From 4d4f12b53abf327e163f32c882825251377843dd Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Wed, 4 Dec 2019 16:31:51 +0530
Subject: [PATCH] Fixes #1220 XSS vulnerability is addressed

---
 packages/vtiger/optional/ModComments.zip      | Bin 38880 -> 38785 bytes
 .../modules/ModComments/actions/SaveAjax.php  |   5 -----
 2 files changed, 5 deletions(-)

diff --git a/packages/vtiger/optional/ModComments.zip b/packages/vtiger/optional/ModComments.zip
index fa0dae5f586572ffd459bf257c38c66c33c6f761..4dd6cf47a20001315c969f5234c1331e089382a0 100644
GIT binary patch
delta 1480
zcmYL}dpOg39LMKJ40ETLOSzu89QQ6H(up)fF1b9CW|BQMGnd05<`ScY&2O7RDlyhM
zZjIICQcfuGR7W#e$|cuaRwNP~sq}rG@Avz>U!T|WeExe6)c~nAK<z`Mf_C}^56F+B
z1cN{jAi;hoxQJ9Bk|+~FKW}WjG(<#fQWOH&d>VWO5u<zLlQ^v*wdT8Q-1-Lj=lXEd
z@gh42iU@2<sXw&dn!}|Zrk53~wy!6W%H}xir0@(e%Dx>X++wxhH5z_l`0Wgd{dHZf
zP0bFcphLxW*8_Fp&0|u1c8;eM9aa7&)~I5irHMiJ_v}TWx0?*#@YlCX3)Dh0<x4z`
zOf8p%>qka;L_ew5ISy^}r75&oZ6&zWf4J)Vd}y?coh}qx63K9anw`MU;>yWVW6f{X
zOX|eJbexB#6$j$yqPvGYl`U_{Y**tKFXAIf*^iDs?}(dZEiSxPwTH3{<+l;3hnW_c
zyq3ley-<S>2LkZBm)QitobAzF=D;=)BijB;Ju6?|qcZ<Rppg%}9$HbE%$Q+a!SF}F
zCHToB;tu5uB-}WjBQN)mC`U?vMUM;$oiiB-S)35<q8WR;wpz;wYXEvCHO35MsReUp
zWs$|^{Vxhxj3CtB$^zdJVx9whcQ%zm2yXxMihG7`0IH+!rR!(Mi#YES!Bo373+cu^
z?3^iib;GHJ-OJ?|iLmQ;@?lozQ{UNL6I5F&%+!ZoL00Cr#H~KTEt|_R$eo?-YeDf=
zt%2S6rn+rHoC}d8`M5mm7;9cn$EZy2RIBH6!zdKOccI$l%`O;mc6dzR>A*W|p|a!3
zr7X25v=T2a+=`R+?g9hrW03Pg{5*)(fG<!wU;i~Wb(uren6y5AYbX!)$KwkL9qmJW
z?Y${EFAFgv|3t8m)sGr(x|{XqJ#`M^5h`^o_MniQIMP|iGBU?!u;dK$z9u)h=#cA;
zb0RGffk7y4!uT?=&3AmMj)!<}&n~-<@n0L4A~VHTj_59Xi7x%wk;hM|OMd!*%<WR*
z$gO@DFIBHV%Y0$foptWbS!!(@yqTXwNEwWqq?k>QMrc&|PEEeKtzyvWh6+!vxf^;_
z+DhOM5W>@otmsi$>fO_CH})BO?dF@_<|d7v0&<0r-?>V>ryG`<F;x(`D&^undzzL%
zeCkl(*@L4?(e0iCD5l2)r_j?56R6wD)s6L6`<gPOYa2Xy_Td8Li;V6eqi{=W{q(3y
zHkp(wT&oB*ciD<gi_dqn2{fEKnDzM!TNx|a<klj}v1K%dsERL=OnU6w4n6T4*ijgl
z`@3$JLeFL5*kkRv#4c0sisA7X{;jrP=1WZub5O^7z$E7DP<1Z*`plR&B(1O1{6-O0
zYkx3arZ_j@Q!eHlw%*XS`BB=3<$HAjD>gBX9I8)?8Pg=!_)fB!LQeX0*??#IZ5x3_
zlM@UWn8v%{{EeBF(K%`Kea`+J*O^tkuxHuLd~Gzcs&~d#Ua<>cY3Q~X_=@4yg_eoG
zWknZC;>|`(t4?^~8rEfM63Q&s{MJVhM9svB!F5>wlhm%e&CldCqg2N8=PT=z&S<{u
z|2WDDA+AasbCrOWRB6?kia{XXs)hn*^F5Le%6_Y$UmV0x9HoEu&c+X-$tIwHA`6`K
z04;L2gYzE7U~rx+XiJ3y+@DAijHUVms$QE$4JZNDdg*Lh8u@U5@C!?Nn}EWL@*s5s
z_xWtu5ywq8F%*OYLf<W%<@eoA+Q40bKX4#`L2ntWXd}>@W&|waH__85aj=Mn1W=Jb
zA`FzIy94%7n-Nbx32<Y!#AC6DjioSfCqoN>#BJd~MgTB(elrr2tn&+ufSHu7p-X|6
Q$W^eYz(G8g^sTi22Mpc4L;wH)

delta 1515
zcmYL}dpOez7{_OmYc6we)|P7}<dT&`)H;^?WgEsyqHU5Wo6A_jQ0}AI&!rUQxWv>@
zNV%T5%uz0hB3&q|A<}Xyal+|2@AJIx`+Yv|`#j(OzOfbH(F$;7n?3Y#%q1-7ztWWf
zfwX}jlp65W9?H;WemL=~X>@6ji0DTM2(&S3+|N<oTFb9)Z6<}Hc}4#`iSC~8b4BAZ
zEK3Z$jDvYblB*<)OwDlZaJ03?d-c)c!HWe}$v(3^kM<e%GAp8cYL77@7g~oIYg4V;
z4xWReGyENEz*S<66H?C(TAx&~m?&o$!u<Q<4CKRdDLCGMH}6PO%6SQCRT4)&-&xnd
zWl8YkatCLTTSqtf24W;_SEx<I`*qsYhQ(HB_`>P-@@&2LdNNS2y4N0*_+*8N#&Jac
zU08`GdUR4Dmp-%4am;xfd0X+l&hzWz6l!8sr)^(HxL;YN@U=EdqD)7A3!}iY#3*jC
zDU_^$R2t5&z7KB@l$M37@JFvnZ$as1nlm3SugxJAzY`y4#uX=(Xxcdn;%sVLrwpf!
z>tto3?e(+vyL>*Yq3XHzbaoL*;L-9Q-lL|DdCO`4#&y(hL=W<tL-261{zFXL2hR~Z
zHM__SWJw->a)xx*qOsb9@%rOMC;*e%Mzd-tFjw;^m|L<QnmHMy=M@9Rv?K+%8b(go
z3q#3fZPxZ*B4xaYL$LzEot^E9-lJxZd~3@cMa}h(aY&p(6VH{05~{wd!K+KA&CSw*
zzTv{*ZmN$+<fo@^h-jn^8b66hmI%?29Gb<4rfest3?AIWHj!XJF3`{0Ib+S)T2{Cf
zv9_%T?k7*etG8XVaYLu>*9ENoAx(BhQp|{!!m;yb1Xrpb9AK4|<9TYZ1h&*XGxhIs
zG*<*sW6U2qqhD&z?aV50Hyp}2zJtp##j7Gzw04cux7Mil#~<ee@{z8i>7LC_H#Kn8
zAa9cz11--(A&f}ko_A3`yQCU=^?K%D?iFFgCwTR>+lDAYOrkmY^wEn|VZB6HP*(d{
zwb0oB8xssqmo9VaIkN=ui6Mxx-SvGMRKM7waf87BWD392&-SiV>fpOM`gz@|E6S7H
zH*(m6<hGM~t48{}KjLgQ^+$DY-&CiUm#pujW!KMwImYTtQZ9uUvE?Nf#CD!yy7bSc
zoe7xtd-*zhdvUkVH$_j&g_#_tU3QDxwOSzMK2@al56(+*rxVF$IXa%pv;?gp9Mgy|
z@3Ie7nDBOq8nM0b@->*vaIH~tX%D5?R%+Dgi%R8S)qqm#-kat=XBME!9_jt4zJ`#q
z+i>ZA9Sl9JY!Ib%8c9<K#N4m3U$M%4MI^uIb}jBkFUm&NFqf?iZ-7Tll;b5|ISM<6
zBLYUN+eT37RmIsQdNfU8>N`q@?`&^@%-!Uo>L??kGd_3TEV)!BbN590q*C`Vb4;Hk
z-)GG@LTdFevdRk(olYZPI<?jRg@=<^-p~bo#$R~kJQt!-pv~&qJ03uae={y;csD%G
z^w!nS3z~sXyLJt_Pu0_nRSD&FO9NLP_Pz}yf17ScC~LOo+!OR9L}xol!3$rsVEB<r
zL&C=2q1PoY-ocP6-USRGEwOU$@u(X*M?A-+n96<P`d3eRI5c$`b4rBI(nC}kJMykN
zTRh<If1z#`WAnk|{m@GEp3`Xsr*?l8&URvi<{$dh2^Lz*>1Is<w`nH9`wz9pR;+<>
z4&oBBN&MzCQ4nZ7%2@DwbZqpWvg;A|KL<ov7Sg|R?dJw!Q((Z&Bt;;SB@1c9f&eI0
z31DIOurJF3BP=)shWmvi0p*ONBH;if!%w8|=TrqaE_y&EQyxIF;b3DofSREK$hjG8
zpt7F`OV~g<gv~Ei01npi+&}~X59Sd!<aMGh@D<PnyHWx5OkYSjb=?jD6lLNedBK}n
yIqN7GMgyo>fg;|(o2)R1Q`F``D{9lMDjN=Qh}~p@Y!{Ig;9$;Sv4O<(T>lqy@xNOD

diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
index 402aeb954..94f853b97 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -73,11 +73,6 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	 */
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
-		
-//        $commentContent = $request->getRaw('commentcontent');
-//        $purifiedContent = vtlib_purify(decode_html($commentContent));
-//        // Purify malicious html event attributes
-//        $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
 		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
         $recordModel->set('is_private', $request->get('is_private'));
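Review bot: The new side still stores the unpurified request value at `$recordModel->set('commentcontent', $request->getRaw('commentcontent'));`, so this hunk does not by itself address the XSS named in the subject; it only deletes the commented-out vtlib_purify/purifyHtmlEventAttributes lines. The actual fix presumably lives in the rebuilt ModComments.zip or in output-side escaping, but the description does not say where, and the binary delta cannot be reviewed here. A short comment at that line would make the intent checkable, e.g. `// commentcontent is stored raw on purpose; escaping is applied at render time — see #1220`, naming the place where that escaping happens. getRecordModelFromRequest continues past the end of the hunk.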
 
-- 
GitLab