From d1134220ff7fc1ce3227c7c17c568be1f229307c Mon Sep 17 00:00:00 2001
From: Sean Madsen
Date: Sat, 21 Apr 2018 22:11:56 -0400
Subject: [PATCH] Add HTML purification to status messages

This is a security protection measure that protects us just a little bit more against XSS.
---
 CRM/Core/Session.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CRM/Core/Session.php b/CRM/Core/Session.php
index ccadd74bcd..7c1c1a42a1 100644
--- a/CRM/Core/Session.php
+++ b/CRM/Core/Session.php
@@ -471,6 +471,10 @@ class CRM_Core_Session {
     $session = self::singleton();
     $session->initialize();
 
+    // Sanitize any HTML we're displaying. This helps prevent reflected XSS in error messages.
+    $text = CRM_Utils_String::purifyHTML($text);
+    $title = CRM_Utils_String::purifyHTML($title);
+
     // default options
     $options += array('unique' => TRUE);
 
-- 
2.25.1
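Review bot: The added comment overstates what the two purifyHTML calls buy: CRM_Utils_String::purifyHTML is an allowlist filter that keeps permitted markup, not an escape, so a caller that passes untrusted text intended as plain text still has to escape it before calling, and this line only removes what the purifier's policy forbids. I would state that limit in the comment, e.g. `// Purify the HTML we're about to display (defence in depth against reflected XSS). This is an allowlist filter, not an escape: callers passing untrusted plain text must still escape it first.` The enclosing method's signature and docblock begin outside the hunk; that docblock should say that $text and $title are treated as HTML and purified on entry so callers know the contract. If either parameter may arrive as null rather than a string, confirm purifyHTML tolerates that before relying on this path.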