorId]) {
         cj("#auto_renew").prop('checked', false );
         cj("#autoRenew").hide();
         return;
       }
 
-      if ( currentOption == 1 ) {
-        cj("#autoRenew").show( );
-        if ( cj("#auto_renew").attr( 'readonly' ) ) {
-          cj("#auto_renew").prop('checked', false );
-          cj("#auto_renew").removeAttr( 'readonly' );
+      if (currentOption == 1) {
+        cj("#autoRenew").show();
+        if (cj("#auto_renew").attr('readonly')) {
+          cj("#auto_renew").prop('checked', false).removeAttr('readonly');
         }
       }
       else if ( currentOption == 2 ) {
-        cj("#autoRenew").show( );
-        cj("#auto_renew").prop('checked', true );
-        cj("#auto_renew").attr( 'readonly', true );
+        cj("#autoRenew").show();
+        cj("#auto_renew").prop('checked', true).attr('readonly', true);
       }
       else {
-        cj("#auto_renew").prop('checked', false );
+        cj("#auto_renew").prop('checked', false);
         cj("#autoRenew").hide( );
       }
       showEmailOptions();
@@ -599,21 +602,18 @@
 
     {literal}
 
-    var customDataType = '{/literal}{$customDataType}{literal}';
+    var customDataType = {/literal}{$customDataType|@json_encode}{literal};
 
     // load form during form rule.
     {/literal}{if $buildPriceSet}{literal}
-    cj( "#totalAmountORPriceSet" ).hide( );
-    cj( "#mem_type_id" ).hide( );
-    cj('#total_amount').attr("readonly", true);
-    cj( "#num_terms_row" ).hide( );
-    cj(".crm-membership-form-block-financial_type_id-mode").hide();
+      cj("#totalAmountORPriceSet, #mem_type_id, #num_terms_row, .crm-membership-form-block-financial_type_id-mode").hide();
+      cj('#total_amount').attr("readonly", true);
     {/literal}{/if}{literal}
 
     function buildAmount( priceSetId ) {
-  if ( !priceSetId ) {
-    priceSetId = cj("#price_set_id").val( );
-  }
+      if (!priceSetId) {
+        priceSetId = cj("#price_set_id").val();
+      }
         var fname = '#priceset';
         if ( !priceSetId ) {
         cj('#membership_type_id_1').val(0);
@@ -624,7 +624,7 @@
 
         // show/hide price set amount and total amount.
         cj( "#mem_type_id").show( );
-        var choose = "{/literal}{ts}Choose price set{/ts}{literal}";
+        var choose = "{/literal}{ts escape='js'}Choose price set{/ts}{literal}";
         cj("#price_set_id option[value='']").html( choose );
         cj( "#totalAmountORPriceSet" ).show( );
         cj('#total_amount').removeAttr("readonly");
@@ -632,16 +632,13 @@
         cj(".crm-membership-form-block-financial_type_id-mode").show();
 
         {/literal}{if $allowAutoRenew}{literal}
-        cj('#autoRenew').hide();
-        var autoRenew = cj("#auto_renew");
-        autoRenew.removeAttr( 'readOnly' );
-        autoRenew.prop('checked', false );
+          cj('#autoRenew').hide();
+          cj("#auto_renew").removeAttr('readOnly').prop('checked', false );
         {/literal}{/if}{literal}
         return;
       }
 
-      cj( "#total_amount" ).val( '' );
-      cj('#total_amount').attr("readonly", true);
+      cj( "#total_amount" ).val('').attr("readonly", true);
 
       var dataUrl = {/literal}"{crmURL h=0 q='snippet=4'}"{literal} + '&priceSetId=' + priceSetId;
 
