security/core#14 Validate "context" inputs · edc80cda
Sean Madsen authored, totten committed
    When "context" is passed as a GET parameter, ensure that its value is
    a valid "Alphanumeric" type. This helps prevent XSS when the "context"
    value finds its way into templates that lack HTML output encoding.
    
    Replace...
    
        CRM_Utils_Request::retrieve\((['"])context\1,(\s*)(['"])String\3
    
    ...with...
    
        CRM_Utils_Request::retrieve\($1context$1,$3Alphanumeric$3
    
    Also search for the following and manually fix:
    
        \$_GET\[(['"])context\1\]
        \$_POST\[(['"])context\1\]
        \$_REQUEST\[(['"])context\1\]
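The type change the commit describes, shown as an added stand-alone example rather than CiviCRM's own code: `validate_context()` is a hypothetical stand-in for the request retrieval, and the alphanumeric pattern it applies is an assumption about what the "Alphanumeric" rule accepts.

```php
<?php
// Added example, not part of the CiviCRM commit. It contrasts the loose "String"
// rule with the "Alphanumeric" rule the commit switches "context" to, so that
// markup in the request value never reaches a template that does not escape output.

// Hypothetical validator standing in for CRM_Utils_Request::retrieve().
// Returns the accepted value, or null when the value is absent or rejected.
function validate_context(array $request, string $type): ?string
{
    if (!isset($request['context'])) {
        return null;
    }
    $value = (string) $request['context'];

    switch ($type) {
        case 'Alphanumeric':
            // Assumed rule: letters, digits and underscore only; anything else fails.
            return preg_match('/^[A-Za-z0-9_]+$/', $value) === 1 ? $value : null;
        case 'String':
            // The loose rule: any string passes, so markup flows through unchanged.
            return $value;
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Constructed inputs: a legitimate context value and one carrying HTML markup.
$benign  = ['context' => 'search'];
$hostile = ['context' => 'search<b>x</b>'];

// Under "String" both values are accepted, so the markup reaches the template.
var_dump(validate_context($benign, 'String'));
var_dump(validate_context($hostile, 'String'));

// Under "Alphanumeric" the benign value is kept and the markup-bearing one is rejected.
var_dump(validate_context($benign, 'Alphanumeric'));
var_dump(validate_context($hostile, 'Alphanumeric'));
```

Rejecting at the input boundary is a defence in depth only; templates should still HTML-encode every value they print.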