From 820ff1304bbb4ffea25ee3f48af5dc43c4131de8 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Mon, 6 Jul 2020 19:17:33 +0530
Subject: [PATCH] Fixes email fields validation for xss attack

---
 layouts/v7/modules/Emails/resources/MassEdit.js |  5 +++++
 layouts/v7/modules/Vtiger/resources/Utils.js    | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/layouts/v7/modules/Emails/resources/MassEdit.js b/layouts/v7/modules/Emails/resources/MassEdit.js
index 05dc98d19..830481f6d 100644
--- a/layouts/v7/modules/Emails/resources/MassEdit.js
+++ b/layouts/v7/modules/Emails/resources/MassEdit.js
@@ -281,6 +281,11 @@ jQuery.Class("Emails_MassEdit_Js",{},{
 					return { id: term, text: term };
 				}
 			},
+                        escapeMarkup: function(m) {
+                            // Do not escape HTML in the select options text
+                            m = vtUtils.stripTags(String(m),'<i><b>');
+                            return m;
+ 			}
 
 		}).on("change", function (selectedData) {
 			var addedElement = selectedData.added;
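Review bot: The `escapeMarkup` override at the top of the hunk replaces select2's HTML escaping with tag stripping, so any part of the option text that is not a recognised tag reaches the DOM as raw markup, and the allowed `<i>`/`<b>` tags are kept together with whatever attributes they carry (stripTags returns the whole match for an allowed tag name). A safer shape is to escape the whole string first and then restore only the bare allowed tags, e.g. `return jQuery('<div>').text(String(m)).html().replace(/&lt;(\/?)(i|b)&gt;/gi, '<$1$2>');`. The comment `// Do not escape HTML in the select options text` would then be wrong and should instead say why `<i>` and `<b>` are permitted, e.g. `// Escape everything, then re-allow bare <i>/<b> used for option formatting`. The added lines are indented with spaces while the surrounding file uses tabs, and the closing brace line has a stray leading space. The enclosing select2 options object and the `Emails_MassEdit_Js` method both start outside the hunk.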
diff --git a/layouts/v7/modules/Vtiger/resources/Utils.js b/layouts/v7/modules/Vtiger/resources/Utils.js
index 455e205cd..c51009b48 100644
--- a/layouts/v7/modules/Vtiger/resources/Utils.js
+++ b/layouts/v7/modules/Vtiger/resources/Utils.js
@@ -366,6 +366,14 @@ var vtUtils = {
         jQuery(function () {
             jQuery('[data-toggle="tooltip"]').tooltip(options);
         });
+    },
+    
+    stripTags : function(string,allowed) {
+        //https://stackoverflow.com/questions/5601903/jquery-almost-equivalent-of-phps-strip-tags#answer-46483672
+        allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('');
+        var tags = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi;
+        return string.replace(tags, function ($0, $1) {
+            return allowed.indexOf('<' + $1.toLowerCase() + '>') > -1 ? $0 : '';
+        });
     }
-
 }
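Review bot: `stripTags` returns `$0` unchanged for an allowed tag, so the attribute part matched by `[^>]*` is preserved and an allowed `<b>` or `<i>` keeps any event-handler or `style` attribute it arrived with, which undermines the XSS fix this commit is meant to be. Re-emit a bare tag for the allowed case instead of the original text: `return allowed.indexOf('<' + $1.toLowerCase() + '>') > -1 ? ($0.charAt(1) === '/' ? '</' : '<') + $1.toLowerCase() + '>' : '';`. The `tags` regex also requires a terminating `>`, so an unterminated tag at the end of the input is left as is; the function should be documented as a display filter rather than the sole defence, with a JSDoc such as `@param {string} string - text to filter`, `@param {string} [allowed] - allowed tags in PHP strip_tags form, e.g. '<b><i>'`, `@returns {string}` replacing the bare Stack Overflow URL comment. The `vtUtils` object literal starts outside the hunk.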
-- 
GitLab