Opened Oct 03, 2019 by Michael McAndrew (@michaelmcandrew, Developer)

Do not escape html in report header and footers on API create

ReportInstance.create escapes the HTML when inserting into the DB (and when retrieving, it seems) but other parts of the UI do not.

civicrm_report_instance.header and civicrm_report_instance.footer both contain HTML that (if I am following https://lab.civicrm.org/dev/core/blob/master/CRM/Utils/API/HTMLInputCoder.php correctly - @colemanw - you touched that file recently) should not be escaped.

Adding 'header' and 'footer' to the list of fields that should not be escaped fixes the issue.

Aside: CRM_Utils_API_HTMLInputCoder::getSkipFields() seems flawed in that it does not specify the entity of the field that is to be ignored. Thankfully, in this instance, 'header' and 'footer' are only used in civicrm_report_instance in the CiviCRM DB schema, but it feels like this class could end up inadvertently not escaping HTML that should be escaped (and maybe that is a potential security issue?)
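As an added illustration (not CiviCRM's own HTMLInputCoder code), the contrast between a skip list keyed by field name alone, as the aside describes getSkipFields(), and one qualified by entity; the 'Widget' entity and its plain-text 'header' field are constructed for the example and are not claimed to exist in CiviCRM.

```php
<?php
// Added illustration, not CiviCRM code: name-only vs entity-qualified skip lists.

// Name-only skip list, the shape the issue describes getSkipFields() as having,
// with 'header' and 'footer' added as the issue proposes.
$skipByName = ['header', 'footer'];

// Entity-qualified alternative: the same fields, scoped to ReportInstance only.
$skipByEntity = [
    'ReportInstance' => ['header', 'footer'],
];

function encodeValue(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escapes every field except those whose *name* is on the skip list.
function encodeParamsByName(array $params, array $skipFields): array {
    foreach ($params as $field => $value) {
        if (!in_array($field, $skipFields, true)) {
            $params[$field] = encodeValue($value);
        }
    }
    return $params;
}

// Escapes every field except those skipped for *this entity*.
function encodeParamsByEntity(string $entity, array $params, array $skip): array {
    $skipFields = $skip[$entity] ?? [];
    foreach ($params as $field => $value) {
        if (!in_array($field, $skipFields, true)) {
            $params[$field] = encodeValue($value);
        }
    }
    return $params;
}

// Report instance (constructed sample): header is intended HTML, title is not.
$report = ['title' => 'Q3 <b>Sales</b>', 'header' => '<h1>Report</h1>'];
// Both approaches keep the header's HTML and escape the title.
var_dump(encodeParamsByName($report, $skipByName));
var_dump(encodeParamsByEntity('ReportInstance', $report, $skipByEntity));

// Hypothetical other entity whose 'header' field is meant to be plain text.
$other = ['header' => '<em>user-supplied markup</em>'];
// Name-only list: the value is NOT escaped, which is the risk the aside raises.
var_dump(encodeParamsByName($other, $skipByName));
// Entity-qualified list: 'Widget' has no skip entries, so the value is escaped.
var_dump(encodeParamsByEntity('Widget', $other, $skipByEntity));
```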

Reference: dev/core#1286