@@ -655,7 +652,7 @@
 
       cj( "#totalAmountORPriceSet" ).hide( );
       cj( "#mem_type_id" ).hide( );
-      var manual = "{/literal}{ts}Manual membership and price{/ts}{literal}";
+      var manual = "{/literal}{ts escape='js'}Manual membership and price{/ts}{literal}";
       cj("#price_set_id option[value='']").html( manual );
       cj( "#num_terms_row" ).hide( );
       cj(".crm-membership-form-block-financial_type_id-mode").hide();
@@ -711,14 +708,12 @@
         {/literal}{if $allowAutoRenew}{literal}
         cj('#autoRenew').hide();
         var autoRenew = cj("#auto_renew");
-        autoRenew.removeAttr( 'readOnly' );
-        autoRenew.prop('checked', false );
-        if ( autoRenewOption == 1 ) {
+        autoRenew.removeAttr('readOnly').prop('checked', false );
+        if (autoRenewOption == 1) {
           cj('#autoRenew').show();
         }
-        else if ( autoRenewOption == 2 ) {
-          autoRenew.attr( 'readOnly', true );
-          autoRenew.prop('checked',  true );
+        else if (autoRenewOption == 2) {
+          autoRenew.attr('readOnly', true).prop('checked',  true );
           cj('#autoRenew').show();
         }
         {/literal}{/if}{literal}
diff --git a/templates/CRM/Profile/Form/GreetingType.tpl b/templates/CRM/Profile/Form/GreetingType.tpl
index d23a64f476..14e5c808f0 100644
--- a/templates/CRM/Profile/Form/GreetingType.tpl
+++ b/templates/CRM/Profile/Form/GreetingType.tpl
@@ -27,7 +27,7 @@
 <span>{$form.$n.html|crmAddClass:big}</span>&nbsp;<span id="{$customGreeting}_html" class="hiddenElement">{$form.$customGreeting.html|crmAddClass:big}</span>
 
 <script type="text/javascript">
-var fieldName = '{$n}';
+var fieldName = {$n|@json_encode};
 {literal}
 cj( "#" + fieldName ).change( function( ) {
     var fldName = cj(this).attr( 'id' );
diff --git a/templates/CRM/common/deferredFinancialType.tpl b/templates/CRM/common/deferredFinancialType.tpl
index 36f841ed17..f94e29f03e 100644
--- a/templates/CRM/common/deferredFinancialType.tpl
+++ b/templates/CRM/common/deferredFinancialType.tpl
@@ -30,9 +30,9 @@
 CRM.$(function($) {
   var more = $('.crm-button input.validate').click(function(e) {
     var message = "{/literal} {if $context eq 'Event'}
-        {ts}Note: Revenue for this event registration will not be deferred as the financial type does not have a deferred revenue account setup for it. If you want the revenue to be deferred, please select a different Financial Type with a Deferred Revenue account setup for it, or setup a Deferred Revenue account for this Financial Type.{/ts}
+        {ts escape='js'}Note: Revenue for this event registration will not be deferred as the financial type does not have a deferred revenue account setup for it. If you want the revenue to be deferred, please select a different Financial Type with a Deferred Revenue account setup for it, or setup a Deferred Revenue account for this Financial Type.{/ts}
       {else if $context eq 'MembershipType'}
-        {ts}Note: Revenue for these types of memberships will not be deferred as the financial type does not have a deferred revenue account setup for it. If you want the revenue to be deferred, please select a different Financial Type with a Deferred Revenue account setup for it, or setup a Deferred Revenue account for this Financial Type.{/ts}
+        {ts escape='js'}Note: Revenue for these types of memberships will not be deferred as the financial type does not have a deferred revenue account setup for it. If you want the revenue to be deferred, please select a different Financial Type with a Deferred Revenue account setup for it, or setup a Deferred Revenue account for this Financial Type.{/ts}
       {/if}
     {literal}";
     var deferredFinancialType = {/literal}{$deferredFinancialType|@json_encode}{literal};
diff --git a/templates/CRM/common/importProgress.tpl b/templates/CRM/common/importProgress.tpl
index b0666c3d88..e5f538d9bc 100644
--- a/templates/CRM/common/importProgress.tpl
+++ b/templates/CRM/common/importProgress.tpl
@@ -36,7 +36,7 @@ CRM.$(function($) {
     }
   });
   function setIntermediate() {
-    var dataUrl = "{/literal}{$statusUrl}{literal}";
+    var dataUrl = {/literal}{$statusUrl|@json_encode}{literal};
     $.getJSON(dataUrl, function(response) {
       var dataStr = response.toString();
       var result  = dataStr.split(",");
diff --git a/templates/CRM/common/paymentBlock.tpl b/templates/CRM/common/paymentBlock.tpl
index 57cc8c3ae6..d176e10226 100644
--- a/templates/CRM/common/paymentBlock.tpl
+++ b/templates/CRM/common/paymentBlock.tpl
@@ -64,7 +64,7 @@
    */
   function skipPaymentMethod() {
     var isHide = false;
-    var isMultiple = '{/literal}{$event.is_multiple_registrations}{literal}';
+    var isMultiple = {/literal}{$event.is_multiple_registrations|@json_encode}{literal};
     var alwaysShowFlag = (isMultiple && cj("#additional_participants").val());
     var alwaysHideFlag = (cj("#bypass_payment").val() == 1);
     var total_amount_tmp =  cj('#pricevalue').data('raw-total');
-- 
2.25.1