SuiteCRM 7.12.10 Release

README.md

@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.9
+# SuiteCRM 7.12.10
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

include/Dashlets/DashletRssFeedTitle.php

@@ -98,9 +98,13 @@ public function readFeed()
     public function getTitle()
     {
         $matches = array();
-        preg_match("/<title>.*?<\/title>/i", $this->contents, $matches);
+        preg_match("/<title>(.*?)<\/title>/i", $this->contents, $matches);
         if (isset($matches[0])) {
-            $this->title = str_replace(array('<![CDATA[', '<title>', '</title>', ']]>'), '', $matches[0]);
+            $match = $matches[0];
+            if (isset($matches[1])) {
+                $match = '<title>' . htmlentities($matches[1] ?? '') . '</title>';
+            }
+            $this->title = str_replace(array('<![CDATA[', '<title>', '</title>', ']]>'), '', $match);
         }
     }
 

include/utils.php

@@ -2654,6 +2654,27 @@ function securexsskey($value, $die = true)
     }
 }
 
+/**
+ * @param string|null $value
+ * @return string
+ */
+function purify_html(?string $value): string {
+
+    if (($value ?? '') === '') {
+        return '';
+    }
+
+    $cleanedValue = htmlentities(SugarCleaner::cleanHtml($value, true));
+    $decoded = html_entity_decode($cleanedValue);
+    $doubleDecoded = html_entity_decode($decoded);
+
+    if (stripos($decoded, '<script>') !== false || stripos($doubleDecoded, '<script>') !== false){
+        $cleanedValue = '';
+    }
+
+    return $cleanedValue;
+}
+
 function preprocess_param($value)
 {
     if (is_string($value)) {
@@ -6051,3 +6072,21 @@ function isAllowedModuleName(string $value): bool {
 
     return false;
 }
+
+/**
+ * @param $endpoint
+ * @return bool
+ */
+function isSelfRequest($endpoint) : bool {
+    $domain = 'localhost';
+    if (isset($_SERVER["HTTP_HOST"])) {
+        $domain = $_SERVER["HTTP_HOST"];
+    }
+
+    $siteUrl = SugarConfig::getInstance()->get('site_url');
+    if (empty($siteUrl)){
+        $siteUrl = '';
+    }
+
+    return stripos($endpoint, $domain) !== false || stripos($endpoint, $siteUrl) !== false;
+}

modules/AOS_PDF_Templates/AOS_PDF_Templates.php

@@ -35,5 +35,11 @@ public function __construct()
         parent::__construct();
     }
 
-
+    public function cleanBean()
+    {
+        parent::cleanBean();
+        $this->pdfheader = purify_html($this->pdfheader);
+        $this->description = purify_html($this->description);
+        $this->pdffooter = purify_html($this->pdffooter);
+    }
 }

modules/Home/Dashlets/RSSDashlet/RSSDashlet.php

@@ -141,9 +141,7 @@ public function displayOptions()
      * @param array $req $_REQUEST
      * @return array filtered options to save
      */
-    public function saveOptions(
-        array $req
-        ) {
+    public function saveOptions($req) {
         $options = array();
         $options['title'] = $req['title'];
         $options['url'] = $req['url'];

modules/Home/Dashlets/iFrameDashlet/iFrameDashlet.php

@@ -76,6 +76,10 @@ public function __construct($id, $options = null)
             $this->url = $options['url'];
         }
 
+        if (isSelfRequest($this->url)) {
+            $this->url = '';
+        }
+
         if (empty($options['height']) || (int)$options['height'] < 1) {
             $this->height = 315;
         } else {

suitecrm_version.php

@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.12.9';
-$suitecrm_timestamp = '2023-01-25 12:00:00';
+$suitecrm_version = '7.12.10';
+$suitecrm_timestamp = '2023-03-02 12:00:00';