From eb6f50558b2261ff4371a76d12f305ac17b462eb Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Sat, 27 Oct 2018 15:08:25 +1100
Subject: [PATCH] Also Purify the output of the frozen entity reference and that of a select2 output as well

---
 CRM/Core/Form/Renderer.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CRM/Core/Form/Renderer.php b/CRM/Core/Form/Renderer.php
index 0d1bd6cb77..8284722026 100644
--- a/CRM/Core/Form/Renderer.php
+++ b/CRM/Core/Form/Renderer.php
@@ -307,7 +307,7 @@ class CRM_Core_Form_Renderer extends HTML_QuickForm_Renderer_ArraySmarty {
 foreach (explode(',', $val) as $item) {
 $match = CRM_Utils_Array::findInTree($item, $params['data']);
 if (isset($match['text']) && strlen($match['text'])) {
- $display[] = $match['text'];
+ $display[] = CRM_Utils_String::purifyHTML($match['text']);
 }
 }
 $el['html'] = implode('; ', $display) . '';
@@ -335,7 +335,7 @@ class CRM_Core_Form_Renderer extends HTML_QuickForm_Renderer_ArraySmarty {
 // Format contact as link
 if ($entity == 'contact' && CRM_Contact_BAO_Contact_Permission::allow($val['id'], CRM_Core_Permission::VIEW)) {
 $url = CRM_Utils_System::url("civicrm/contact/view", array('reset' => 1, 'cid' => $val['id']));
- $val['label'] = '' . $val['label'] . '';
+ $val['label'] = '' . CRM_Utils_String::purifyHTML($val['label']) . '';
 }
 $display[] = $val['label'];
 }
-- 
2.25.1
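Review bot: The purified value is appended after the `strlen` guard on the preceding line, so a label made only of markup the purifier strips (if `CRM_Utils_String::purifyHTML` can return an empty string, which is not visible here) becomes an empty entry in the `'; '`-joined output. Purify first and test the result instead: `$text = isset($match['text']) ? CRM_Utils_String::purifyHTML($match['text']) : '';` followed by `if (strlen($text)) { $display[] = $text; }`. It is also worth a comment on why a purifier rather than plain escaping is the right treatment for an option label, e.g. `// Option labels may legitimately carry markup; purify rather than escape`, because a purifier still lets a safe subset of tags through, and if these labels are plain text `htmlspecialchars()` would be the tighter fix. The enclosing method starts and ends outside the hunk.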
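Review bot: The label is purified only inside the contact-with-VIEW-permission branch; when `$entity` is not `'contact'` or the permission check fails, `$display[] = $val['label'];` on the last line of the hunk still emits the label unsanitised, unless it was already purified before this hunk (not visible here). Moving the call ahead of the `if` closes that path: `$val['label'] = CRM_Utils_String::purifyHTML($val['label']);` just before `// Format contact as link`, with the link branch then wrapping the already-purified `$val['label']`. The empty `''` literals around the label look like anchor markup lost in extraction; if `$url` is interpolated into an `href` attribute there, it should be attribute-escaped as well, since nothing shown here establishes that `CRM_Utils_System::url()` output is. The enclosing loop and method continue outside the hunk.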