From aeaf0cad129f98bae615ee2944b2d884ea012910 Mon Sep 17 00:00:00 2001
From: Kevin Cristiano <kcristiano@tadpole.cc>
Date: Thu, 2 Nov 2017 10:09:56 -0400
Subject: [PATCH] civicrm-47: 4.7.26 Security Release
---
civicrm/CRM/Admin/Form/Extensions.php | 4 +-
civicrm/CRM/Admin/Page/MessageTemplates.php | 7 +-
civicrm/CRM/Contact/Form/DedupeRules.php | 9 +-
civicrm/CRM/Report/Page/InstanceList.php | 21 ++--
.../Upgrade/Incremental/sql/4.7.26.mysql.tpl | 1 +
civicrm/CRM/Utils/Rule.php | 11 +++
civicrm/CRM/Utils/Type.php | 6 ++
.../bower_components/jquery-ui/.bower.json | 2 +-
civicrm/civicrm-version.php | 2 +-
civicrm/packages/Smarty/Config_File.class.php | 8 +-
civicrm/packages/Smarty/Smarty.class.php | 24 +++--
.../packages/Smarty/Smarty_Compiler.class.php | 4 +-
.../core.assemble_plugin_filepath.php | 8 +-
.../packages/Smarty/plugins/function.math.php | 98 ++++++++++++-------
civicrm/release-notes.md | 7 ++
civicrm/release-notes/4.7.26.md | 31 ++++++
civicrm/sql/civicrm_data.mysql | 2 +-
civicrm/sql/civicrm_generated.mysql | 2 +-
.../CRM/Activity/Form/ActivityLinks.tpl | 4 +-
civicrm/templates/CRM/Admin/Page/Admin.tpl | 2 +-
.../CRM/Admin/Page/ConfigTaskList.tpl | 34 +++----
.../CRM/Contact/Form/Edit/Tagtree.tpl | 2 +-
.../CRM/Contact/Page/Inline/Actions.tpl | 4 +-
.../CRM/Contact/Page/View/Summary.tpl | 4 +-
.../Form/Contribution/PremiumBlock.tpl | 4 +-
.../Contribute/Form/Contribution/ThankYou.tpl | 4 +-
.../templates/CRM/Contribute/Page/Premium.tpl | 2 +-
civicrm/templates/CRM/Dashlet/Page/Blog.tpl | 4 +-
.../CRM/Event/Form/Registration/ThankYou.tpl | 4 +-
.../templates/CRM/Event/Page/DashBoard.tpl | 4 +-
.../templates/CRM/Event/Page/EventInfo.tpl | 4 +-
.../templates/CRM/Event/Page/ManageEvent.tpl | 4 +-
civicrm/templates/CRM/Friend/Form.tpl | 2 +-
civicrm/templates/CRM/PCP/Page/PCPInfo.tpl | 2 +-
.../CRM/Report/Form/Contact/Detail.tpl | 4 +-
civicrm/templates/CRM/Report/Form/Fields.tpl | 2 +-
.../CRM/Report/Form/Layout/Overlay.tpl | 2 +-
.../CRM/Report/Form/Layout/Table.tpl | 2 +-
.../CRM/Report/Page/InstanceList.tpl | 2 +-
civicrm/templates/CRM/Tag/Form/Tag.tpl | 4 +-
civicrm/templates/CRM/Tag/Form/Tagtree.tpl | 2 +-
civicrm/templates/CRM/common/TabHeader.tpl | 2 +-
.../CRM/common/displaySearchCriteria.tpl | 6 +-
civicrm/templates/CRM/common/version.tpl | 2 +-
civicrm/vendor/autoload.php | 2 +-
civicrm/vendor/composer/autoload_real.php | 14 +--
civicrm/vendor/composer/autoload_static.php | 10 +-
47 files changed, 240 insertions(+), 145 deletions(-)
create mode 100644 civicrm/CRM/Upgrade/Incremental/sql/4.7.26.mysql.tpl
create mode 100644 civicrm/release-notes/4.7.26.md
diff --git a/civicrm/CRM/Admin/Form/Extensions.php b/civicrm/CRM/Admin/Form/Extensions.php
index 2373bcb40d..7f273cb163 100644
--- a/civicrm/CRM/Admin/Form/Extensions.php
+++ b/civicrm/CRM/Admin/Form/Extensions.php
@@ -45,7 +45,9 @@ class CRM_Admin_Form_Extensions extends CRM_Admin_Form {
$this->_key = CRM_Utils_Request::retrieve('key', 'String',
$this, FALSE, 0
);
-
+ if (!CRM_Utils_Type::validate($this->_key, 'ExtensionKey')) {
+ throw new CRM_Core_Exception('Extension Key does not match expected standard');
+ }
$session = CRM_Core_Session::singleton();
$url = CRM_Utils_System::url('civicrm/admin/extensions', 'reset=1&action=browse');
$session->pushUserContext($url);
diff --git a/civicrm/CRM/Admin/Page/MessageTemplates.php b/civicrm/CRM/Admin/Page/MessageTemplates.php
index d94ffc020e..b9b99b4235 100644
--- a/civicrm/CRM/Admin/Page/MessageTemplates.php
+++ b/civicrm/CRM/Admin/Page/MessageTemplates.php
@@ -199,9 +199,10 @@ class CRM_Admin_Page_MessageTemplates extends CRM_Core_Page_Basic {
CRM_Core_BAO_MessageTemplate::revert($id);
}
-
- $this->assign('selectedChild', CRM_Utils_Request::retrieve('selectedChild', 'String', $this));
-
+ $selectedChild = CRM_Utils_Request::retrieve('selectedChild', 'String', $this);
+ if (in_array($selectedChild, array('user', 'workflow'))) {
+ $this->assign('selectedChild', $selectedChild);
+ }
return parent::run($args, $pageArgs, $sort);
}
diff --git a/civicrm/CRM/Contact/Form/DedupeRules.php b/civicrm/CRM/Contact/Form/DedupeRules.php
index ebfde46b91..8e7f2695cc 100644
--- a/civicrm/CRM/Contact/Form/DedupeRules.php
+++ b/civicrm/CRM/Contact/Form/DedupeRules.php
@@ -58,7 +58,14 @@ class CRM_Contact_Form_DedupeRules extends CRM_Admin_Form {
}
$this->_options = CRM_Core_SelectValues::getDedupeRuleTypes();
$this->_rgid = CRM_Utils_Request::retrieve('id', 'Positive', $this, FALSE, 0);
- $this->_contactType = CRM_Utils_Request::retrieve('contact_type', 'String', $this, FALSE, 0);
+ $contactTypes = civicrm_api3('Contact', 'getOptions', array('field' => "contact_type"));
+ $contactType = CRM_Utils_Request::retrieve('contact_type', 'String', $this, FALSE, 0);
+ if (in_array($contactType, $contactTypes['values'])) {
+ $this->_contactType = $contactTypes['values'][$contactType];
+ }
+ elseif (!empty($contactType)) {
+ throw new CRM_Core_Exception('Contact Type is Not valid');
+ }
if ($this->_rgid) {
$rgDao = new CRM_Dedupe_DAO_RuleGroup();
$rgDao->id = $this->_rgid;
diff --git a/civicrm/CRM/Report/Page/InstanceList.php b/civicrm/CRM/Report/Page/InstanceList.php
index f614582022..663baa8afe 100644
--- a/civicrm/CRM/Report/Page/InstanceList.php
+++ b/civicrm/CRM/Report/Page/InstanceList.php
@@ -85,8 +85,11 @@ class CRM_Report_Page_InstanceList extends CRM_Core_Page {
public function info() {
$report = '';
+ $queryParams = array();
+
if ($this->ovID) {
- $report .= " AND v.id = {$this->ovID} ";
+ $report .= " AND v.id = %1 ";
+ $queryParams[1] = array($this->ovID, 'Integer');
}
if ($this->compID) {
@@ -95,7 +98,8 @@ class CRM_Report_Page_InstanceList extends CRM_Core_Page {
$this->_compName = 'Contact';
}
else {
- $report .= " AND v.component_id = {$this->compID} ";
+ $report .= " AND v.component_id = %2 ";
+ $queryParams[2] = array($this->compID, 'Integer');
$cmpName = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Component', $this->compID,
'name', 'id'
);
@@ -106,10 +110,12 @@ class CRM_Report_Page_InstanceList extends CRM_Core_Page {
}
}
elseif ($this->grouping) {
- $report .= " AND v.grouping = '{$this->grouping}' ";
+ $report .= " AND v.grouping = %3 ";
+ $queryParams[3] = array($this->grouping, 'String');
}
