diff --git a/include/utils/ListViewUtils.php b/include/utils/ListViewUtils.php
index 0ef21b7d773caffc5422394f5e4a0f98afbdc746..bfb4b763b0ada34c68208e70300e381dccd4c1f9 100755
--- a/include/utils/ListViewUtils.php
+++ b/include/utils/ListViewUtils.php
@@ -675,9 +675,9 @@ function decode_html($str) {
 	global $default_charset;
 	// Direct Popup action or Ajax Popup action should be treated the same.
 	if ((isset($_REQUEST['action']) && $_REQUEST['action'] == 'Popup') || (isset($_REQUEST['file']) && $_REQUEST['file'] == 'Popup'))
-		return html_entity_decode($str);
+		return purifyHtmlEventAttributes(html_entity_decode($str));
 	else
-		return html_entity_decode($str, ENT_QUOTES, $default_charset);
+		return purifyHtmlEventAttributes(html_entity_decode($str, ENT_QUOTES, $default_charset));
 }
 
 function popup_decode_html($str) {
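Review bot: Both new `purifyHtmlEventAttributes(...)` calls in decode_html omit the second argument that every call site removed by this commit passed as `true` (`purifyHtmlEventAttributes(decode_html($purifiedContent),true)`), so the filter may run in a different mode from the one it replaces; confirm the default is intended or pass the flag explicitly. Placing the filter here also applies it to every value decoded through this helper, not only to rich-text fields such as `signature` and `notecontent`, whose save-time filtering is removed in modules/Users/actions/Save.php, modules/Users/actions/SaveAjax.php, modules/Vtiger/actions/Save.php and modules/Vtiger/actions/SaveAjax.php. The `vtlib_purify` step those call sites ran is not reproduced in this function, and whether those fields still pass through it elsewhere is not visible in the diff. A comment above the two returns would document the contract, for example `// Output-side filter: neutralises HTML event attributes only; it is not a substitute for vtlib_purify on rich-text input`. The function's signature line sits above the hunk.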
diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index 2d2088431c1cfa7983aff4f9992f395453864755..433479214a62bb9435fd1dd12877f31fc6e4f8e9 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -76,12 +76,6 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			if ($fieldName == 'roleid' && !($currentUserModel->isAdminUser())) {
 				$fieldValue = null;
 			}
-            if($fieldName == 'signature' && $fieldValue !== null){
-                $fieldValue = $request->getRaw($fieldName);
-                $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                // Purify malicious html event attributes
-                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-			}
 
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue)) {
diff --git a/modules/Users/actions/SaveAjax.php b/modules/Users/actions/SaveAjax.php
index 86fdfbe4684a8b93a6d67391e7059434d9bad291..5188833bbf57d126b0247fac44e7853ad9f0fc46 100644
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -104,13 +104,6 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 				$recordModel->set($fieldName,$existingRecordModel->get($fieldName));
 			}
 		}
-        if($fieldName == 'signature'){
-            $fieldValue = $request->getRaw($fieldName);
-            $purifiedContent = vtlib_purify(decode_html($fieldValue));
-            // Purify malicious html event attributes
-            $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-            $recordModel->set($fieldName,$fieldValue);
-        }
 		return $recordModel;
 	}
 
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index 5a7c00d1b16cde1208a7493e8bcedd6305bb39fa..4e3ac8e5ca92a0323d131877b1f8792933d7b071 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -160,12 +160,6 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			if($fieldDataType == 'time' && $fieldValue !== null){
 				$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 			}
-            if($fieldName == 'notecontent' && $fieldValue !== null){
-                $fieldValue = $request->getRaw($fieldName);
-                $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                // Purify malicious html event attributes
-                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue) && $fieldDataType != 'currency') {
 					$fieldValue = trim($fieldValue);
diff --git a/modules/Vtiger/actions/SaveAjax.php b/modules/Vtiger/actions/SaveAjax.php
index af467fe726dfe86de38e139dafd9b69c1b13e7e6..49ec727dac8c4cbea38a539dc8272d587e736ca4 100644
--- a/modules/Vtiger/actions/SaveAjax.php
+++ b/modules/Vtiger/actions/SaveAjax.php
@@ -106,12 +106,6 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
 				if ($fieldDataType == 'time' && $fieldValue !== null) {
 					$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 				}
-                if($fieldName == 'notecontent' && $fieldValue !== null){
-                    $fieldValue = $request->getRaw($fieldName);
-                    $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                    // Purify malicious html event attributes
-                    $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-                }
 				if ($fieldValue !== null) {
 					if (!is_array($fieldValue)) {
 						$fieldValue = trim($fieldValue);
diff --git a/packages/vtiger/optional/ModComments.zip b/packages/vtiger/optional/ModComments.zip
index adafd7048a486f9e73fec17d88fd03a61e34d675..fa0dae5f586572ffd459bf257c38c66c33c6f761 100644
Binary files a/packages/vtiger/optional/ModComments.zip and b/packages/vtiger/optional/ModComments.zip differ
diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
index bb6126d2ead8236bd6bae1d7f094ebe2e7fce588..402aeb954c59403f5c3a4bbab6022a1ae37a8707 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -74,11 +74,11 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
 		
-        $commentContent = $request->getRaw('commentcontent');
-        $purifiedContent = vtlib_purify(decode_html($commentContent));
-        // Purify malicious html event attributes
-        $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-		$recordModel->set('commentcontent', $fieldValue);
+//        $commentContent = $request->getRaw('commentcontent');
+//        $purifiedContent = vtlib_purify(decode_html($commentContent));
+//        // Purify malicious html event attributes
+//        $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
         $recordModel->set('is_private', $request->get('is_private'));
 
 		return $recordModel;
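Review bot: `$recordModel->set('commentcontent', $request->getRaw('commentcontent'));` now stores the request value with no purification at all, whereas the lines it replaces ran `vtlib_purify` and the event-attribute filter before saving. The safety of stored comments then rests on every render path going through decode_html, which is not visible in this hunk and which, as changed in this commit, filters event attributes only. Keeping a sanitising step at the write preserves defence in depth, for example `$recordModel->set('commentcontent', vtlib_purify($request->getRaw('commentcontent')));`. The four commented-out lines should be deleted rather than left in place, since version control already holds the old code. The method's closing brace is outside the hunk.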