diff --git a/civicrm.php b/civicrm.php index 812edb0a749f5bd1d416103bb72d4945ffe2fe88..c3682390714bb144df260630ddb04df0e514fdfc 100644 --- a/civicrm.php +++ b/civicrm.php @@ -2,7 +2,7 @@ /** * Plugin Name: CiviCRM * Description: CiviCRM - Growing and Sustaining Relationships - * Version: 5.35.0 + * Version: 5.35.1 * Requires at least: 4.9 * Requires PHP: 7.2 * Author: CiviCRM LLC @@ -54,7 +54,7 @@ if (!defined('ABSPATH')) { } // Set version here: when it changes, will force Javascript & CSS to reload. -define('CIVICRM_PLUGIN_VERSION', '5.35.0'); +define('CIVICRM_PLUGIN_VERSION', '5.35.1'); // Store reference to this file. if (!defined('CIVICRM_PLUGIN_FILE')) { diff --git a/civicrm/CRM/Campaign/Form/Task.php b/civicrm/CRM/Campaign/Form/Task.php index 8765bdcdc4c9e316eae854e89306daf6b133f11a..924e49ed4f29b6d772ff7c4dee7d476521b3e09e 100644 --- a/civicrm/CRM/Campaign/Form/Task.php +++ b/civicrm/CRM/Campaign/Form/Task.php @@ -35,7 +35,7 @@ class CRM_Campaign_Form_Task extends CRM_Core_Form_Task { $this->_task = $values['task']; - $ids = $form->getSelectedIDs($values); + $ids = $this->getSelectedIDs($values); if (!$ids) { $qfKey = CRM_Utils_Request::retrieve('qfKey', 'String', $this); diff --git a/civicrm/CRM/Upgrade/Incremental/php/FiveThirtyOne.php b/civicrm/CRM/Upgrade/Incremental/php/FiveThirtyOne.php index 42b905011c0dc34ab97c21dfdce1ae4d22da57d4..7a1f2d23a31279c70250e44aa282d7bf9cb97677 100644 --- a/civicrm/CRM/Upgrade/Incremental/php/FiveThirtyOne.php +++ b/civicrm/CRM/Upgrade/Incremental/php/FiveThirtyOne.php 
@@ -58,7 +58,7 @@ class CRM_Upgrade_Incremental_php_FiveThirtyOne extends CRM_Upgrade_Incremental_ * @param string $rev */ public function upgrade_5_31_alpha1($rev) { - $this->addTask('Expand internal civicrm group title field to be 255 in length', 'grouptitlefieldExpand'); + $this->addTask('Expand internal civicrm group title field to be 255 in length', 'groupTitleRestore'); $this->addTask('Add in optional public title group table', 'addColumn', 'civicrm_group', 'frontend_title', "varchar(255) DEFAULT NULL COMMENT 'Alternative public title for this Group.'", TRUE, '5.31.alpha1', FALSE); $this->addTask('Add in optional public description group table', 'addColumn', 'civicrm_group', 'frontend_description', "text DEFAULT NULL COMMENT 'Alternative public description of the group.'", TRUE, '5.31.alpha1'); $this->addTask(ts('Upgrade DB to %1: SQL', [1 => $rev]), 'runSql', $rev); @@ -145,30 +145,6 @@ class CRM_Upgrade_Incremental_php_FiveThirtyOne extends CRM_Upgrade_Incremental_ return TRUE; } - /** - * Expands the length of the civicrm_group.title field in the database to be 255. - * - * @param \CRM_Queue_TaskContext $ctx - * - * @return bool - */ - public static function grouptitlefieldExpand(CRM_Queue_TaskContext $ctx) { - $locales = CRM_Core_I18n::getMultilingual(); - $queries = []; - if ($locales) { - foreach ($locales as $locale) { - $queries[] = "ALTER TABLE civicrm_group CHANGE `title_{$locale}` `title_{$locale}` varchar(255) NOT NULL COMMENT 'Name of Group.'"; - } - } - else { - $queries[] = "ALTER TABLE civicrm_group CHANGE `title` `title` varchar(255) NOT NULL COMMENT 'Name of Group.'"; - } - foreach ($queries as $query) { - CRM_Core_DAO::executeQuery($query, [], TRUE, NULL, FALSE, FALSE); - } - return TRUE; - } - /** * The prior task grouptitlefieldExpand went a bit too far in making the `title` NOT NULL. * 
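Review bot: The task label in `upgrade_5_31_alpha1` still reads 'Expand internal civicrm group title field to be 255 in length' while the callback is now `groupTitleRestore`, so the upgrade progress UI describes a step that no longer matches what runs; rename it, e.g. `$this->addTask('Restore civicrm_group.title column definition (fixes over-strict 5.31 change)', 'groupTitleRestore');`. Because `grouptitlefieldExpand` is deleted in the next hunk and was the only visible task that widened `title` to 255, confirm that `groupTitleRestore` (its body is outside this diff) also performs the widening for sites upgrading from before 5.31; otherwise those installs never get the longer column. The surviving docblock 'The prior task grouptitlefieldExpand went a bit too far in making the `title` NOT NULL' now names a method that no longer exists — reword it to refer to the 5.31.alpha1 expansion step instead.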
diff --git a/civicrm/CRM/Upgrade/Incremental/sql/5.35.1.mysql.tpl b/civicrm/CRM/Upgrade/Incremental/sql/5.35.1.mysql.tpl new file mode 100644 index 0000000000000000000000000000000000000000..3c31ebf5ebf5d2693343c28f5b48d59eab11e66f --- /dev/null +++ b/civicrm/CRM/Upgrade/Incremental/sql/5.35.1.mysql.tpl @@ -0,0 +1 @@ +{* file to handle db changes in 5.35.1 during upgrade *} diff --git a/civicrm/CRM/Utils/System.php b/civicrm/CRM/Utils/System.php index 5c27f998d451fb88c75aaf7b1cb3e8b67a14932f..4be0a9588857a8696948b2b4a2d60432b4167959 100644 --- a/civicrm/CRM/Utils/System.php +++ b/civicrm/CRM/Utils/System.php @@ -629,7 +629,7 @@ class CRM_Utils_System { ); } - if ($key !== $siteKey) { + if (!hash_equals($siteKey, $key)) { return self::authenticateAbort( "ERROR: Invalid key value sent. " . $docAdd . "\n", $abort diff --git a/civicrm/CRM/Utils/System/Joomla.php b/civicrm/CRM/Utils/System/Joomla.php index 7883e484e0ca858dd83ce24e517004800ffdb4a8..6f446cb8e91e8e61033a094866120f5ef4ff179d 100644 --- a/civicrm/CRM/Utils/System/Joomla.php +++ b/civicrm/CRM/Utils/System/Joomla.php @@ -105,9 +105,8 @@ class CRM_Utils_System_Joomla extends CRM_Utils_System_Base { public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email') { $config = CRM_Core_Config::singleton(); - $dao = new CRM_Core_DAO(); - $name = $dao->escape(CRM_Utils_Array::value('name', $params)); - $email = $dao->escape(CRM_Utils_Array::value('mail', $params)); + $name = CRM_Utils_Array::value('name', $params); + $email = CRM_Utils_Array::value('mail', $params); //don't allow the special characters and min. username length is two //regex \\ to match a single backslash would become '/\\\\/' $isNotValid = (bool) preg_match('/[\<|\>|\"|\'|\%|\;|\(|\)|\&|\\\\|\/]/im', $name); 
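Review bot: `hash_equals($siteKey, $key)` requires both arguments to be strings, and `$key` is read from the inbound request outside this hunk: on PHP 8 a non-string value such as `?key[]=x` throws a TypeError, and on PHP 7 it emits a warning and returns false, so the failure mode differs from the old `!==`. Guard the type before comparing, `if (!is_string($key) || !hash_equals($siteKey, $key)) {`, so a malformed request still reaches `authenticateAbort` cleanly. Note that `hash_equals()` returns early when lengths differ, which still reveals the site key's length; if that matters, compare fixed-length digests instead (`hash_equals(hash('sha256', $siteKey), hash('sha256', $key))`). The enclosing method starts and ends outside this hunk.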
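Review bot: With the pre-escape removed, `$name` and `$email` are now exactly what `$params` holds, including `NULL` when a key is absent (the `CRM_Utils_Array::value` default), and the `preg_match()` on the next line then receives a null subject, which is deprecated on PHP 8.1+; normalise on the way in with `$name = (string) CRM_Utils_Array::value('name', $params);` and likewise for `$email`. The only remaining SQL protection for these values is the `$db->quote()` applied in the later hunks of this method, so any other interpolation of `$name`/`$email` in the part of `checkUserNameEmailExists()` that is outside this diff must be audited too. A one-line comment here would keep that contract visible: `// Raw values: quoting happens at the query via $db->quote().`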
@@ -123,7 +122,7 @@ class CRM_Utils_System_Joomla extends CRM_Utils_System_Base { $query->from($JUserTable->getTableName()); // LOWER in query below roughly translates to 'hurt my database without deriving any benefit' See CRM-19811. - $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) OR (LOWER(email) = LOWER(\'' . $email . '\'))'); + $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) OR (LOWER(email) = LOWER(' . $db->quote($email) . '))'); $db->setQuery($query, 0, 10); $users = $db->loadAssocList(); @@ -343,7 +342,7 @@ class CRM_Utils_System_Joomla extends CRM_Utils_System_Base { $query = $db->getQuery(TRUE); $query->select('id, name, username, email, password'); $query->from($JUserTable->getTableName()); - $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) AND (block = 0)'); + $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) AND (block = 0)'); $db->setQuery($query, 0, 0); $users = $db->loadObjectList(); diff --git a/civicrm/Civi/Core/AssetBuilder.php b/civicrm/Civi/Core/AssetBuilder.php index 155c32c77970df4d7c2462c046c23770009e2010..3e8a1fe5e8708b1150d870b7a6a391d9d8e2e783 100644 --- a/civicrm/Civi/Core/AssetBuilder.php +++ b/civicrm/Civi/Core/AssetBuilder.php @@ -189,9 +189,15 @@ class AssetBuilder { mkdir($this->getCachePath()); } - $rendered = $this->render($name, $params); - file_put_contents($this->getCachePath($fileName), $rendered['content']); - return $fileName; + try { + $rendered = $this->render($name, $params); + file_put_contents($this->getCachePath($fileName), $rendered['content']); + return $fileName; + } + catch (UnknownAssetException $e) { + // unexpected error, log and continue + \Civi::log()->error('Unexpected error while rendering a file in the AssetBuilder: ' . $e->getMessage(), ['exception' => $e]); + } } return $fileName; } 
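Review bot: `$db->quote()` is the right Joomla API here, but it returns an array when handed an array, and `LOWER(' . $db->quote($name) . ')` would then concatenate to the literal string `Array` instead of failing loudly; since `$name` and `$email` are no longer normalised before this point, cast before quoting, e.g. `$db->quote((string) $name)` and `$db->quote((string) $email)`. The `$db` handle and the rest of the method are outside this hunk, so I cannot confirm whether `$params` can carry non-scalar values — treat this as a defensive check. The same applies to the `block = 0` query in the following hunk.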
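Review bot: After the new `catch (UnknownAssetException $e)` logs the failure, control falls through to the trailing `return $fileName;`, so callers still receive the name of a cache file that was never written and will emit a URL that does not resolve; if that is the intended graceful degradation, state it in the catch, e.g. `// Asset could not be built; caller gets a path that will not resolve (dev/core#2137).`, otherwise return `NULL` or rethrow after logging. Also, PHP does not complain when a `catch` names a class that does not exist — the exception simply propagates — so confirm `UnknownAssetException` actually resolves inside the `Civi\Core` namespace (imported or fully qualified). Finally, `file_put_contents()` returning `FALSE` (unwritable cache dir, full disk) is still silently ignored; `if (file_put_contents($this->getCachePath($fileName), $rendered['content']) === FALSE) { \Civi::log()->error(...); }` would make the error path consistent with the new logging.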
diff --git a/civicrm/ang/api4Explorer/Explorer.js b/civicrm/ang/api4Explorer/Explorer.js index 82bce1904513f48cc5606e58a8553a8474a51e70..654c43f4d1dc435f8ce83dfbdf367b078e68028b 100644 --- a/civicrm/ang/api4Explorer/Explorer.js +++ b/civicrm/ang/api4Explorer/Explorer.js @@ -702,7 +702,7 @@ } _.each($scope.code, function(vals) { _.each(vals, function(style) { - style.code = code[style.name] ? prettyPrintOne(code[style.name]) : ''; + style.code = code[style.name] ? prettyPrintOne(_.escape(code[style.name])) : ''; }); }); } diff --git a/civicrm/civicrm-version.php b/civicrm/civicrm-version.php index ddefd88ce6b90df6b1a9f4a5d83297306b085921..35d8638feb4df3147ac5348b07bcf5786f9f2926 100644 --- a/civicrm/civicrm-version.php +++ b/civicrm/civicrm-version.php @@ -1,7 +1,7 @@ <?php /** @deprecated */ function civicrmVersion( ) { - return array( 'version' => '5.35.0', + return array( 'version' => '5.35.1', 'cms' => 'Wordpress', 'revision' => '' ); } diff --git a/civicrm/release-notes.md b/civicrm/release-notes.md index 220e60bd81b25fa6252d69f60ac8828d76305bbb..9a38911cf9e9cd5a20a17ab595ebb3f09dc10532 100644 --- a/civicrm/release-notes.md +++ b/civicrm/release-notes.md @@ -15,6 +15,16 @@ Other resources for identifying changes are: * https://github.com/civicrm/civicrm-joomla * https://github.com/civicrm/civicrm-wordpress +## CiviCRM 5.35.1 + +Released March 17, 2021 + +- **[Synopsis](release-notes/5.35.1.md#synopsis)** +- **[Security advisories](release-notes/5.35.1.md#security)** +- **[Bugs resolved](release-notes/5.35.1.md#bugs)** +- **[Credits](release-notes/5.35.1.md#credits)** +- **[Feedback](release-notes/5.35.1.md#feedback)** + ## CiviCRM 5.35.0 Released March 3, 2021 diff --git a/civicrm/release-notes/5.35.1.md b/civicrm/release-notes/5.35.1.md new file mode 100644 index 0000000000000000000000000000000000000000..f539638e09e0f46d00e7d19468070de709875701 --- /dev/null +++ b/civicrm/release-notes/5.35.1.md 
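Review bot: The `_.escape()` is required because `prettyPrintOne()` treats its first argument as HTML, but nothing on this line records that contract, and the next person to "simplify" it away will reintroduce the injection; add `// prettyPrintOne() takes HTML: escape the generated snippet first, it embeds user-typed API params (CIVI-SA-2021-04)` above the assignment. The prettified markup is presumably bound as trusted HTML further down the template (outside this hunk), so page safety now rests on prettify's output alone — verify no other raw `code[...]` value is bound there. The enclosing function starts outside this hunk.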
@@ -0,0 +1,58 @@ +# CiviCRM 5.35.1 + +Released March 17, 2021 + +- **[Synopsis](#synopsis)** +- **[Bugs resolved](#bugs)** +- **[Credits](#credits)** +- **[Feedback](#feedback)** + +## <a name="synopsis"></a>Synopsis + +| *Does this version...?* | | +| --------------------------------------------------------------- | -------- | +| Change the database schema? | no | +| Alter the API? | no | +| Require attention to configuration options? | no | +| **Fix problems installing or upgrading to a previous version?** | **yes** | +| Introduce features? | no | +| **Fix bugs?** | **yes** | + +## <a name="security"></a>Security advisories + +- **[CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs)**: Reflected Cross Site Scripting via Uploaded CSVs +- **[CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts)**: Web Executable Utility Scripts +- **[CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions)**: Cross Site Scripting in "Manage Extensions" +- **[CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer)**: Cross Site Scripting in the APIv4 Explorer +- **[CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages)**: Reflected Cross Site Scripting in Personal Campaign Pages +- **[CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key)**: Timing Attacks Against the Site Key +- **[CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration)**: SQL injection in Joomla user integration + +## <a name="bugs"></a>Bugs resolved + +* **_CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))** +* **_Upgrader_: Fix handling of "group_title" in certain upgrade-paths 
([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): [#19740](https://github.com/civicrm/civicrm-core/pull/19740))** +* **_D8 / Asset Builder_: Fail gracefully when certain resources cannot be generted ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))** + + A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable. + +## <a name="credits"></a>Credits + +Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit +GmbH contributed significantly to this release and other contemporaneous +security improvements. + +This release was developed by the following authors and reviewers: + +Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin +Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology +Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA +Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D; +CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly +Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt + +## <a name="feedback"></a>Feedback + +These release notes are edited by Tim Otten and Andrew Hunt. If you'd like to +provide feedback on them, please login to https://chat.civicrm.org/civicrm and +contact `@agh1`. diff --git a/civicrm/sql/civicrm_data.mysql b/civicrm/sql/civicrm_data.mysql index 893462d83369fd871fe2fe8ff6da6dd15dcce19e..60e0865d55eb37ce213a31b9c01a8fd5989ead88 100644 --- a/civicrm/sql/civicrm_data.mysql +++ b/civicrm/sql/civicrm_data.mysql 
@@ -23873,4 +23873,4 @@ INSERT INTO `civicrm_report_instance` ( `domain_id`, `title`, `report_id`, `description`, `permission`, `form_values`) VALUES ( @domainID, 'Survey Details', 'survey/detail', 'Detailed report for canvassing, phone-banking, walk lists or other surveys.', 'access CiviReport', 'a:39:{s:6:"fields";a:2:{s:9:"sort_name";s:1:"1";s:6:"result";s:1:"1";}s:22:"assignee_contact_id_op";s:2:"eq";s:25:"assignee_contact_id_value";s:0:"";s:12:"sort_name_op";s:3:"has";s:15:"sort_name_value";s:0:"";s:17:"street_number_min";s:0:"";s:17:"street_number_max";s:0:"";s:16:"street_number_op";s:3:"lte";s:19:"street_number_value";s:0:"";s:14:"street_name_op";s:3:"has";s:17:"street_name_value";s:0:"";s:15:"postal_code_min";s:0:"";s:15:"postal_code_max";s:0:"";s:14:"postal_code_op";s:3:"lte";s:17:"postal_code_value";s:0:"";s:7:"city_op";s:3:"has";s:10:"city_value";s:0:"";s:20:"state_province_id_op";s:2:"in";s:23:"state_province_id_value";a:0:{}s:13:"country_id_op";s:2:"in";s:16:"country_id_value";a:0:{}s:12:"survey_id_op";s:2:"in";s:15:"survey_id_value";a:0:{}s:12:"status_id_op";s:2:"eq";s:15:"status_id_value";s:1:"1";s:11:"custom_1_op";s:2:"in";s:14:"custom_1_value";a:0:{}s:11:"custom_2_op";s:2:"in";s:14:"custom_2_value";a:0:{}s:17:"custom_3_relative";s:1:"0";s:13:"custom_3_from";s:0:"";s:11:"custom_3_to";s:0:"";s:11:"description";s:75:"Detailed report for canvassing, phone-banking, walk lists or other surveys.";s:13:"email_subject";s:0:"";s:8:"email_to";s:0:"";s:8:"email_cc";s:0:"";s:10:"permission";s:17:"access CiviReport";s:6:"groups";s:0:"";s:9:"domain_id";i:1;}'); -UPDATE civicrm_domain SET version = '5.35.0'; +UPDATE civicrm_domain SET version = '5.35.1'; diff --git a/civicrm/sql/civicrm_generated.mysql b/civicrm/sql/civicrm_generated.mysql index 9f200477aad68c62dae3d7ac45df83f9ee50cadb..a5af44b94d2e84fd0c187b165c9e630c650a22e6 100644 --- a/civicrm/sql/civicrm_generated.mysql +++ b/civicrm/sql/civicrm_generated.mysql 
@@ -399,7 +399,7 @@ UNLOCK TABLES; LOCK TABLES `civicrm_domain` WRITE; /*!40000 ALTER TABLE `civicrm_domain` DISABLE KEYS */; -INSERT INTO `civicrm_domain` (`id`, `name`, `description`, `version`, `contact_id`, `locales`, `locale_custom_strings`) VALUES (1,'Default Domain Name',NULL,'5.35.0',1,NULL,'a:1:{s:5:\"en_US\";a:0:{}}'); +INSERT INTO `civicrm_domain` (`id`, `name`, `description`, `version`, `contact_id`, `locales`, `locale_custom_strings`) VALUES (1,'Default Domain Name',NULL,'5.35.1',1,NULL,'a:1:{s:5:\"en_US\";a:0:{}}'); /*!40000 ALTER TABLE `civicrm_domain` ENABLE KEYS */; UNLOCK TABLES; diff --git a/civicrm/templates/CRM/Activity/Import/Form/MapTable.tpl b/civicrm/templates/CRM/Activity/Import/Form/MapTable.tpl index 626a37948fc0f40d208a61097273cf952249b144..6ecd9c181db092e5b394f6c83f98a176d1b3aafe 100644 --- a/civicrm/templates/CRM/Activity/Import/Form/MapTable.tpl +++ b/civicrm/templates/CRM/Activity/Import/Form/MapTable.tpl @@ -39,7 +39,7 @@ {section name=rows loop=$rowDisplayCount} {assign var="j" value=$smarty.section.rows.index} - <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td> + <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td> {/section} {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *} diff --git a/civicrm/templates/CRM/Admin/Page/ExtensionDetails.tpl b/civicrm/templates/CRM/Admin/Page/ExtensionDetails.tpl index a7535309e882b75167b12d9bd406f65d12a40230..9c7eeac18a39fad030c3aeb84e1d417dfafdb230 100644 --- a/civicrm/templates/CRM/Admin/Page/ExtensionDetails.tpl +++ b/civicrm/templates/CRM/Admin/Page/ExtensionDetails.tpl 
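Review bot: `|escape` on `$dataValues[$j][$i]` covers the cell values in HTML-text context, and because the first row doubles as the header row when `$skipColumnHeader` is set it covers that too; however any other place this template prints uploaded CSV content (the mapper preview column is outside this hunk) is not visible here and should be checked for the same treatment. A short template comment would help keep the modifier from being dropped later: `{* CSV cell values are user-uploaded: keep |escape *}`. The identical change is repeated in the Contact, Contribute, Event and Member MapTable templates in this commit, so the same audit applies to each.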
@@ -1,24 +1,24 @@ <table class="crm-info-panel"> {foreach from=$extension.urls key=label item=url} - <tr><td class="label">{$label}</td><td><a href="{$url}">{$url}</a></td></tr> + <tr><td class="label">{$label|escape}</td><td><a href="{$url|escape}">{$url|escape}</a></td></tr> {/foreach} <tr> - <td class="label">{ts}Author{/ts}</td><td>{$extension.maintainer.author} (<a href="mailto:{$extension.maintainer.email}">{$extension.maintainer.email}</a>)</td> + <td class="label">{ts}Author{/ts}</td><td>{$extension.maintainer.author|escape} (<a href="mailto:{$extension.maintainer.email|escape}">{$extension.maintainer.email|escape}</a>)</td> </tr> <tr> - <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments}</td> + <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments|escape}</td> </tr> <tr> - <td class="label">{ts}Version{/ts}</td><td>{$extension.version}</td> + <td class="label">{ts}Version{/ts}</td><td>{$extension.version|escape}</td> </tr> <tr> - <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate}</td> + <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate|escape}</td> </tr> <tr> - <td class="label">{ts}License{/ts}</td><td>{$extension.license}</td> + <td class="label">{ts}License{/ts}</td><td>{$extension.license|escape}</td> </tr> <tr> - <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage}</td> + <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage|escape}</td> </tr> <tr> <td class="label">{ts}Requires{/ts}</td> 
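Review bot: `href="{$url|escape}"` prevents attribute break-out but not a hostile scheme: an extension's info.xml (local, or from the remote feed) can supply `javascript:...` as a URL and it will still be rendered as a clickable link. Only emit the anchor for http/https, e.g. `{if $url|substr:0:4 eq 'http'}<a href="{$url|escape}">{$url|escape}</a>{else}{$url|escape}{/if}`, or enforce the scheme where `$extension.urls` is assembled server-side. The `mailto:` link is fine as-is since its scheme is fixed in the template.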
@@ -39,17 +39,17 @@ <td class="label">{ts}Compatible with{/ts}</td> <td> {foreach from=$extension.compatibility.ver item=ver} - {$ver} + {$ver|escape} {/foreach} </td> </tr> <tr> - <td class="label">{ts}Local path{/ts}</td><td>{$extension.path}</td> + <td class="label">{ts}Local path{/ts}</td><td>{$extension.path|escape}</td> </tr> <tr> - <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl}</td> + <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl|escape}</td> </tr> <tr> - <td class="label">{ts}Key{/ts}</td><td>{$extension.key}</td> + <td class="label">{ts}Key{/ts}</td><td>{$extension.key|escape}</td> </tr> </table> diff --git a/civicrm/templates/CRM/Admin/Page/Extensions/Main.tpl b/civicrm/templates/CRM/Admin/Page/Extensions/Main.tpl index 881d1a4d0ce90e53e06d99825a22752c063f7a29..e7598bab0442470957c1a2362d973a12bf0ac823 100644 --- a/civicrm/templates/CRM/Admin/Page/Extensions/Main.tpl +++ b/civicrm/templates/CRM/Admin/Page/Extensions/Main.tpl 
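Review bot: The lines between the two hunks (the 'Requires' section, roughly template lines 24–38) are not in this diff, so I cannot tell whether the dependency keys rendered there received the same `|escape`; they come from the same info.xml source and should be treated identically. `{$extension.path|escape}` is now safe to print, but it still discloses the server's filesystem layout to anyone who can view this page; that is pre-existing, so just note it: `{* path is a local filesystem path: admin-only page *}`.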
@@ -19,19 +19,19 @@ Depends: CRM/common/enableDisableApi.tpl and CRM/common/jsortable.tpl </thead> <tbody> {foreach from=$localExtensionRows key=extKey item=row} - <tr id="extension-{$row.file}" class="crm-entity crm-extension-{$row.file}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}"> + <tr id="extension-{$row.file|escape}" class="crm-entity crm-extension-{$row.file|escape}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}"> <td class="crm-extensions-label"> - <a class="collapsed" href="#"></a> <strong>{$row.label}</strong><br/>{$row.description} + <a class="collapsed" href="#"></a> <strong>{$row.label|escape}</strong><br/>{$row.description|escape} {if $extAddNewEnabled && $remoteExtensionRows[$extKey] && $remoteExtensionRows[$extKey].upgradelink} <div class="crm-extensions-upgrade">{$remoteExtensionRows[$extKey].upgradelink}</div> {/if} </td> <td class="crm-extensions-label">{$row.statusLabel} {if $row.upgradable}<br/>({ts}Outdated{/ts}){/if}</td> - <td class="crm-extensions-label">{$row.version} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td> - <td class="crm-extensions-description">{$row.type|capitalize}</td> + <td class="crm-extensions-label">{$row.version|escape} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td> + <td class="crm-extensions-description">{$row.type|escape|capitalize}</td> <td>{$row.action|replace:'xx':$row.id}</td> </tr> - <tr class="hiddenElement" id="crm-extensions-details-{$row.file}"> + <tr class="hiddenElement" id="crm-extensions-details-{$row.file|escape}"> <td> {include file="CRM/Admin/Page/ExtensionDetails.tpl" extension=$row 
localExtensionRows=$localExtensionRows remoteExtensionRows=$remoteExtensionRows} </td> diff --git a/civicrm/templates/CRM/Contact/Import/Form/MapTable.tpl b/civicrm/templates/CRM/Contact/Import/Form/MapTable.tpl index 21966b6aa5c7c6cbe1bf27e4a7e3ff4a2c82c05b..6eb7c65346118859e45b50f130ab72728bb61c2f 100644 --- a/civicrm/templates/CRM/Contact/Import/Form/MapTable.tpl +++ b/civicrm/templates/CRM/Contact/Import/Form/MapTable.tpl @@ -46,7 +46,7 @@ {section name=rows loop=$rowDisplayCount} {assign var="j" value=$smarty.section.rows.index} - <td class="odd-row">{$dataValues[$j][$i]}</td> + <td class="odd-row">{$dataValues[$j][$i]|escape}</td> {/section} {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *} diff --git a/civicrm/templates/CRM/Contribute/Import/Form/MapTable.tpl b/civicrm/templates/CRM/Contribute/Import/Form/MapTable.tpl index ad14bd8ae12be4c17c4146b52738d48a5d8c8c4c..4c6909d271af2246ba39ffae96b5b820b400cf6a 100644 --- a/civicrm/templates/CRM/Contribute/Import/Form/MapTable.tpl +++ b/civicrm/templates/CRM/Contribute/Import/Form/MapTable.tpl @@ -38,7 +38,7 @@ {section name=rows loop=$rowDisplayCount} {assign var="j" value=$smarty.section.rows.index} - <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td> + <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td> {/section} {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *} diff --git a/civicrm/templates/CRM/Event/Import/Form/MapTable.tpl b/civicrm/templates/CRM/Event/Import/Form/MapTable.tpl index 2f602b38b9d6bd74f41a6354da6cac7764252800..00d7072721c9ea1ae6223076c9191c95fd9ac059 100644 --- a/civicrm/templates/CRM/Event/Import/Form/MapTable.tpl +++ b/civicrm/templates/CRM/Event/Import/Form/MapTable.tpl 
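Review bot: `{$row.upgradeVersion}` in the version cell is still raw while `{$row.version|escape}` next to it is escaped; the upgrade version comes from the remote extension feed, the same source as the other fields this commit escapes, so it should read `({$row.upgradeVersion|escape})`. Also `{$row.type|escape|capitalize}` applies the modifiers in the wrong order: with the Smarty 2 `capitalize` modifier an escaped `&amp;` becomes `&Amp;` (an invalid entity rendered literally), so escaping must come last — `{$row.type|capitalize|escape}`. `{$row.statusLabel}` and `{$remoteExtensionRows[$extKey].upgradelink}` remain unescaped; if they are server-built HTML a comment saying so would stop a future plain-text field from being left raw by analogy.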
@@ -38,7 +38,7 @@ {section name=rows loop=$rowDisplayCount} {assign var="j" value=$smarty.section.rows.index} - <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td> + <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td> {/section} {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *} diff --git a/civicrm/templates/CRM/Member/Import/Form/MapTable.tpl b/civicrm/templates/CRM/Member/Import/Form/MapTable.tpl index 927ba7ceea89b928b7c82fcb32441f21ca01ebb3..0a3dfec5ae28811f506ab057f538d23fd052180b 100644 --- a/civicrm/templates/CRM/Member/Import/Form/MapTable.tpl +++ b/civicrm/templates/CRM/Member/Import/Form/MapTable.tpl @@ -38,7 +38,7 @@ {section name=rows loop=$rowDisplayCount} {assign var="j" value=$smarty.section.rows.index} - <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td> + <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td> {/section} {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *} diff --git a/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl b/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl index 866402fbfdb3fceda47cf7fa2a7e70d2cb40b8cd..28857297827529106bfd5471f448a67c45203ea1 100644 --- a/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl +++ b/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl @@ -38,7 +38,7 @@ <div class="campaign"> {crmRegion name="pcp-page-pcpinfo"} <div class="pcp-intro-text"> - {$pcp.intro_text} + {$pcp.intro_text|purify} </div> {if $image} <div class="pcp-image"> diff --git a/civicrm/vendor/autoload.php b/civicrm/vendor/autoload.php index 72c0ffc70395d4416224d2a07cb8eba8422a8b88..3511cf74396b2cd390a3a31428ab8bd811277f1e 100644 
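Review bot: `|purify` is the right choice for `$pcp.intro_text` because it is owner-supplied rich text, but the other `$pcp` fields and the `{if $image}` block in this template are outside the hunk and need the same decision made explicitly (plain fields `|escape`, HTML fields `|purify`). Record the intent so it survives future edits: `{* intro_text is owner-supplied HTML: purify, never raw (CIVI-SA-2021-05) *}`. The protection also depends on the HTMLPurifier configuration behind the modifier, which is not visible here — confirm it strips `javascript:` hrefs and on* handlers.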
--- a/civicrm/vendor/autoload.php +++ b/civicrm/vendor/autoload.php @@ -4,4 +4,4 @@ require_once __DIR__ . '/composer/autoload_real.php'; -return ComposerAutoloaderInit06564f975835efff62ae818524e97a73::getLoader(); +return ComposerAutoloaderInit329aa0035170c6565680995bd6fe05fb::getLoader(); diff --git a/civicrm/vendor/composer/autoload_real.php b/civicrm/vendor/composer/autoload_real.php index d66d8923f75e34494d58c14fe723578dbe4d959c..600cbe083f62446d1b83383665e0eae3a999dc6a 100644 --- a/civicrm/vendor/composer/autoload_real.php +++ b/civicrm/vendor/composer/autoload_real.php @@ -2,7 +2,7 @@ // autoload_real.php @generated by Composer -class ComposerAutoloaderInit06564f975835efff62ae818524e97a73 +class ComposerAutoloaderInit329aa0035170c6565680995bd6fe05fb { private static $loader; @@ -19,9 +19,9 @@ class ComposerAutoloaderInit06564f975835efff62ae818524e97a73 return self::$loader; } - spl_autoload_register(array('ComposerAutoloaderInit06564f975835efff62ae818524e97a73', 'loadClassLoader'), true, true); + spl_autoload_register(array('ComposerAutoloaderInit329aa0035170c6565680995bd6fe05fb', 'loadClassLoader'), true, true); self::$loader = $loader = new \Composer\Autoload\ClassLoader(); - spl_autoload_unregister(array('ComposerAutoloaderInit06564f975835efff62ae818524e97a73', 'loadClassLoader')); + spl_autoload_unregister(array('ComposerAutoloaderInit329aa0035170c6565680995bd6fe05fb', 'loadClassLoader')); $includePaths = require __DIR__ . '/include_paths.php'; $includePaths[] = get_include_path(); @@ -31,7 +31,7 @@ class ComposerAutoloaderInit06564f975835efff62ae818524e97a73 if ($useStaticLoader) { require_once __DIR__ . '/autoload_static.php'; - call_user_func(\Composer\Autoload\ComposerStaticInit06564f975835efff62ae818524e97a73::getInitializer($loader)); + call_user_func(\Composer\Autoload\ComposerStaticInit329aa0035170c6565680995bd6fe05fb::getInitializer($loader)); } else { $map = require __DIR__ . '/autoload_namespaces.php'; foreach ($map as $namespace => $path) { 
@@ -52,19 +52,19 @@ class ComposerAutoloaderInit06564f975835efff62ae818524e97a73 $loader->register(true); if ($useStaticLoader) { - $includeFiles = Composer\Autoload\ComposerStaticInit06564f975835efff62ae818524e97a73::$files; + $includeFiles = Composer\Autoload\ComposerStaticInit329aa0035170c6565680995bd6fe05fb::$files; } else { $includeFiles = require __DIR__ . '/autoload_files.php'; } foreach ($includeFiles as $fileIdentifier => $file) { - composerRequire06564f975835efff62ae818524e97a73($fileIdentifier, $file); + composerRequire329aa0035170c6565680995bd6fe05fb($fileIdentifier, $file); } return $loader; } } -function composerRequire06564f975835efff62ae818524e97a73($fileIdentifier, $file) +function composerRequire329aa0035170c6565680995bd6fe05fb($fileIdentifier, $file) { if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) { require $file; diff --git a/civicrm/vendor/composer/autoload_static.php b/civicrm/vendor/composer/autoload_static.php index f95ed2764a10ebff3dd30f7c95c97452676741d2..eeeea18d04999b88972de0e25d64374ca5f2dd25 100644 --- a/civicrm/vendor/composer/autoload_static.php +++ b/civicrm/vendor/composer/autoload_static.php @@ -4,7 +4,7 @@ namespace Composer\Autoload; -class ComposerStaticInit06564f975835efff62ae818524e97a73 +class ComposerStaticInit329aa0035170c6565680995bd6fe05fb { public static $files = array ( '320cde22f66dd4f5d3fd621d3e88b98f' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php', 
@@ -570,11 +570,11 @@ class ComposerStaticInit06564f975835efff62ae818524e97a73 public static function getInitializer(ClassLoader $loader) { return \Closure::bind(function () use ($loader) { - $loader->prefixLengthsPsr4 = ComposerStaticInit06564f975835efff62ae818524e97a73::$prefixLengthsPsr4; - $loader->prefixDirsPsr4 = ComposerStaticInit06564f975835efff62ae818524e97a73::$prefixDirsPsr4; - $loader->prefixesPsr0 = ComposerStaticInit06564f975835efff62ae818524e97a73::$prefixesPsr0; - $loader->fallbackDirsPsr0 = ComposerStaticInit06564f975835efff62ae818524e97a73::$fallbackDirsPsr0; - $loader->classMap = ComposerStaticInit06564f975835efff62ae818524e97a73::$classMap; + $loader->prefixLengthsPsr4 = ComposerStaticInit329aa0035170c6565680995bd6fe05fb::$prefixLengthsPsr4; + $loader->prefixDirsPsr4 = ComposerStaticInit329aa0035170c6565680995bd6fe05fb::$prefixDirsPsr4; + $loader->prefixesPsr0 = ComposerStaticInit329aa0035170c6565680995bd6fe05fb::$prefixesPsr0; + $loader->fallbackDirsPsr0 = ComposerStaticInit329aa0035170c6565680995bd6fe05fb::$fallbackDirsPsr0; + $loader->classMap = ComposerStaticInit329aa0035170c6565680995bd6fe05fb::$classMap; }, null, ClassLoader::class); } diff --git a/civicrm/xml/version.xml b/civicrm/xml/version.xml index ec2c92939c88ac5bbf07eab831e95c5e383d8f4b..aa71d2d12a5055e8ab30de6f1031ec138e490d65 100644 --- a/civicrm/xml/version.xml +++ b/civicrm/xml/version.xml @@ -1,4 +1,4 @@ <?xml version="1.0" encoding="iso-8859-1" ?> <version> - <version_no>5.35.0</version_no> + <version_no>5.35.1</version_no> </version>