diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 48c315e1c18e92b913f975e9c04341d255a47ddb..8ddf0ec62d89af05853f8742b03e9606a85ddefd 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -724,11 +724,19 @@ function purifyHtmlEventAttributes($value,$replaceAll = false){
 // remove malicious html attributes with its value.
 if ($replaceAll) {
- //Handled to address multiple html entity encoding for '=' character
- $regex = '\s*(=|=|&#61;|&#x26;#61;|&#61;)\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+ $regex = '\s*[=&%#]\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
 $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
+
+ /**
+ * #131224556::if anchor tag having 'javascript:' string then remove the tag contents.
+ * Right now, we fixed this for anchor tag as we don't see any other such things right now.
+ * All other event attributes are already handled above. Need to update this if any thing new found
+ */
+ $javaScriptRegex = '/<a [^>]*(j[\s]?a[\s]?v[\s]?a[\s]?s[\s]?c[\s]?r[\s]?i[\s]?p[\s]?t[\s]*[=&%#:])[^>]*?>/i';
+ $value = preg_replace($javaScriptRegex,'<a>',$value);
+
 } else {
- if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*(=|=|&#61;|&#x26;#61;|&#61;)/i", $value)) {
+ if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
 $value = str_replace("=", "=", $value);
 }
 }
diff --git a/layouts/v7/modules/Vtiger/uitypes/Text.tpl b/layouts/v7/modules/Vtiger/uitypes/Text.tpl
index 1c75e18b9b443b2a74b412da06538a59608f8e06..53b1d0f055ffe7744cad12e1de8954405d0271b2 100644
--- a/layouts/v7/modules/Vtiger/uitypes/Text.tpl
+++ b/layouts/v7/modules/Vtiger/uitypes/Text.tpl
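Review bot: The new `$javaScriptRegex` only fires on an anchor written as `<a` followed by a literal space, so `<a\thref="javascript:...">` or `<a/href=javascript:...>` (both parsed as an anchor by browsers) pass through untouched, and other URL-bearing elements such as `iframe src`, `form action` or `object data` are not examined at all, as the added comment itself concedes. A minimal tightening is `$javaScriptRegex = '/<a[\s\/][^>]*(j\s?a\s?v\s?a\s?s\s?c\s?r\s?i\s?p\s?t\s*[=&%#:])[^>]*?>/i';`, but a denylist over raw HTML will keep needing patches of this kind; if an allowlist purifier (HTMLPurifier-style) is available in this codebase, routing the `$replaceAll` path through it would close these structurally. Note also that any attribute text containing `javascript:` (a title, say) now drops every attribute of the tag, which is safe but lossy and deserves a comment. `purifyHtmlEventAttributes` starts before this hunk (the `$htmlEventAttributes` list is not visible here) and its `return` lies after it.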
@@ -22,7 +22,8 @@ data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}' {/if} >
- {$FIELD_MODEL->get('fieldvalue')}</textarea>
+ {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\ (?=\w)/":" "}
+ </textarea>
 {else}
 <textarea rows="5" id="{$MODULE}_editView_fieldName_{$FIELD_NAME}" class="inputElement {if $FIELD_MODEL->isNameField()}nameField{/if}" name="{$FIELD_NAME}" {if !empty($SPECIAL_VALIDATOR)}data-validator='{Zend_Json::encode($SPECIAL_VALIDATOR)}'{/if} {if $FIELD_INFO["mandatory"] eq true} data-rule-required="true" {/if}
@@ -30,6 +31,7 @@ data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}' {/if} >
- {$FIELD_MODEL->get('fieldvalue')}</textarea>
+ {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\ (?=\w)/":" "}
+ </textarea>
 {/if}
 {/strip}
diff --git a/modules/Vtiger/uitypes/Text.php b/modules/Vtiger/uitypes/Text.php
index 074f19d29550e961d1ea61f30beb9c5934a6191f..054024feaf65d0df6407e816200055fbeb023bea 100644
--- a/modules/Vtiger/uitypes/Text.php
+++ b/modules/Vtiger/uitypes/Text.php
@@ -15,8 +15,15 @@ class Vtiger_Text_UIType extends Vtiger_Base_UIType {
 * @param <Object> $value
 * @return <Object>
 */
- public function getDisplayValue($value, $record=false, $recordInstance=false) {
- return nl2br($value);
+ public function getDisplayValue($value, $record=false, $recordInstance = false,$removeTags = false) {
+ //This API replaces newlines to html br tags, and spaces with 
+ // It should not replace spaces within html tags
+ $value = decode_html(preg_replace('/\r\n|\r|\n|
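Review bot: The textarea still receives the field value unescaped; `purifyHtmlEventAttributes` removes `on*` attributes and `javascript:` anchors but does nothing about a literal `</textarea>` in the value, so a stored value of the form `</textarea><script>…</script>` (if such a value can reach storage) closes the element and executes in the edit view. Textarea content is RCDATA in which the browser decodes character references, so escaping is lossless here: `{$FIELD_MODEL->get('fieldvalue')|escape:'html'}` renders the same visible text without a denylist pass. The trailing `regex_replace` appears to turn a non-breaking space into a plain space, but the character inside `\ ` is not recoverable from this listing; if the value is stored with an `&nbsp;` entity, decode it before the escape rather than after. The second hunk of this file makes the identical change and needs the same treatment.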
|&NewLine;/','<br>',$value));
+ if($removeTags){
+ $value = strip_tags($value,'<br>');
+ }
+ $value = purifyHtmlEventAttributes($value, true);
+ return $value;
 }
 /**
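Review bot: `decode_html` now runs on the stored value before the denylist pass, so anything persisted entity-encoded (the pattern's own `&NewLine;` alternative shows such input is expected) is turned back into live markup on display, while `purifyHtmlEventAttributes` only removes `on*` attributes and `javascript:` anchors: a decoded `<script>…</script>`, `<iframe src=javascript:…>` or `<svg><script>` survives unless the caller passes `$removeTags = true`, which defaults to false. The pre-change body, `nl2br($value)`, never decoded, so this is a new exposure rather than an inherited one, assuming the save path does entity-encode; please confirm that. Either drop the `decode_html(...)` wrapper and run the newline `preg_replace` on the encoded string, or pass the decoded string through an allowlist purifier before the `return`. The docblock above the method still documents only `$value`; add `@param bool $removeTags strip every tag except <br> before returning` and note that `strip_tags` keeps attributes on the retained `<br>`, which is why the event-attribute pass must stay after it.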