elseif ($this->myReports) {
- $report .= " AND inst.owner_id = " . CRM_Core_Session::getLoggedInContactID();
+ $report .= " AND inst.owner_id = %4 ";
+ $queryParams[4] = array(CRM_Core_Session::getLoggedInContactID(), 'Integer');
}
$sql = "
@@ -129,12 +135,11 @@ class CRM_Report_Page_InstanceList extends CRM_Core_Page {
ON v.component_id = comp.id
WHERE v.is_active = 1 {$report}
- AND inst.domain_id = %1
+ AND inst.domain_id = %9
ORDER BY v.weight ASC, inst.title ASC";
+ $queryParams[9] = array(CRM_Core_Config::domainID(), 'Integer');
- $dao = CRM_Core_DAO::executeQuery($sql, array(
- 1 => array(CRM_Core_Config::domainID(), 'Integer'),
- ));
+ $dao = CRM_Core_DAO::executeQuery($sql, $queryParams);
$config = CRM_Core_Config::singleton();
$rows = array();
diff --git a/civicrm/CRM/Upgrade/Incremental/sql/4.7.26.mysql.tpl b/civicrm/CRM/Upgrade/Incremental/sql/4.7.26.mysql.tpl
new file mode 100644
index 0000000000..5eefccfff8
--- /dev/null
+++ b/civicrm/CRM/Upgrade/Incremental/sql/4.7.26.mysql.tpl
@@ -0,0 +1 @@
+{* file to handle db changes in 4.7.26 during upgrade *}
diff --git a/civicrm/CRM/Utils/Rule.php b/civicrm/CRM/Utils/Rule.php
index 897aa5dbbd..c9a92fa967 100644
--- a/civicrm/CRM/Utils/Rule.php
+++ b/civicrm/CRM/Utils/Rule.php
@@ -911,4 +911,15 @@ class CRM_Utils_Rule {
}
}
+ /**
+ * @param string $key Extension Key to check
+ * @return bool
+ */
+ public static function checkExtesnionKeyIsValid($key = NULL) {
+ if (!empty($key) && !preg_match('/^[0-9a-zA-Z._-]+$/', $key)) {
+ return FALSE;
+ }
+ return TRUE;
+ }
+
}
diff --git a/civicrm/CRM/Utils/Type.php b/civicrm/CRM/Utils/Type.php
index 43b920f8be..fbe1c934e7 100644
--- a/civicrm/CRM/Utils/Type.php
+++ b/civicrm/CRM/Utils/Type.php
@@ -466,6 +466,12 @@ class CRM_Utils_Type {
}
break;
+ case 'ExtensionKey':
+ if (CRM_Utils_Rule::checkExtesnionKeyIsValid($data)) {
+ return $data;
+ }
+ break;
+
default:
CRM_Core_Error::fatal("Cannot recognize $type for $data");
break;
diff --git a/civicrm/bower_components/jquery-ui/.bower.json b/civicrm/bower_components/jquery-ui/.bower.json
index 2373c86bc6..69ba102964 100644
--- a/civicrm/bower_components/jquery-ui/.bower.json
+++ b/civicrm/bower_components/jquery-ui/.bower.json
@@ -16,6 +16,6 @@
"commit": "dec4c50123193d4f7c8ae6cd0bff45478e1ad276"
},
"_source": "https://github.com/components/jqueryui.git",
- "_target": "~1.12",
+ "_target": ">=1.9",
"_originalSource": "jquery-ui"
}
\ No newline at end of file
diff --git a/civicrm/civicrm-version.php b/civicrm/civicrm-version.php
index 1585cb6e40..8e1d894061 100644
--- a/civicrm/civicrm-version.php
+++ b/civicrm/civicrm-version.php
@@ -1,6 +1,6 @@
<?php
function civicrmVersion( ) {
- return array( 'version' => '4.7.25',
+ return array( 'version' => '4.7.26',
'cms' => 'Wordpress',
'revision' => '' );
}
diff --git a/civicrm/packages/Smarty/Config_File.class.php b/civicrm/packages/Smarty/Config_File.class.php
index 5f2913bd71..491fa84081 100644
--- a/civicrm/packages/Smarty/Config_File.class.php
+++ b/civicrm/packages/Smarty/Config_File.class.php
@@ -19,7 +19,7 @@
*
* For questions, help, comments, discussion, etc., please join the
* Smarty mailing list. Send a blank e-mail to
- * smarty-discussion-subscribe@googlegroups.com
+ * smarty-discussion-subscribe@googlegroups.com
*
* @link http://www.smarty.net/
* @version 2.6.25-dev
@@ -29,7 +29,7 @@
* @package Smarty
*/
-/* $Id: Config_File.class.php 3149 2009-05-23 20:59:25Z monte.ohrt $ */
+/* $Id$ */
/**
* Config file reading class
@@ -73,7 +73,7 @@ class Config_File {
*
* @param string $config_path (optional) path to the config files
*/
- function __construct($config_path = NULL)
+ public function __construct($config_path = NULL)
{
if (isset($config_path))
$this->set_path($config_path);
@@ -301,7 +301,7 @@ class Config_File {
$vars = array();
continue;
}
- } else {
+ } else {
$section_name = $match[1];
}
if (!isset($config_data['sections'][$section_name]))
diff --git a/civicrm/packages/Smarty/Smarty.class.php b/civicrm/packages/Smarty/Smarty.class.php
index 7118c5521d..8890c45280 100644
--- a/civicrm/packages/Smarty/Smarty.class.php
+++ b/civicrm/packages/Smarty/Smarty.class.php
@@ -27,10 +27,10 @@
* @author Monte Ohrt <monte at ohrt dot com>
* @author Andrei Zmievski <andrei@php.net>
* @package Smarty
- * @version 2.6.27
+ * @version 2.6.30
*/
-/* $Id: Smarty.class.php 4660 2012-09-24 20:05:15Z uwe.tews@googlemail.com $ */
+/* $Id$ */
/**
* DIR_SEP isn't used anymore, but third party apps might
@@ -465,7 +465,7 @@ class Smarty
*
* @var string
*/
- var $_version = '2.6.27';
+ var $_version = '2.6.30';
/**
* current template inclusion depth
@@ -562,11 +562,17 @@ class Smarty
*/
var $_cache_including = false;
+ /**
+ * plugin filepath cache
+ *
+ * @var array
+ */
+ var $_filepaths_cache = array();
/**#@-*/
/**
* The class constructor.
*/
- function __construct()
+ public function __construct()
{
$this->assign('SCRIPT_NAME', isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME']
: @$GLOBALS['HTTP_SERVER_VARS']['SCRIPT_NAME']);
@@ -1511,10 +1517,8 @@ class Smarty
*/
function _get_compile_path($resource_name)
{
- $compilePath = $this->_get_auto_filename( $this->compile_dir,
- $resource_name,
- $this->_compile_id );
- $compilePath .= '.php';
+ $compilePath = $this->_get_auto_filename($this->compile_dir, $resource_name,
+ $this->_compile_id) . '.php';
//for 'string:' resource smarty might going to fail to create
//compile file, so make sure we should have valid path, CRM-5890
@@ -1542,9 +1546,9 @@ class Smarty
smarty_core_create_dir_structure( array('dir' => $dirname ), $this );
}
- $isValid = false;
+ $isValid = FALSE;
if ( $fd = @fopen( $compilePath, 'wb') ) {
- $isValid = true;
+ $isValid = TRUE;
@fclose( $fd );
@unlink($compilePath);
}
diff --git a/civicrm/packages/Smarty/Smarty_Compiler.class.php b/civicrm/packages/Smarty/Smarty_Compiler.class.php
index fa4e78245e..8eaf758239 100644
--- a/civicrm/packages/Smarty/Smarty_Compiler.class.php
+++ b/civicrm/packages/Smarty/Smarty_Compiler.class.php
@@ -26,7 +26,7 @@
* @package Smarty
*/
-/* $Id: Smarty_Compiler.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */
+/* $Id$ */
/**
* Template compiling class
@@ -78,7 +78,7 @@ class Smarty_Compiler extends Smarty {
/**
* The class constructor.
