[MediaWiki-commits] [Gerrit] wikimedia...civicrm[master]: CRM-21006 - Escape all title and alt attributes

2017-09-26 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/380671 )

Change subject: CRM-21006 - Escape all title and alt attributes
..


CRM-21006 - Escape all title and alt attributes

https://github.com/civicrm/civicrm-core/pull/10990

This commit opportunistically adds HTML output encoding to all Smarty
variables any time they appear within an HTML `title` or `alt`
attribute. Why? Because this helps us prevent XSS and is very very
unlikely to cause any unwanted side effects.

Code locations found by searching the `templates` directory for:

(title|alt)=(['"])((?!\2).)*\{\$((?!(\|(escape|crmDate))|\}).)+\}((?!\2).)*\2

Change-Id: Icffa15ceb585343023a3509f280387d138653e61
---
M templates/CRM/Activity/Form/ActivityLinks.tpl
M templates/CRM/Admin/Page/Admin.tpl
M templates/CRM/Admin/Page/ConfigTaskList.tpl
M templates/CRM/Contact/Form/Edit/Tagtree.tpl
M templates/CRM/Contact/Page/Inline/Actions.tpl
M templates/CRM/Contact/Page/View/Summary.tpl
M templates/CRM/Contribute/Form/Contribution/PremiumBlock.tpl
M templates/CRM/Dashlet/Page/Blog.tpl
M templates/CRM/Event/Page/DashBoard.tpl
M templates/CRM/Friend/Form.tpl
M templates/CRM/Report/Form/Contact/Detail.tpl
M templates/CRM/Report/Form/Fields.tpl
M templates/CRM/Report/Form/Layout/Overlay.tpl
M templates/CRM/Report/Page/InstanceList.tpl
M templates/CRM/Tag/Form/Tagtree.tpl
M templates/CRM/common/TabHeader.tpl
16 files changed, 39 insertions(+), 39 deletions(-)

Approvals:
  jenkins-bot: Verified
  Ejegg: Looks good to me, approved



diff --git a/templates/CRM/Activity/Form/ActivityLinks.tpl 
b/templates/CRM/Activity/Form/ActivityLinks.tpl
index d1f2359..a3b2332 100644
--- a/templates/CRM/Activity/Form/ActivityLinks.tpl
+++ b/templates/CRM/Activity/Form/ActivityLinks.tpl
@@ -68,10 +68,10 @@
 {if $hookLinks}
{foreach from=$hookLinks item=link}
 
-
   {if $link.img}
- 
+ 
   {/if}
   {$link.name}
 
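Review bot: the `{$link.name}` on the context line after `{/if}` is element content, not a `title`/`alt` attribute, so the `|escape` this change adds to attributes does not cover it; worth confirming that `hookLinks` names are already escaped before they reach the template. The removed and added lines inside `{if $link.img}` read identically in this rendering, so the attribute edit itself cannot be checked from the visible hunk.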
diff --git a/templates/CRM/Admin/Page/Admin.tpl 
b/templates/CRM/Admin/Page/Admin.tpl
index 7144059..0a00fa7 100644
--- a/templates/CRM/Admin/Page/Admin.tpl
+++ b/templates/CRM/Admin/Page/Admin.tpl
@@ -72,7 +72,7 @@
 {foreach from=$group.fields item=panelItem  key=panelName 
name=groupLoop}
 
 
-
+
 
 
 {$panelItem.title}
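Review bot: same scope point for `{$panelItem.title}` on the last context line: it is rendered as element text, outside the attribute edited on the `+` line, so it stays uncovered by this change and should be checked separately.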
diff --git a/templates/CRM/Admin/Page/ConfigTaskList.tpl 
b/templates/CRM/Admin/Page/ConfigTaskList.tpl
index 752eb04..0c66542 100644
--- a/templates/CRM/Admin/Page/ConfigTaskList.tpl
+++ b/templates/CRM/Admin/Page/ConfigTaskList.tpl
@@ -35,15 +35,15 @@
 {ts}Site Configuration and Registration{/ts}
 
 
-{ts}Localization{/ts}
+{ts}Localization{/ts}
 {ts}Localization settings include user language, default currency 
and available countries for address input.{/ts}
 
 
-{ts}Organization Address and Contact Info{/ts}
+{ts}Organization Address and Contact 
Info{/ts}
 {ts}Organization name, email address for system-generated emails, 
organization address{/ts}
 
 
-{ts}Enable components{/ts}
+{ts}Enable components{/ts}
 {ts}Enable the required CiviCRM components.(CiviContribute, 
CiviEvent etc.){/ts}
 
 
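Review bot: every `-`/`+` pair in this hunk wraps a static `{ts}...{/ts}` string and the visible text of each pair is unchanged, so the edit is confined to the attribute markup (stripped from this rendering); since the values are translator strings rather than request data, the escaping here is defensive only. One thing to check: a translation that already contains an entity such as `&amp;` will now be double-encoded in the attribute once `|escape` is applied.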
@@ -55,27 +55,27 @@
 {ts}Viewing and Editing Contacts{/ts}
 
 
-{ts}Display Preferences{/ts}
+{ts}Display Preferences{/ts}
 {ts}Configure screen and form elements for Viewing Contacts, 
Editing Contacts, Advanced Search, Contact Dashboard and WYSIWYG 
Editor.{/ts}
 
 
-{ts}Address Settings{/ts}
+{ts}Address Settings{/ts}
 {ts}Format addresses in mailing labels, input forms and screen 
display.{/ts}
 
 
-{ts}Mapping and Geocoding{/ts}
+{ts}Mapping and Geocoding{/ts}
 {ts}Configure a mapping provider (e.g. Google or Yahoo) to display 
maps for contact addresses and event locations.{/ts}
 
 
-{ts}Search 
Settings{/ts}
+{ts}Search Settings{/ts}
 {ts}Adjust search behaviors including wildcards, and data to 
include in quick search results. Adjusting search settings can improve 
performance for larger datasets.{/ts}
 
 
-{ts}Misc (Undelete, PDFs, Limits, Logging, Captcha, 
etc.){/ts}
+{ts}Misc (Undelete, PDFs, Limits, Logging, Captcha, 
etc.){/ts}
 {ts}Version reporting and alerts, reCAPTCHA configuration and 
attachments.{/ts}
 
 
-{ts}Contact Types{/ts}
+{ts}Contact Types{/ts}
 {ts}You can modify the names of the built-in contact types 
(Individual, Household, Organizations), and you can create or modify "contact 
subtypes" for more specific uses (e.g. Student, Parent, Team, etc.).{/ts}
 
 
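Review bot: the `-` side of the `Search Settings` pair is split across two lines while the `+` side is on one, and the `Misc (...)` pair is wrapped the same way on both sides; that is mail-client line wrapping, not a content change, so as in the previous hunk the only edit is inside the attribute markup and the hunk keeps a one-to-one line count (27 in, 27 out) as the header states.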
@@ -83,11 +83,11 @@
 {ts}Sending Emails (includ

[MediaWiki-commits] [Gerrit] wikimedia...civicrm[master]: CRM-21006 - Escape all title and alt attributes

2017-09-25 Thread Eileen (Code Review)
Eileen has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/380671 )

Change subject: CRM-21006 - Escape all title and alt attributes
..

CRM-21006 - Escape all title and alt attributes

https://github.com/civicrm/civicrm-core/pull/10990

This commit opportunistically adds HTML output encoding to all Smarty
variables any time they appear within an HTML `title` or `alt`
attribute. Why? Because this helps us prevent XSS and is very very
unlikely to cause any unwanted side effects.

Code locations found by searching the `templates` directory for:

(title|alt)=(['"])((?!\2).)*\{\$((?!(\|(escape|crmDate))|\}).)+\}((?!\2).)*\2

Change-Id: Icffa15ceb585343023a3509f280387d138653e61
---
M templates/CRM/Activity/Form/ActivityLinks.tpl
M templates/CRM/Admin/Page/Admin.tpl
M templates/CRM/Admin/Page/ConfigTaskList.tpl
M templates/CRM/Contact/Form/Edit/Tagtree.tpl
M templates/CRM/Contact/Page/Inline/Actions.tpl
M templates/CRM/Contact/Page/View/Summary.tpl
M templates/CRM/Contribute/Form/Contribution/PremiumBlock.tpl
M templates/CRM/Dashlet/Page/Blog.tpl
M templates/CRM/Event/Page/DashBoard.tpl
M templates/CRM/Friend/Form.tpl
M templates/CRM/Report/Form/Contact/Detail.tpl
M templates/CRM/Report/Form/Fields.tpl
M templates/CRM/Report/Form/Layout/Overlay.tpl
M templates/CRM/Report/Page/InstanceList.tpl
M templates/CRM/Tag/Form/Tagtree.tpl
M templates/CRM/common/TabHeader.tpl
16 files changed, 39 insertions(+), 39 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/fundraising/crm/civicrm refs/changes/71/380671/1
