From 9e295f6b75a1eac024765353f7e9f963eb8e2a1f Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Wed, 4 Jul 2018 09:49:35 +1000
Subject: [PATCH] Resolve #9 by purifying label of entity reference values
---
 CRM/Core/Form/Renderer.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CRM/Core/Form/Renderer.php b/CRM/Core/Form/Renderer.php
index 230cfa142fd4..0d1bd6cb7791 100644
--- a/CRM/Core/Form/Renderer.php
+++ b/CRM/Core/Form/Renderer.php
@@ -248,6 +248,14 @@ public static function preProcessEntityRef($field) {
 $params = $field->getAttribute('data-api-params');
 $params = $params ? json_decode($params, TRUE) : array();
 $result = civicrm_api3($entity, 'getlist', array('id' => $val) + $params);
+ // Purify label output of entityreference fields
+ if (!empty($result['values'])) {
+ foreach ($result['values'] as &$res) {
+ if (!empty($res['label'])) {
+ $res['label'] = CRM_Utils_String::purifyHTML($res['label']);
+ }
+ }
+ }
 if ($field->isFrozen()) {
 // Prevent js from treating frozen entityRef as a "live" field
 $field->removeAttribute('class');
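Review bot: The added `foreach ($result['values'] as &$res)` loop leaves `$res` bound by reference to the last element of `$result['values']` after it ends, so any later assignment to `$res` in preProcessEntityRef would silently overwrite that entry and its purified label. Add `unset($res);` immediately after the loop's closing brace, or iterate by key and write `$result['values'][$key]['label'] = CRM_Utils_String::purifyHTML($res['label']);` so no reference outlives the loop. Only `label` is purified; if the widget also renders other getlist fields as HTML (not visible here), they would need the same treatment. The function continues outside the hunk, so it is worth confirming that wherever `$result['values']` is finally emitted also applies encoding suited to that output context, and a short comment saying where the label ends up would help the next reader.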