*/
- function __construct()
+ public function __construct()
{
// matches double quoted strings:
// "foobar"
diff --git a/civicrm/packages/Smarty/internals/core.assemble_plugin_filepath.php b/civicrm/packages/Smarty/internals/core.assemble_plugin_filepath.php
index 690d3ddbc2..22c02483fc 100644
--- a/civicrm/packages/Smarty/internals/core.assemble_plugin_filepath.php
+++ b/civicrm/packages/Smarty/internals/core.assemble_plugin_filepath.php
@@ -14,11 +14,9 @@
*/
function smarty_core_assemble_plugin_filepath($params, &$smarty)
{
- static $_filepaths_cache = array();
-
$_plugin_filename = $params['type'] . '.' . $params['name'] . '.php';
- if (isset($_filepaths_cache[$_plugin_filename])) {
- return $_filepaths_cache[$_plugin_filename];
+ if (isset($smarty->_filepaths_cache[$_plugin_filename])) {
+ return $smarty->_filepaths_cache[$_plugin_filename];
}
$_return = false;
@@ -58,7 +56,7 @@ function smarty_core_assemble_plugin_filepath($params, &$smarty)
}
}
}
- $_filepaths_cache[$_plugin_filename] = $_return;
+ $smarty->_filepaths_cache[$_plugin_filename] = $_return;
return $_return;
}
diff --git a/civicrm/packages/Smarty/plugins/function.math.php b/civicrm/packages/Smarty/plugins/function.math.php
index 6575e06001..506c050e81 100644
--- a/civicrm/packages/Smarty/plugins/function.math.php
+++ b/civicrm/packages/Smarty/plugins/function.math.php
@@ -1,85 +1,107 @@
<?php
/**
* Smarty plugin
- * @package Smarty
- * @subpackage plugins
+ * This plugin is only for Smarty2 BC
+ *
+ * @package Smarty
+ * @subpackage PluginsFunction
*/
-
/**
* Smarty {math} function plugin
- *
* Type: function<br>
* Name: math<br>
- * Purpose: handle math computations in template<br>
- * @link http://smarty.php.net/manual/en/language.function.math.php {math}
- * (Smarty online manual)
+ * Purpose: handle math computations in template
+ *
+ * @link http://www.smarty.net/manual/en/language.function.math.php {math}
+ * (Smarty online manual)
* @author Monte Ohrt <monte at ohrt dot com>
- * @param array
+ *
+ * @param array $params parameters
* @param Smarty
- * @return string
+ *
+ * @return string|null
*/
function smarty_function_math($params, &$smarty)
{
+ static $_allowed_funcs = array('int' => true, 'abs' => true, 'ceil' => true, 'cos' => true, 'exp' => true, 'floor' => true,
+ 'log' => true, 'log10' => true, 'max' => true, 'min' => true, 'pi' => true, 'pow' => true, 'rand' => true,
+ 'round' => true, 'sin' => true, 'sqrt' => true, 'srand' => true, 'tan' => true);
// be sure equation parameter is present
if (empty($params['equation'])) {
- $smarty->trigger_error("math: missing equation parameter");
+ trigger_error("math: missing equation parameter", E_USER_WARNING);
+
return;
}
- // strip out backticks, not necessary for math
- $equation = str_replace('`','',$params['equation']);
+ $equation = $params['equation'];
// make sure parenthesis are balanced
- if (substr_count($equation,"(") != substr_count($equation,")")) {
- $smarty->trigger_error("math: unbalanced parenthesis");
+ if (substr_count($equation, "(") != substr_count($equation, ")")) {
+ trigger_error("math: unbalanced parenthesis", E_USER_WARNING);
+
return;
}
- // match all vars in equation, make sure all are passed
- preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!",$equation, $match);
- $allowed_funcs = array('int','abs','ceil','cos','exp','floor','log','log10',
- 'max','min','pi','pow','rand','round','sin','sqrt','srand','tan');
-
- foreach($match[1] as $curr_var) {
- if ($curr_var && !in_array($curr_var, array_keys($params)) && !in_array($curr_var, $allowed_funcs)) {
- $smarty->trigger_error("math: function call $curr_var not allowed");
- return;
- }
+ // disallow backticks
+ if (strpos($equation, '`') !== FALSE) {
+ trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
+
+ return;
+ }
+
+ // also disallow dollar signs
+ if (strpos($equation, '$') !== FALSE) {
+ trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
+
+ return;
}
- foreach($params as $key => $val) {
+ foreach ($params as $key => $val) {
if ($key != "equation" && $key != "format" && $key != "assign") {
// make sure value is not empty
- if (strlen($val)==0) {
- $smarty->trigger_error("math: parameter $key is empty");
+ if (strlen($val) == 0) {
+ trigger_error("math: parameter '{$key}' is empty", E_USER_WARNING);
+
return;
}
if (!is_numeric($val)) {
- $smarty->trigger_error("math: parameter $key: is not numeric");
+ trigger_error("math: parameter '{$key}' is not numeric", E_USER_WARNING);
+
return;
}
- $equation = preg_replace("/\b$key\b/", " \$params['$key'] ", $equation);
+ }
+ }
+ // match all vars in equation, make sure all are passed
+ preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match);
+
+ foreach ($match[1] as $curr_var) {
+ if ($curr_var && !isset($params[$curr_var]) && !isset($_allowed_funcs[$curr_var])) {
+ trigger_error("math: function call '{$curr_var}' not allowed, or missing parameter '{$curr_var}'", E_USER_WARNING);
+
+ return;
}
}
- eval("\$smarty_math_result = ".$equation.";");
+ foreach ($params as $key => $val) {
+ if ($key != "equation" && $key != "format" && $key != "assign") {
+ $equation = preg_replace("/\b$key\b/", " \$params['$key'] ", $equation);
+ }
+ }
+ $smarty_math_result = null;
+ eval("\$smarty_math_result = " . $equation . ";");
if (empty($params['format'])) {
if (empty($params['assign'])) {
return $smarty_math_result;
} else {
- $smarty->assign($params['assign'],$smarty_math_result);
+ $smarty->assign($params['assign'], $smarty_math_result);
}
} else {
- if (empty($params['assign'])){
- printf($params['format'],$smarty_math_result);
+ if (empty($params['assign'])) {
+ printf($params['format'], $smarty_math_result);
} else {
- $smarty->assign($params['assign'],sprintf($params['format'],$smarty_math_result));
+ $smarty->assign($params['assign'], sprintf($params['format'], $smarty_math_result));
}
}
}
-
-/* vim: set expandtab: */
-
-?>
\ No newline at end of file
diff --git a/civicrm/release-notes.md b/civicrm/release-notes.md
index 9df6b2d06f..2750896f39 100644
--- a/civicrm/release-notes.md
+++ b/civicrm/release-notes.md
@@ -14,6 +14,13 @@ Other resources for identifying changes are:
* https://github.com/civicrm/civicrm-joomla
* https://github.com/civicrm/civicrm-wordpress
+## CiviCRM 4.7.26
+
+Released November 1, 2017
+
+- **[Security](release-notes/4.7.26.md#security)**
+- **[Credits](release-notes/4.7.26.md#credits)**
+
## CiviCRM 4.7.25
Released October 4, 2017
diff --git a/civicrm/release-notes/4.7.26.md b/civicrm/release-notes/4.7.26.md
new file mode 100644
index 0000000000..786a2c94d8
--- /dev/null
+++ b/civicrm/release-notes/4.7.26.md
@@ -0,0 +1,31 @@
+# CiviCRM 4.7.26
+
+Released Nov 1, 2017
+
+- **[Security advisories](#security)**
+- **[Credits](#credits)**
+
+## <a name="security"></a>Security advisories
+
+
+- **[CIVI-SA-2017-08](https://civicrm.org/advisory/civi-sa-2017-08-xss-in-html-link-attributes)** XSS in HTML link attributes
+- **[CIVI-SA-2017-09](https://civicrm.org/advisory/civi-sa-2017-09-shell-injection-vulerabilty-in-smarty)** Shell injection vulerabilty in Smarty
+- **[CIVI-SA-2017-10](https://civicrm.org/advisory/civi-sa-2017-10-xss-scripting-in-preimum-product-name)** XSS scripting in preimum product name
+- **[CIVI-SA-2017-11](https://civicrm.org/advisory/civi-sa-2017-11-xss-in-dedupe-rules)** XSS in dedupe rules
+- **[CIVI-SA-2017-12](https://civicrm.org/advisory/civi-sa-2017-12-xss-in-tag-description)** XSS in tag description
+- **[CIVI-SA-2017-13](https://civicrm.org/advisory/civi-sa-2017-13-selectedchild-url-paramater-not-properly-validated-for-civicrm-message)** SelectedChild URL parameter not properly validated
+- **[CIVI-SA-2017-14](https://civicrm.org/advisory/civi-sa-2017-14-xss-in-search-critiera-description)** XSS in Search Critiera Description
