Better HTML encoding for Database, DatabaseInstance and Datacenter

glpi-project · Sep 17, 2024 · 8591aa8 · 8591aa8
1 parent a347731
commit 8591aa8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 16 deletions.
diff --git a/src/Database.php b/src/Database.php
@@ -377,8 +377,8 @@ public static function showForInstance(DatabaseInstance $instance)
 
         if ($canedit) {
             echo "<div class='center firstbloc'>" .
-            "<a class='btn btn-primary' href='" . static::getFormURL() . "?databaseinstances_id=$ID'>";
-            echo __('Add a database');
+            "<a class='btn btn-primary' href='" . htmlspecialchars(static::getFormURL()) . "?databaseinstances_id=$ID'>";
+            echo __s('Add a database');
             echo "</a></div>\n";
         }
 
@@ -406,15 +406,15 @@ public static function showForInstance(DatabaseInstance $instance)
         );
 
         if (empty($databases)) {
-            echo "<tr><th>" . __('No database') . "</th></tr>";
+            echo "<tr><th>" . __s('No database') . "</th></tr>";
         } else {
-            echo "<tr class='noHover'><th colspan='10'>" . self::getTypeName(Session::getPluralNumber()) . "</th></tr>";
+            echo "<tr class='noHover'><th colspan='10'>" . htmlspecialchars(self::getTypeName(Session::getPluralNumber())) . "</th></tr>";
 
-            $header = "<tr><th>" . __('Name') . "</th>";
-            $header .= "<th>" . sprintf(__('%1$s (%2$s)'), __('Size'), __('Mio')) . "</th>";
-            $header .= "<th>" . __('Is active') . "</th>";
-            $header .= "<th>" . __('Has backup') . "</th>";
-            $header .= "<th>" . __('Is dynamic') . "</th>";
+            $header = "<tr><th>" . __s('Name') . "</th>";
+            $header .= "<th>" . sprintf(__('%1$s (%2$s)'), __s('Size'), __s('Mio')) . "</th>";
+            $header .= "<th>" . __s('Is active') . "</th>";
+            $header .= "<th>" . __s('Has backup') . "</th>";
+            $header .= "<th>" . __s('Is dynamic') . "</th>";
             $header .= "</tr>";
             echo $header;
 
@@ -452,9 +452,10 @@ public function prepareInputForAdd($input)
     public static function getAdditionalMenuLinks()
     {
         $links = [];
+        $label = htmlspecialchars(DatabaseInstance::getTypeName(Session::getPluralNumber()));
         if (static::canView()) {
-            $insts = "<i class=\"ti ti-database-import\" title=\"" . DatabaseInstance::getTypeName(Session::getPluralNumber()) .
-            "\"></i><span class='d-none d-xxl-block'>" . DatabaseInstance::getTypeName(Session::getPluralNumber()) . "</span>";
+            $insts = "<i class=\"ti ti-database-import\" title=\"$label\"" .
+            "></i><span class='d-none d-xxl-block'>$label</span>";
             $links[$insts] = DatabaseInstance::getSearchURL(false);
         }
         if (count($links)) {

diff --git a/src/DatabaseInstance.php b/src/DatabaseInstance.php
@@ -314,7 +314,7 @@ public static function getSpecificValueToDisplay($field, $values, array $options
                     if ($values[$field] > 0) {
                         $item = new $itemtype();
                         if ($item->getFromDB($values[$field])) {
-                            return "<a href='" . $item->getLinkURL() . "'>" . $item->fields['name'] . "</a>";
+                            return "<a href='" . htmlspecialchars($item->getLinkURL()) . "'>" . htmlspecialchars($item->fields['name']) . "</a>";
                         } else {
                             return ' ';
                         }

diff --git a/src/Datacenter.php b/src/Datacenter.php
@@ -195,12 +195,11 @@ public static function rawSearchOptionsToAdd($itemtype)
     public static function getAdditionalMenuLinks()
     {
         $links = [];
+        $label = htmlspecialchars(DCRoom::getTypeName(Session::getPluralNumber()));
         if (static::canView()) {
             $rooms = "<i class='ti ti-building pointer'
-                      title=\"" . DCRoom::getTypeName(Session::getPluralNumber()) . "\"></i>
-            <span class='d-none d-xxl-block ps-1'>
-               " . DCRoom::getTypeName(Session::getPluralNumber()) . "
-            </span>";
+                      title=\"$label\"></i>
+            <span class='d-none d-xxl-block ps-1'>$label</span>";
             $links[$rooms] = DCRoom::getSearchURL(false);
         }
         if (count($links)) {