CRM: Resolves 3414 - escape output in typeaheads (#35171)

* Patch main typeahead template * Patch invoice typeahead template * Add changelog * Remove pre-DAL3 code * Catch more unescaped output
Automattic · Jan 23, 2024 · 04b03b3 · 04b03b3
1 parent a0263df
commit 04b03b3
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 26 deletions.
diff --git a/projects/plugins/crm/changelog/fix-crm-3414-patch_XSS_in_typeaheads b/projects/plugins/crm/changelog/fix-crm-3414-patch_XSS_in_typeaheads
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Fixed: Escape output in typeaheads.
diff --git a/projects/plugins/crm/js/ZeroBSCRM.admin.global.js b/projects/plugins/crm/js/ZeroBSCRM.admin.global.js
@@ -931,10 +931,10 @@ function zbscrm_JS_Bind_Typeaheads_Customers() {
 							var name = r.name.trim()
 								? r.name
 								: zeroBSCRMJS_globViewLang( 'contact' ) + ' #' + r.id;
-							var email = r.email ? r.email : '<i>no email</i>';
+							var email = r.email ? jpcrm.esc_html(r.email) : '<i>no email</i>';
 							sug =
 								'<div class="sug-wrap"><div class="name">' +
-								name +
+								jpcrm.esc_html(name) +
 								'</div><div class="email">' +
 								email +
 								'</div></div><div class="clear"></div>';

diff --git a/projects/plugins/crm/js/ZeroBSCRM.admin.invoicebuilder.js b/projects/plugins/crm/js/ZeroBSCRM.admin.invoicebuilder.js
@@ -1783,12 +1783,12 @@ function zbscrm_JS_invoice_typeahead_bind() {
 						var name = r.name.trim()
 							? r.name
 							: zeroBSCRMJS_globViewLang( 'contact' ) + ' #' + r.id;
-						var email = r.email ? r.email : '<i>' + zbscrm_JS_invoice_lang( 'noemail' ) + '</i>';
+						var email = r.email ? jpcrm.esc_html(r.email) : '<i>' + zbscrm_JS_invoice_lang( 'noemail' ) + '</i>';
 						sug =
 							'<div class="sug-wrap"><div class="ico">' +
 							ico +
 							'</div><div class="inner"><div class="name">' +
-							name +
+							jpcrm.esc_html(name) +
 							'</div><div class="email">' +
 							email +
 							'</div></div><div class="clear"</div></div>';

diff --git a/projects/plugins/crm/js/ZeroBSCRM.admin.transactioneditor.js b/projects/plugins/crm/js/ZeroBSCRM.admin.transactioneditor.js
@@ -156,29 +156,15 @@ function zbscrmjs_build_custInv_dropdown( custID, preSelectedInvID ) {
 						var invStr = '',
 							invID = -1;
 
-						// 3.0
-						if ( zbscrm_JS_DAL() > 2 ) {
-							// translated from admin.view php
-							invID = ele.id;
+						// translated from admin.view php
+						invID = ele.id;
 
-							// id
-							invStr = '#' + ele.id;
+						// id
+						invStr = '#' + ele.id;
 
-							// if ref, that too
-							if ( typeof ele.id_override !== 'undefined' ) {
-								invStr += ' - ' + ele.id_override;
-							}
-						} else {
-							// <3.0
-							invID = ele.id; //  POST id
-
-							// #TRANSITIONTOMETANO
-							if ( typeof ele.zbsid !== 'undefined' ) {
-								invStr += '#' + ele.zbsid;
-							} else {
-								// forced to show post id as some kind of identifier..
-								invStr += '#PID:' + ele.id;
-							}
+						// if ref, that too
+						if ( typeof ele.id_override !== 'undefined' ) {
+							invStr += ' - ' + ele.id_override;
 						}
 
 						if ( typeof ele.meta !== 'undefined' ) {
@@ -199,7 +185,7 @@ function zbscrmjs_build_custInv_dropdown( custID, preSelectedInvID ) {
 							retHTML += ' selected="selected"';
 						}
 
-						retHTML += '>' + invStr + '</option>';
+						retHTML += '>' + jpcrm.esc_html(invStr) + '</option>';
 					} );
 				} else {
 					// no invs