+- **[CIVI-SA-2017-15](https://civicrm.org/advisory/civi-sa-2017-15-extension-key-not-properly-validated-when-adding-or-disabling-or)** Extension key not properly validated
+- **[CIVI-SA-2017-16](https://civicrm.org/advisory/civi-sa-2017-16-sql-injection-risk-in-civireports-listing)** SQL injection risk in CiviReports
+
+## <a name="credits"></a>Credits
+
+This release was developed by the following code authors:
+
+Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen
+
+Most authors also reviewed code for this release; in addition, the following
+reviewers contributed their comments:
+
+CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation -
+Eileen McNaughton
diff --git a/civicrm/sql/civicrm_data.mysql b/civicrm/sql/civicrm_data.mysql
index 7baf1714df..68caa369ec 100644
--- a/civicrm/sql/civicrm_data.mysql
+++ b/civicrm/sql/civicrm_data.mysql
@@ -23921,4 +23921,4 @@ INSERT INTO `civicrm_report_instance`
VALUES
( @domainID, 'Survey Details', 'survey/detail', 'Detailed report for canvassing, phone-banking, walk lists or other surveys.', 'access CiviReport', 'a:39:{s:6:"fields";a:2:{s:9:"sort_name";s:1:"1";s:6:"result";s:1:"1";}s:22:"assignee_contact_id_op";s:2:"eq";s:25:"assignee_contact_id_value";s:0:"";s:12:"sort_name_op";s:3:"has";s:15:"sort_name_value";s:0:"";s:17:"street_number_min";s:0:"";s:17:"street_number_max";s:0:"";s:16:"street_number_op";s:3:"lte";s:19:"street_number_value";s:0:"";s:14:"street_name_op";s:3:"has";s:17:"street_name_value";s:0:"";s:15:"postal_code_min";s:0:"";s:15:"postal_code_max";s:0:"";s:14:"postal_code_op";s:3:"lte";s:17:"postal_code_value";s:0:"";s:7:"city_op";s:3:"has";s:10:"city_value";s:0:"";s:20:"state_province_id_op";s:2:"in";s:23:"state_province_id_value";a:0:{}s:13:"country_id_op";s:2:"in";s:16:"country_id_value";a:0:{}s:12:"survey_id_op";s:2:"in";s:15:"survey_id_value";a:0:{}s:12:"status_id_op";s:2:"eq";s:15:"status_id_value";s:1:"1";s:11:"custom_1_op";s:2:"in";s:14:"custom_1_value";a:0:{}s:11:"custom_2_op";s:2:"in";s:14:"custom_2_value";a:0:{}s:17:"custom_3_relative";s:1:"0";s:13:"custom_3_from";s:0:"";s:11:"custom_3_to";s:0:"";s:11:"description";s:75:"Detailed report for canvassing, phone-banking, walk lists or other surveys.";s:13:"email_subject";s:0:"";s:8:"email_to";s:0:"";s:8:"email_cc";s:0:"";s:10:"permission";s:17:"access CiviReport";s:6:"groups";s:0:"";s:9:"domain_id";i:1;}');
-UPDATE civicrm_domain SET version = '4.7.25';
+UPDATE civicrm_domain SET version = '4.7.26';
diff --git a/civicrm/sql/civicrm_generated.mysql b/civicrm/sql/civicrm_generated.mysql
index 6fa8cb37ce..f6f844d528 100644
--- a/civicrm/sql/civicrm_generated.mysql
+++ b/civicrm/sql/civicrm_generated.mysql
@@ -399,7 +399,7 @@ UNLOCK TABLES;
LOCK TABLES `civicrm_domain` WRITE;
/*!40000 ALTER TABLE `civicrm_domain` DISABLE KEYS */;
-INSERT INTO `civicrm_domain` (`id`, `name`, `description`, `config_backend`, `version`, `contact_id`, `locales`, `locale_custom_strings`) VALUES (1,'Default Domain Name',NULL,NULL,'4.7.25',1,NULL,'a:1:{s:5:\"en_US\";a:0:{}}');
+INSERT INTO `civicrm_domain` (`id`, `name`, `description`, `config_backend`, `version`, `contact_id`, `locales`, `locale_custom_strings`) VALUES (1,'Default Domain Name',NULL,NULL,'4.7.26',1,NULL,'a:1:{s:5:\"en_US\";a:0:{}}');
/*!40000 ALTER TABLE `civicrm_domain` ENABLE KEYS */;
UNLOCK TABLES;
diff --git a/civicrm/templates/CRM/Activity/Form/ActivityLinks.tpl b/civicrm/templates/CRM/Activity/Form/ActivityLinks.tpl
index d1f23594d2..a3b2332d81 100644
--- a/civicrm/templates/CRM/Activity/Form/ActivityLinks.tpl
+++ b/civicrm/templates/CRM/Activity/Form/ActivityLinks.tpl
@@ -68,10 +68,10 @@
{if $hookLinks}
{foreach from=$hookLinks item=link}
<li>
- <a href="{$link.url}" data-tab="activity"{if !empty($link.title)} title="{$link.title}"{/if}
+ <a href="{$link.url}" data-tab="activity"{if !empty($link.title)} title="{$link.title|escape}"{/if}
{if !empty($link.class)} class="{$link.class}"{/if}>
{if $link.img}
- <img src="{$link.img}" alt="{$link.title}" />
+ <img src="{$link.img}" alt="{$link.title|escape}" />
{/if}
{$link.name}
</a>
diff --git a/civicrm/templates/CRM/Admin/Page/Admin.tpl b/civicrm/templates/CRM/Admin/Page/Admin.tpl
index 7144059856..0a00fa7e4e 100644
--- a/civicrm/templates/CRM/Admin/Page/Admin.tpl
+++ b/civicrm/templates/CRM/Admin/Page/Admin.tpl
@@ -72,7 +72,7 @@
{foreach from=$group.fields item=panelItem key=panelName name=groupLoop}
<tr class="{cycle values="odd-row,even-row" name=$groupName}">
<td style="vertical-align: top; width:24px;">
- <a href="{$panelItem.url}"{if $panelItem.extra} {$panelItem.extra}{/if} ><img src="{$config->resourceBase}i/{if $panelItem.icon}{$panelItem.icon}{else}admin/small/option.png{/if}" alt="{$panelItem.title}"/></a>
+ <a href="{$panelItem.url}"{if $panelItem.extra} {$panelItem.extra}{/if} ><img src="{$config->resourceBase}i/{if $panelItem.icon}{$panelItem.icon}{else}admin/small/option.png{/if}" alt="{$panelItem.title|escape}"/></a>
</td>
<td class="report font-size11pt" style="vertical-align: text-top;" width="20%">
<a href="{$panelItem.url}"{if $panelItem.extra} {$panelItem.extra}{/if} id="id_{$panelItem.id}">{$panelItem.title}</a>
diff --git a/civicrm/templates/CRM/Admin/Page/ConfigTaskList.tpl b/civicrm/templates/CRM/Admin/Page/ConfigTaskList.tpl
index 752eb04196..0c665420d3 100644
--- a/civicrm/templates/CRM/Admin/Page/ConfigTaskList.tpl
+++ b/civicrm/templates/CRM/Admin/Page/ConfigTaskList.tpl
@@ -35,15 +35,15 @@
<td colspan="2">{ts}Site Configuration and Registration{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/localization" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Localization{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/localization" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Localization{/ts}</a></td>
<td>{ts}Localization settings include user language, default currency and available countries for address input.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/domain" q="action=update&reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Organization Address and Contact Info{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/domain" q="action=update&reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Organization Address and Contact Info{/ts}</a></td>
<td>{ts}Organization name, email address for system-generated emails, organization address{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/component" q="action=update&reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Enable components{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/component" q="action=update&reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Enable components{/ts}</a></td>
<td>{ts}Enable the required CiviCRM components.(CiviContribute, CiviEvent etc.){/ts}</td>
</tr>
<tr class="even">
@@ -55,27 +55,27 @@
<td colspan="2">{ts}Viewing and Editing Contacts{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/preferences/display" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Display Preferences{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/preferences/display" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Display Preferences{/ts}</a></td>
<td>{ts}Configure screen and form elements for Viewing Contacts, Editing Contacts, Advanced Search, Contact Dashboard and WYSIWYG Editor.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/preferences/address" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Address Settings{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/preferences/address" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Address Settings{/ts}</a></td>
<td>{ts}Format addresses in mailing labels, input forms and screen display.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/mapping" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Mapping and Geocoding{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/mapping" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Mapping and Geocoding{/ts}</a></td>
