From 9dd9446d473d86c9f1efd837188728662c2ca075 Mon Sep 17 00:00:00 2001
From: AdrienClairembault
Date: Tue, 17 Sep 2024 12:21:21 +0200
Subject: [PATCH] Better HTML encoding for DbUtils, DisplayPreference and DocumentType
---
 src/DbUtils.php | 14 +++++++-------
 src/DisplayPreference.php | 4 ++--
 src/DocumentType.php | 5 +++--
 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/src/DbUtils.php b/src/DbUtils.php
index c109724ddef..e3a8e26f2b1 100644
--- a/src/DbUtils.php
+++ b/src/DbUtils.php
@@ -1476,14 +1476,14 @@ public function getTreeValueCompleteName($table, $ID, $withcomment = false, $tra
 $alias = $result['alias']; if (!empty($alias)) { $name = $alias;
- $comment .= "" . __('Alias:') . " " . $alias . "
"; + $comment .= "" . __s('Alias:') . " " . htmlspecialchars($alias) . "
"; } if (!empty($code)) { $name .= ' - ' . $code; - $comment .= "" . __('Code:') . " " . $code . "
"; + $comment .= "" . __s('Code:') . " " . htmlspecialchars($code) . "
"; } if (!empty($address)) { - $acomment .= $address; + $acomment .= htmlspecialchars($address); } if ( !empty($address) && @@ -1492,19 +1492,19 @@ public function getTreeValueCompleteName($table, $ID, $withcomment = false, $tra $acomment .= '
'; } if (!empty($town)) {
- $acomment .= $town;
+ $acomment .= htmlspecialchars($town);
 } if (!empty($country)) { if (!empty($town)) { $acomment .= ' - '; }
- $acomment .= $country;
+ $acomment .= htmlspecialchars($country);
 } if (trim($acomment) != '') {
- $comment .= " " . __('Address:') . " " . $acomment . "
"; + $comment .= " " . __s('Address:') . " " . $acomment . "
"; } } - $comment .= " " . __('Comments') . " "; + $comment .= " " . __s('Comments') . " "; } $transcomment = $result['transcomment']; if ($translate && !empty($transcomment)) { diff --git a/src/DisplayPreference.php b/src/DisplayPreference.php index 39d8f880fc3..c4e78969a96 100644 --- a/src/DisplayPreference.php +++ b/src/DisplayPreference.php @@ -80,8 +80,8 @@ public static function showMassiveActionsSubForm(MassiveAction $ma) { switch ($ma->getAction()) { case 'reset_to_default': - $msg = __('This will reset the columns to the defaults for a new installation.'); - $msg2 = __('This will only work for types from GLPI itself or enabled plugins that support this action.'); + $msg = __s('This will reset the columns to the defaults for a new installation.'); + $msg2 = __s('This will only work for types from GLPI itself or enabled plugins that support this action.'); echo '
' . $msg . '
' . $msg2 . '
'; echo Html::submit(_x('button', 'Post'), ['name' => 'massiveaction']); return true;
diff --git a/src/DocumentType.php b/src/DocumentType.php
index 2c2017e880c..2f9fa9dcd9d 100644
--- a/src/DocumentType.php
+++ b/src/DocumentType.php
@@ -130,7 +130,7 @@ public static function getSpecificValueToDisplay($field, $values, array $options
 case 'icon': if (!empty($values[$field])) { return " ";
+ htmlspecialchars($CFG_GLPI["typedoc_icon_dir"] . "/" . $values[$field]) . "'>";
 } } return parent::getSpecificValueToDisplay($field, $values, $options);
@@ -191,7 +191,8 @@ public static function showAvailableTypesLink($options = [])
 $display .= Ajax::createIframeModalWindow( "documenttypelist_{$p['rand']}", $CFG_GLPI["root_doc"] . "/front/documenttype.list.php",
- ['title' => static::getTypeName(Session::getPluralNumber()),
+ [
+ 'title' => static::getTypeName(Session::getPluralNumber()),
 'display' => false ] );
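Review bot: `_x('button', 'Post')` on the `Html::submit()` line of the -80 hunk is still the unescaped variant while `$msg` and `$msg2` two lines above moved to `__s()`; unless `Html::submit()` encodes its label itself, the label should get the escaped counterpart in the same way. `__s()` is the right level for `$msg`/`$msg2` because they are concatenated straight into echoed markup (the tags themselves were stripped in this rendering), but a short comment on the `$msg` line, `// __s(): these strings are echoed as raw HTML below`, would record why the escaped variant is needed here. showMassiveActionsSubForm() continues past the end of the hunk.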
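Review bot: in the -130 hunk the encoded icon path is written into a single-quoted `src='…'` attribute (the `'>` remnant is visible even though this rendering appears to have dropped the opening `<img` tag and the removed line), yet `htmlspecialchars()` is called without flags; on PHP before 8.1 the ENT_COMPAT default does not encode `'`, so a stored file name containing a quote would terminate the attribute early. Passing the flags explicitly closes that gap: `htmlspecialchars($CFG_GLPI["typedoc_icon_dir"] . "/" . $values[$field], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. HTML encoding is also not URL encoding, so if `$values[$field]` can contain `?`, `#` or `%` the file-name part wants `rawurlencode()` before the HTML escape; whether it is a free-form value or a validated name is not visible here. The -191 hunk is formatting only. getSpecificValueToDisplay() begins before the hunk.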