<td>{ts}Configure a mapping provider (e.g. Google or Yahoo) to display maps for contact addresses and event locations.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/search" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Search Settings{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/search" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Search Settings{/ts}</a></td>
<td>{ts}Adjust search behaviors including wildcards, and data to include in quick search results. Adjusting search settings can improve performance for larger datasets.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/misc" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.){/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/misc" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.){/ts}</a></td>
<td>{ts}Version reporting and alerts, reCAPTCHA configuration and attachments.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/options/subtype" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Contact Types{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/options/subtype" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Contact Types{/ts}</a></td>
<td>{ts}You can modify the names of the built-in contact types (Individual, Household, Organizations), and you can create or modify "contact subtypes" for more specific uses (e.g. Student, Parent, Team, etc.).{/ts}</td>
</tr>
@@ -83,11 +83,11 @@
<td colspan="2">{ts}Sending Emails (includes contribution receipts and event confirmations){/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/smtp" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Outbound Email{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/setting/smtp" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Outbound Email{/ts}</a></td>
<td>{ts}Settings for outbound email - either SMTP server, port and authentication or Sendmail path and argument.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/options/from_email_address" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}From Email Addresses{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/options/from_email_address" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}From Email Addresses{/ts}</a></td>
<td>{ts}Define general email address(es) that can be used as the FROM address when sending email to contacts from within CiviCRM (e.g. info@example.org){/ts}</td>
</tr>
@@ -95,7 +95,7 @@
<td colspan="2">{ts}Online Contributions / Online Membership Signup / Online Event Registration{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/paymentProcessor" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Payment Processors{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/paymentProcessor" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Payment Processors{/ts}</a></td>
<td>{ts}Select and configure one or more payment processing services for online contributions, events and / or membership fees.{/ts}</td>
</tr>
{if $config->userSystem->is_drupal EQ '1'}
@@ -109,7 +109,7 @@
</tr>
{/if}
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/messageTemplates" q="selectedChild=workflow&reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}System Workflow Templates{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/messageTemplates" q="selectedChild=workflow&reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}System Workflow Templates{/ts}</a></td>
<td>{ts}Review and modify the templates used for system-generated emails, including contribution receipts and event registration confirmations.{/ts}</td>
</tr>
</table>
@@ -125,11 +125,11 @@
<td colspan="2">{ts}Organize your contacts{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/tag" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Tags (Categories){/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/tag" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Tags (Categories){/ts}</a></td>
<td>{ts}Tags can be assigned to any contact record, and are a convenient way to find contacts. You can create as many tags as needed to organize and segment your records.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/group" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Manage Groups{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/group" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Manage Groups{/ts}</a></td>
<td>{ts}Use Groups to organize contacts (e.g. these contacts are part of our 'Steering Committee').{/ts}</td>
</tr>
@@ -137,11 +137,11 @@
<td colspan="2">{ts}Customize Data, Forms and Screens{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/custom/group" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Custom Fields{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/custom/group" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Custom Fields{/ts}</a></td>
<td>{ts}Configure custom fields to collect and store custom data which is not included in the standard CiviCRM forms.{/ts}</td>
</tr>
<tr class="even">
- <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/uf/group" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle}">{ts}Profiles{/ts}</a></td>
+ <td class="tasklist nowrap"><a href="{crmURL p="civicrm/admin/uf/group" q="reset=1&civicrmDestination=`$destination`"}" title="{$linkTitle|escape}">{ts}Profiles{/ts}</a></td>
<td>{ts}Profiles allow you to aggregate groups of fields and include them in your site as input forms, contact display pages, and search and listings features.{/ts}</td>
</tr>
</table>
diff --git a/civicrm/templates/CRM/Contact/Form/Edit/Tagtree.tpl b/civicrm/templates/CRM/Contact/Form/Edit/Tagtree.tpl
index 2f6d1c51b1..cc5a884934 100644
--- a/civicrm/templates/CRM/Contact/Form/Edit/Tagtree.tpl
+++ b/civicrm/templates/CRM/Contact/Form/Edit/Tagtree.tpl
@@ -29,7 +29,7 @@
<li id="tagli_{$id}">
<input name="tag[{$id}]" id="tag_{$id}" class="form-checkbox" type="checkbox" value="1" {if $node.is_selectable EQ 0}disabled=""{/if} {if $form.tag.value.$id EQ 1}checked="checked"{/if}/>
<span>
- <label for="tag_{$id}" id="tagLabel_{$id}" class="crm-tag-item" {if !empty($allTags.$id.color)}style="background-color: {$allTags.$id.color}; color: {$allTags.$id.color|colorContrast};"{/if} title="{$node.description}">{$node.name}</label>
+ <label for="tag_{$id}" id="tagLabel_{$id}" class="crm-tag-item" {if !empty($allTags.$id.color)}style="background-color: {$allTags.$id.color}; color: {$allTags.$id.color|colorContrast};"{/if} title="{$node.description|escape}">{$node.name}</label>
</span>
{if $node.children}
{* Recurse... *}
diff --git a/civicrm/templates/CRM/Contact/Page/Inline/Actions.tpl b/civicrm/templates/CRM/Contact/Page/Inline/Actions.tpl
index d92432b9f9..9dbf7eecce 100644
--- a/civicrm/templates/CRM/Contact/Page/Inline/Actions.tpl
+++ b/civicrm/templates/CRM/Contact/Page/Inline/Actions.tpl
@@ -39,7 +39,7 @@
{foreach from=$actionsMenuList.otherActions item='row'}
{if !empty($row.href) or !empty($row.tab)}
<li class="crm-contact-{$row.ref}">
- <a href="{if !empty($row.href)}{$row.href}&cid={$contactId}{else}#{/if}" title="{$row.title}" data-tab="{$row.tab}" {if !empty($row.class)}class="{$row.class}"{/if}>
+ <a href="{if !empty($row.href)}{$row.href}&cid={$contactId}{else}#{/if}" title="{$row.title|escape}" data-tab="{$row.tab}" {if !empty($row.class)}class="{$row.class}"{/if}>
<span><i {if !empty($row.icon)}class="{$row.icon}"{/if}></i> {$row.title}</span>
</a>
</li>
@@ -52,7 +52,7 @@
{foreach from=$actionsMenuList.moreActions item='row'}
{if !empty($row.href) or !empty($row.tab)}
<li class="crm-action-{$row.ref}">
- <a href="{if !empty($row.href)}{$row.href}&cid={$contactId}{else}#{/if}" title="{$row.title}" data-tab="{$row.tab}" {if !empty($row.class)}class="{$row.class}"{/if}>{$row.title}</a>
+ <a href="{if !empty($row.href)}{$row.href}&cid={$contactId}{else}#{/if}" title="{$row.title|escape}" data-tab="{$row.tab}" {if !empty($row.class)}class="{$row.class}"{/if}>{$row.title}</a>
</li>
{/if}
{/foreach}
diff --git a/civicrm/templates/CRM/Contact/Page/View/Summary.tpl b/civicrm/templates/CRM/Contact/Page/View/Summary.tpl
index 3e646f2801..2058cc512c 100644
--- a/civicrm/templates/CRM/Contact/Page/View/Summary.tpl
+++ b/civicrm/templates/CRM/Contact/Page/View/Summary.tpl
@@ -125,7 +125,7 @@
<ul class="crm-contact-tabs-list">
{foreach from=$allTabs key=tabName item=tabValue}
<li id="tab_{$tabValue.id}" class="crm-tab-button ui-corner-all crm-count-{$tabValue.count}{if isset($tabValue.class)} {$tabValue.class}{/if}">
- <a href="{$tabValue.url}" title="{$tabValue.title}">
+ <a href="{$tabValue.url}" title="{$tabValue.title|escape}">
{$tabValue.title}
{if empty($tabValue.hideCount)}<em>{$tabValue.count}</em>{/if}
</a>
@@ -166,7 +166,7 @@
</div>
<div class="crm-content" id="tags">
{foreach from=$contactTag item=tagName key=tagId}
- <span class="crm-tag-item" {if !empty($allTags.$tagId.color)}style="background-color: {$allTags.$tagId.color}; color: {$allTags.$tagId.color|colorContrast};"{/if} title="{$allTags.$tagId.description}">
+ <span class="crm-tag-item" {if !empty($allTags.$tagId.color)}style="background-color: {$allTags.$tagId.color}; color: {$allTags.$tagId.color|colorContrast};"{/if} title="{$allTags.$tagId.description|escape}">
{$tagName}
</span>
{/foreach}
diff --git a/civicrm/templates/CRM/Contribute/Form/Contribution/PremiumBlock.tpl b/civicrm/templates/CRM/Contribute/Form/Contribution/PremiumBlock.tpl
index 89982f7181..2c91853c39 100644
--- a/civicrm/templates/CRM/Contribute/Form/Contribution/PremiumBlock.tpl
+++ b/civicrm/templates/CRM/Contribute/Form/Contribution/PremiumBlock.tpl
@@ -67,13 +67,13 @@
{foreach from=$products item=row}
<div class="premium {if $showPremium}premium-selectable{/if}" id="premium_id-{$row.id}" min_contribution="{$row.min_contribution}">
<div class="premium-short">
- {if $row.thumbnail}<div class="premium-short-thumbnail"><img src="{$row.thumbnail}" alt="{$row.name}" /></div>{/if}
+ {if $row.thumbnail}<div class="premium-short-thumbnail"><img src="{$row.thumbnail}" alt="{$row.name|escape}" /></div>{/if}
<div class="premium-short-content">{$row.name}</div>
<div style="clear:both"></div>
</div>
<div class="premium-full">
- <div class="premium-full-image">{if $row.image}<img src="{$row.image}" alt="{$row.name}" />{/if}</div>
+ <div class="premium-full-image">{if $row.image}<img src="{$row.image}" alt="{$row.name|escape}" />{/if}</div>
<div class="premium-full-content">
<div class="premium-full-title">{$row.name}</div>
<div class="premium-full-disabled">
diff --git a/civicrm/templates/CRM/Contribute/Form/Contribution/ThankYou.tpl b/civicrm/templates/CRM/Contribute/Form/Contribution/ThankYou.tpl
index a79b990c35..04c48c5831 100644
--- a/civicrm/templates/CRM/Contribute/Form/Contribution/ThankYou.tpl
+++ b/civicrm/templates/CRM/Contribute/Form/Contribution/ThankYou.tpl
@@ -39,13 +39,13 @@
{* Show link to Tell a Friend (CRM-2153) *}
{if $friendText}
<div id="tell-a-friend" class="crm-section friend_link-section">
- <a href="{$friendURL}" title="{$friendText}" class="button"><span>» {$friendText}</span></a>
+ <a href="{$friendURL}" title="{$friendText|escape:'html'}" class="button"><span>» {$friendText}</span></a>
</div>{if !$linkText}<br /><br />{/if}
{/if}
{* Add button for donor to create their own Personal Campaign page *}
{if $linkText}
<div class="crm-section create_pcp_link-section">
- <a href="{$linkTextUrl}" title="{$linkText}" class="button"><span>» {$linkText}</span></a>
+ <a href="{$linkTextUrl}" title="{$linkText|escape:'html'}" class="button"><span>» {$linkText}</span></a>
</div><br /><br />
{/if}
diff --git a/civicrm/templates/CRM/Contribute/Page/Premium.tpl b/civicrm/templates/CRM/Contribute/Page/Premium.tpl
index ce44089498..2e1b9ff50f 100644
--- a/civicrm/templates/CRM/Contribute/Page/Premium.tpl
+++ b/civicrm/templates/CRM/Contribute/Page/Premium.tpl
@@ -37,7 +37,7 @@
<th>{ts}SKU{/ts}</th>
<th>{ts}Market Value{/ts}</th>
<th>{ts}Min Contribution{/ts}</th>
- <th>{ts}Financial Type{/ts}</th>
+ <th>{ts}Financial Type{/ts}</th>
<th>{ts}Order{/ts}</th>
<th></th>
</tr>
diff --git a/civicrm/templates/CRM/Dashlet/Page/Blog.tpl b/civicrm/templates/CRM/Dashlet/Page/Blog.tpl
index 3ee2e1597d..e95fc2941d 100644
--- a/civicrm/templates/CRM/Dashlet/Page/Blog.tpl
+++ b/civicrm/templates/CRM/Dashlet/Page/Blog.tpl
@@ -49,7 +49,7 @@
<div id="civicrm-news-feed">
<ul>
{foreach from=$feeds item="channel"}
- <li class="ui-corner-all crm-tab-button" title="{$channel.description}">
+ <li class="ui-corner-all crm-tab-button" title="{$channel.description|escape}">
<a href="#civicrm-news-feed-{$channel.name}">{$channel.title}</a>
</li>
{/foreach}
@@ -65,7 +65,7 @@
</div>
<div class="crm-accordion-body">
<div>{$article.description}</div>
- <p class="crm-news-feed-item-link"><a target="_blank" href="{$article.link}" title="{$article.title}"><i class="crm-i fa-external-link"></i> {ts}read more{/ts}…</a></p>
+ <p class="crm-news-feed-item-link"><a target="_blank" href="{$article.link}" title="{$article.title|escape}"><i class="crm-i fa-external-link"></i> {ts}read more{/ts}…</a></p>
</div>
</div>
{/foreach}
diff --git a/civicrm/templates/CRM/Event/Form/Registration/ThankYou.tpl b/civicrm/templates/CRM/Event/Form/Registration/ThankYou.tpl
index db1cfd329f..9d0d70fa72 100644
--- a/civicrm/templates/CRM/Event/Form/Registration/ThankYou.tpl
+++ b/civicrm/templates/CRM/Event/Form/Registration/ThankYou.tpl
@@ -42,14 +42,14 @@
{* Show link to Tell a Friend (CRM-2153) *}
{if $friendText}
<div id="tell-a-friend" class="crm-section tell_friend_link-section">
- <a href="{$friendURL}" title="{$friendText}" class="button"><span>» {$friendText}</span></a>
+ <a href="{$friendURL}" title="{$friendText|escape:'html'}" class="button"><span>» {$friendText}</span></a>
</div><br /><br />
{/if}
{* Add button for donor to create their own Personal Campaign page *}
{if $pcpLink}
<div class="crm-section create_pcp_link-section">
- <a href="{$pcpLink}" title="{$pcpLinkText}" class="button"><span>» {$pcpLinkText}</span></a>
+ <a href="{$pcpLink}" title="{$pcpLinkText|escape:'html'}" class="button"><span>» {$pcpLinkText}</span></a>
</div><br /><br />
{/if}
diff --git a/civicrm/templates/CRM/Event/Page/DashBoard.tpl b/civicrm/templates/CRM/Event/Page/DashBoard.tpl
index 181542308a..fd97cba3a8 100644
--- a/civicrm/templates/CRM/Event/Page/DashBoard.tpl
+++ b/civicrm/templates/CRM/Event/Page/DashBoard.tpl
@@ -121,10 +121,10 @@
{if NOT $values.$fld}{assign var="status" value="disabled"}{else}{assign var="status" value="enabled"}{/if}
{* Schedule Reminders requires a different query string. *}
{if $v.url EQ 'civicrm/event/manage/reminder'}
- <li><a title="{$v.title}" class="action-item crm-hover-button no-popup {$status}"
+ <li><a title="{$v.title|escape}" class="action-item crm-hover-button no-popup {$status}"
href="{crmURL p="`$v.url`" q="reset=1&action=browse&setTab=1&id=`$id`"}">{$v.title}</a></li>
{else}
- <li><a title="{$v.title}" class="action-item crm-hover-button no-popup {$status}"
+ <li><a title="{$v.title|escape}" class="action-item crm-hover-button no-popup {$status}"
href="{crmURL p="`$v.url`" q="reset=1&action=update&id=`$id`"}">{$v.title}</a></li>
{/if}
{/foreach}
diff --git a/civicrm/templates/CRM/Event/Page/EventInfo.tpl b/civicrm/templates/CRM/Event/Page/EventInfo.tpl
index fbc3a43a43..d19625cb92 100644
--- a/civicrm/templates/CRM/Event/Page/EventInfo.tpl
+++ b/civicrm/templates/CRM/Event/Page/EventInfo.tpl
@@ -96,7 +96,7 @@
{crmRegion name="event-page-eventinfo-actionlinks-top"}
{if $allowRegistration}
<div class="action-link section register_link-section register_link-top">
- <a href="{$registerURL}" title="{$registerText}" class="button crm-register-button"><span>{$registerText}</span></a>
+ <a href="{$registerURL}" title="{$registerText|escape:'html'}" class="button crm-register-button"><span>{$registerText}</span></a>
</div>
{/if}
{/crmRegion}
@@ -227,7 +227,7 @@
{crmRegion name="event-page-eventinfo-actionlinks-bottom"}
{if $allowRegistration}
<div class="action-link section register_link-section register_link-bottom">
- <a href="{$registerURL}" title="{$registerText}" class="button crm-register-button"><span>{$registerText}</span></a>
+ <a href="{$registerURL}" title="{$registerText|escape:'html'}" class="button crm-register-button"><span>{$registerText}</span></a>
</div>
{/if}
{/crmRegion}
diff --git a/civicrm/templates/CRM/Event/Page/ManageEvent.tpl b/civicrm/templates/CRM/Event/Page/ManageEvent.tpl
index dafc1ae343..eb1295786c 100644
--- a/civicrm/templates/CRM/Event/Page/ManageEvent.tpl
+++ b/civicrm/templates/CRM/Event/Page/ManageEvent.tpl
@@ -98,10 +98,10 @@
{assign var="fld" value=$v.field}
{if NOT $row.$fld}{assign var="status" value="disabled"}{else}{assign var="status" value="enabled"}{/if}
{if $k eq 'reminder'}
- <li><a title="{$v.title}" class="action-item crm-hover-button {$status}"
+ <li><a title="{$v.title|escape:'html'}" class="action-item crm-hover-button {$status}"
href="{crmURL p="`$v.url`" q="reset=1&action=browse&setTab=1&id=`$row.id`"}">{$v.title}</a>
{else}
- <li><a title="{$v.title}" class="action-item crm-hover-button {$status}"
+ <li><a title="{$v.title|escape:'html'}" class="action-item crm-hover-button {$status}"
href="{crmURL p="`$v.url`" q="reset=1&action=update&id=`$row.id`"}">{$v.title}</a></li>
{/if}
{/foreach}
diff --git a/civicrm/templates/CRM/Friend/Form.tpl b/civicrm/templates/CRM/Friend/Form.tpl
index f933c3e49d..f3bbceb723 100644
--- a/civicrm/templates/CRM/Friend/Form.tpl
+++ b/civicrm/templates/CRM/Friend/Form.tpl
@@ -32,7 +32,7 @@
{* Add button for donor to create their own Personal Campaign page *}
{if $linkText}
<div class="crm-section create_pcp_link-section">
- <a href="{$linkTextUrl}" title="{$linkText}" class="button"><span>» {$linkText}</span></a>
+ <a href="{$linkTextUrl}" title="{$linkText|escape}" class="button"><span>» {$linkText}</span></a>
</div><br /><br />
{/if}
diff --git a/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl b/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl
index 8cb3f78bb3..bb82ef1b16 100644
--- a/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl
+++ b/civicrm/templates/CRM/PCP/Page/PCPInfo.tpl
@@ -41,7 +41,7 @@
{foreach from = $links key = k item = v}
<tr>
<td>
- <a href="{crmURL p=$v.url q=$v.qs|replace:'%%pcpId%%':$replace.id|replace:'%%pageComponent%%':$replace.pageComponent|replace:'%%pcpBlock%%':$replace.block}" title="{$v.title}" {if $v.extra}{$v.extra}{/if}><strong>» {$v.name}</strong></a>
+ <a href="{crmURL p=$v.url q=$v.qs|replace:'%%pcpId%%':$replace.id|replace:'%%pageComponent%%':$replace.pageComponent|replace:'%%pcpBlock%%':$replace.block}" title="{$v.title|escape:'html'}" {if $v.extra}{$v.extra}{/if}><strong>» {$v.name}</strong></a>
</td>
<td> <cite>{$hints.$k}</cite></td>
</tr>
diff --git a/civicrm/templates/CRM/Report/Form/Contact/Detail.tpl b/civicrm/templates/CRM/Report/Form/Contact/Detail.tpl
index fec1d0616d..093c0964d9 100644
--- a/civicrm/templates/CRM/Report/Form/Contact/Detail.tpl
+++ b/civicrm/templates/CRM/Report/Form/Contact/Detail.tpl
@@ -96,7 +96,7 @@
{assign var=fieldLink value=$field|cat:"_link"}
{assign var=fieldHover value=$field|cat:"_hover"}
<td class="report-contents crm-report_{$field}">
- {if $row.$fieldLink}<a title="{$row.$fieldHover}" href="{$row.$fieldLink}">{/if}
+ {if $row.$fieldLink}<a title="{$row.$fieldHover|escape}" href="{$row.$fieldLink}">{/if}
{if $row.$field eq 'Subtotal'}
{$row.$field}
@@ -142,7 +142,7 @@
{assign var=fieldHover value=$field|cat:"_hover"}
<td class="report-contents crm-report_{$field}">
{if $row.$fieldLink}
- <a title="{$row.$fieldHover} "href="{$row.$fieldLink}">
+ <a title="{$row.$fieldHover|escape}" href="{$row.$fieldLink}">
{/if}
{if $row.$field eq 'Sub Total'}
diff --git a/civicrm/templates/CRM/Report/Form/Fields.tpl b/civicrm/templates/CRM/Report/Form/Fields.tpl
index 3a36eeaedf..7b8619b872 100644
--- a/civicrm/templates/CRM/Report/Form/Fields.tpl
+++ b/civicrm/templates/CRM/Report/Form/Fields.tpl
@@ -31,7 +31,7 @@
<ul>
{foreach from=$tabs item='tab'}
<li class="ui-corner-all">
- <a title="{$tab.title}" href="#report-tab-{$tab.div_label}">{$tab.title}</a>
+ <a title="{$tab.title|escape}" href="#report-tab-{$tab.div_label}">{$tab.title}</a>
</li>
{/foreach}
{if $instanceForm OR $instanceFormError}
diff --git a/civicrm/templates/CRM/Report/Form/Layout/Overlay.tpl b/civicrm/templates/CRM/Report/Form/Layout/Overlay.tpl
index 550445b5f6..5e06606d7f 100644
--- a/civicrm/templates/CRM/Report/Form/Layout/Overlay.tpl
+++ b/civicrm/templates/CRM/Report/Form/Layout/Overlay.tpl
@@ -99,7 +99,7 @@
{assign var=fieldClass value=$field|cat:"_class"}
<td class="crm-report-{$field}{if $header.type eq 1024 OR $header.type eq 1} report-contents-right{elseif $row.$field eq 'Subtotal'} report-label{/if}">
{if $row.$fieldLink}
- <a title="{$row.$fieldHover}" href="{$row.$fieldLink}" {$row.$fieldClass}>
+ <a title="{$row.$fieldHover|escape}" href="{$row.$fieldLink}" {$row.$fieldClass}>
{/if}
{if $row.$field eq 'Subtotal'}
diff --git a/civicrm/templates/CRM/Report/Form/Layout/Table.tpl b/civicrm/templates/CRM/Report/Form/Layout/Table.tpl
index b4cf6a7f61..2c2f448a14 100644
--- a/civicrm/templates/CRM/Report/Form/Layout/Table.tpl
+++ b/civicrm/templates/CRM/Report/Form/Layout/Table.tpl
@@ -112,7 +112,7 @@
{assign var=fieldHover value=$field|cat:"_hover"}
<td class="crm-report-{$field}{if $header.type eq 1024 OR $header.type eq 1 OR $header.type eq 512} report-contents-right{elseif $row.$field eq 'Subtotal'} report-label{/if}">
{if $row.$fieldLink}
- <a title="{$row.$fieldHover}" href="{$row.$fieldLink}">
+ <a title="{$row.$fieldHover|escape}" href="{$row.$fieldLink}">
{/if}
{if $row.$field eq 'Subtotal'}
diff --git a/civicrm/templates/CRM/Report/Page/InstanceList.tpl b/civicrm/templates/CRM/Report/Page/InstanceList.tpl
index 12ae9a5e87..b0d470e342 100644
--- a/civicrm/templates/CRM/Report/Page/InstanceList.tpl
+++ b/civicrm/templates/CRM/Report/Page/InstanceList.tpl
@@ -54,7 +54,7 @@
{foreach from=$row.actions item=action key=action_name}
<li><a href="{$action.url}" class="{$action_name} action-item crm-hover-button small-popup"
{if $action.confirm_message}onclick="return window.confirm({$action.confirm_message|json_encode|htmlspecialchars})"{/if}
- title="{$action.label}">{$action.label}</a></li>
+ title="{$action.label|escape}">{$action.label}</a></li>
{/foreach}
</ul>
</span>
diff --git a/civicrm/templates/CRM/Tag/Form/Tag.tpl b/civicrm/templates/CRM/Tag/Form/Tag.tpl
index 64ccc9707e..bad26d491b 100644
--- a/civicrm/templates/CRM/Tag/Form/Tag.tpl
+++ b/civicrm/templates/CRM/Tag/Form/Tag.tpl
@@ -41,11 +41,11 @@
selected = $("#tagtree").jstree(true).get_selected(true);
$.each(selected, function(k, item) {
var $tag = $(item.text);
- tags.push('<span class="crm-tag-item" style="' + $tag.attr('style') + '" title="' + ($tag.attr('title') || '') + '">' + $tag.text() + '</span>');
+ tags.push('<span class="crm-tag-item" style="' + $tag.attr('style') + '" title="' + ($.parseHTML($tag.attr('title')) || '') + '">' + $tag.text() + '</span>');
});
$('input.crm-contact-tagset').each(function() {
$.each($(this).select2('data'), function (i, tag) {
- tags.push('<span class="crm-tag-item" title="' + (tag.description || '') + '"' + (tag.color ? 'style="color: ' + CRM.utils.colorContrast(tag.color) + '; background-color: ' + tag.color + ';"' : '') + '>' + tag.label + '</span>');
+ tags.push('<span class="crm-tag-item" title="' + ($.parseHTML(tag.description.text) || '') + '"' + (tag.color ? 'style="color: ' + CRM.utils.colorContrast(tag.color) + '; background-color: ' + tag.color + ';"' : '') + '>' + tag.label + '</span>');
});
});
// contact summary tabs and search forms both listen for this event
diff --git a/civicrm/templates/CRM/Tag/Form/Tagtree.tpl b/civicrm/templates/CRM/Tag/Form/Tagtree.tpl
index 8f3a1df17e..ff60e77953 100644
--- a/civicrm/templates/CRM/Tag/Form/Tagtree.tpl
+++ b/civicrm/templates/CRM/Tag/Form/Tagtree.tpl
@@ -28,7 +28,7 @@
{foreach from=$tree item="node" key="id"}
<li>
<a id="tag_{$id}" class="{if !$node.is_selectable || $permission neq 'edit'}jstree-disabled{/if} {if $tagged[$id]}jstree-clicked{/if}">
- <span class="crm-tag-item" {if !empty($allTags.$id.color)}style="background-color: {$allTags.$id.color}; color: {$allTags.$id.color|colorContrast};"{/if} title="{$node.description}">
+ <span class="crm-tag-item" {if !empty($allTags.$id.color)}style="background-color: {$allTags.$id.color}; color: {$allTags.$id.color|colorContrast};"{/if} title="{$node.description|escape}">
{$node.name}
</span>
</a>
diff --git a/civicrm/templates/CRM/common/TabHeader.tpl b/civicrm/templates/CRM/common/TabHeader.tpl
index 87d77b5c36..f786ea142b 100644
--- a/civicrm/templates/CRM/common/TabHeader.tpl
+++ b/civicrm/templates/CRM/common/TabHeader.tpl
@@ -31,7 +31,7 @@
{foreach from=$tabHeader key=tabName item=tabValue}
<li id="tab_{$tabName}" class="crm-tab-button ui-corner-all{if !$tabValue.valid} disabled{/if}{if isset($tabValue.class)} {$tabValue.class}{/if}" {$tabValue.extra}>
{if $tabValue.active}
- <a href="{if !empty($tabValue.template)}#panel_{$tabName}{else}{$tabValue.link}{/if}" title="{$tabValue.title}{if !$tabValue.valid} ({ts}disabled{/ts}){/if}">{$tabValue.title}{if isset($tabValue.count)} <em>{$tabValue.count}</em>{/if}</a>
+ <a href="{if !empty($tabValue.template)}#panel_{$tabName}{else}{$tabValue.link}{/if}" title="{$tabValue.title|escape}{if !$tabValue.valid} ({ts}disabled{/ts}){/if}">{$tabValue.title}{if isset($tabValue.count)} <em>{$tabValue.count}</em>{/if}</a>
{else}
<span {if !$tabValue.valid} title="{ts}disabled{/ts}"{/if}>{$tabValue.title}</span>
{/if}
diff --git a/civicrm/templates/CRM/common/displaySearchCriteria.tpl b/civicrm/templates/CRM/common/displaySearchCriteria.tpl
index a8f5065918..2258bfd53b 100644
--- a/civicrm/templates/CRM/common/displaySearchCriteria.tpl
+++ b/civicrm/templates/CRM/common/displaySearchCriteria.tpl
@@ -31,7 +31,7 @@
<ul>
<li>
{foreach from=$orClauses name=criteria item=item}
- {$item}
+ {$item|escape}
{if !$smarty.foreach.criteria.last}
<span class="font-italic">...{ts}AND{/ts}...</span>
{/if}
@@ -52,10 +52,10 @@
{else}
{foreach from=$orClauses name=criteria item=item}
<div class="qill">
- {$item}
+ {$item|escape}
{if !$smarty.foreach.criteria.last}
{if $operator}
- <span class="font-italic">...{$operator}...</span>
+ <span class="font-italic">...{$operator|escape}...</span>
{else}
<span class="font-italic">...{ts}AND{/ts}...</span>
{/if}
diff --git a/civicrm/templates/CRM/common/version.tpl b/civicrm/templates/CRM/common/version.tpl
index b6b64bf821..882e3bb510 100644
--- a/civicrm/templates/CRM/common/version.tpl
+++ b/civicrm/templates/CRM/common/version.tpl
@@ -1 +1 @@
-4.7.25
\ No newline at end of file
+4.7.26
\ No newline at end of file
diff --git a/civicrm/vendor/autoload.php b/civicrm/vendor/autoload.php
index e394db9087..454ff7727c 100644
--- a/civicrm/vendor/autoload.php
+++ b/civicrm/vendor/autoload.php
@@ -4,4 +4,4 @@
require_once __DIR__ . '/composer' . '/autoload_real.php';
-return ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3::getLoader();
+return ComposerAutoloaderInitd91b6ab246f1d54f953335c9553090a2::getLoader();
diff --git a/civicrm/vendor/composer/autoload_real.php b/civicrm/vendor/composer/autoload_real.php
index fb5a16ab0f..26f3a204e0 100644
--- a/civicrm/vendor/composer/autoload_real.php
+++ b/civicrm/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
// autoload_real.php @generated by Composer
-class ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3
+class ComposerAutoloaderInitd91b6ab246f1d54f953335c9553090a2
{
private static $loader;
@@ -19,9 +19,9 @@ class ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3
return self::$loader;
}
- spl_autoload_register(array('ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3', 'loadClassLoader'), true, true);
+ spl_autoload_register(array('ComposerAutoloaderInitd91b6ab246f1d54f953335c9553090a2', 'loadClassLoader'), true, true);
self::$loader = $loader = new \Composer\Autoload\ClassLoader();
- spl_autoload_unregister(array('ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3', 'loadClassLoader'));
+ spl_autoload_unregister(array('ComposerAutoloaderInitd91b6ab246f1d54f953335c9553090a2', 'loadClassLoader'));
$includePaths = require __DIR__ . '/include_paths.php';
array_push($includePaths, get_include_path());
@@ -31,7 +31,7 @@ class ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3
if ($useStaticLoader) {
require_once __DIR__ . '/autoload_static.php';
- call_user_func(\Composer\Autoload\ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3::getInitializer($loader));
+ call_user_func(\Composer\Autoload\ComposerStaticInitd91b6ab246f1d54f953335c9553090a2::getInitializer($loader));
} else {
$map = require __DIR__ . '/autoload_namespaces.php';
foreach ($map as $namespace => $path) {
@@ -52,19 +52,19 @@ class ComposerAutoloaderInit427427f4ae594ef73cf117ccf2a7c8a3
$loader->register(true);
if ($useStaticLoader) {
- $includeFiles = Composer\Autoload\ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3::$files;
+ $includeFiles = Composer\Autoload\ComposerStaticInitd91b6ab246f1d54f953335c9553090a2::$files;
} else {
$includeFiles = require __DIR__ . '/autoload_files.php';
}
foreach ($includeFiles as $fileIdentifier => $file) {
- composerRequire427427f4ae594ef73cf117ccf2a7c8a3($fileIdentifier, $file);
+ composerRequired91b6ab246f1d54f953335c9553090a2($fileIdentifier, $file);
}
return $loader;
}
}
-function composerRequire427427f4ae594ef73cf117ccf2a7c8a3($fileIdentifier, $file)
+function composerRequired91b6ab246f1d54f953335c9553090a2($fileIdentifier, $file)
{
if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
require $file;
diff --git a/civicrm/vendor/composer/autoload_static.php b/civicrm/vendor/composer/autoload_static.php
index 58252e4b49..57049cd8a3 100644
--- a/civicrm/vendor/composer/autoload_static.php
+++ b/civicrm/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@
namespace Composer\Autoload;
-class ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3
+class ComposerStaticInitd91b6ab246f1d54f953335c9553090a2
{
public static $files = array (
'decc78cc4436b1292c6c0d151b19445c' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/bootstrap.php',
@@ -331,10 +331,10 @@ class ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3
public static function getInitializer(ClassLoader $loader)
{
return \Closure::bind(function () use ($loader) {
- $loader->prefixLengthsPsr4 = ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3::$prefixLengthsPsr4;
- $loader->prefixDirsPsr4 = ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3::$prefixDirsPsr4;
- $loader->prefixesPsr0 = ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3::$prefixesPsr0;
- $loader->classMap = ComposerStaticInit427427f4ae594ef73cf117ccf2a7c8a3::$classMap;
+ $loader->prefixLengthsPsr4 = ComposerStaticInitd91b6ab246f1d54f953335c9553090a2::$prefixLengthsPsr4;
+ $loader->prefixDirsPsr4 = ComposerStaticInitd91b6ab246f1d54f953335c9553090a2::$prefixDirsPsr4;
+ $loader->prefixesPsr0 = ComposerStaticInitd91b6ab246f1d54f953335c9553090a2::$prefixesPsr0;
+ $loader->classMap = ComposerStaticInitd91b6ab246f1d54f953335c9553090a2::$classMap;
}, null, ClassLoader::class);
}
--
GitLab