Fix escaping handling in formatUserName() and getUserName()
cedric-anne committed Sep 17, 2024
1 parent a347731 commit de33d4e
Showing 21 changed files with 366 additions and 304 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -219,6 +219,8 @@ The present file will list all changes made to the project; according to the
- `js/Forms/FaIconSelector.js` and therefore `window.GLPI.Forms.FaIconSelector` has been deprecated and replaced by `js/modules/Form/WebIconSelector.js`
- `linkuser_types`, `linkgroup_types`, `linkuser_tech_types`, `linkgroup_tech_types` configuration entries have been merged in a unique `assignable_types` configuration entry.
- Usage of the `front/dropdown.common.php` and the `dropdown.common.form.php` files. There is now a generic controller that will serve the search and form pages of any `Dropdown` class.
- Usage of the `$link` parameter in `formatUserName()` and `DbUtils::formatUserName()`. Use `formatUserLink()` or `DbUtils::formatUserLink()` instead.
- Usage of the `$link` parameter in `getUserName()` and `DbUtils::getUserName()`. Use `getUserLink()`, `DbUtils::getUserLink()`, or `User::getInfoCard()` instead.
- `Auth::getErr()`
- `AuthLDAP::dropdownUserDeletedActions()`
- `AuthLDAP::getOptions()`
Expand Down Expand Up @@ -311,6 +313,7 @@ The present file will list all changes made to the project; according to the
- `CommonGLPI::showDislayOptions()`
- `CommonITILActor::showUserNotificationForm()`
- `CommonITILActor::showSupplierNotificationForm()`
- `CommonITILObject::getAssignName()`
- `CommonITILValidation::alreadyExists()`
- `CommonITILValidation::getTicketStatusNumber()`
- `CommonTreeDropdown::sanitizeSeparatorInCompletename()`
Expand Down Expand Up @@ -496,6 +499,7 @@ The present file will list all changes made to the project; according to the
- `ajax/planningcheck.php` script. Use `Planning::showPlanningCheck()` instead.
- `test_ldap` and `test_ldap_replicate` actions in `front/authldap.form.php`. Use `ajax/ldap.php` instead.
- `ajax/ticketsatisfaction.php` and `ajax/changesatisfaction.php` scripts. Access `ajax/commonitilsatisfaction.php` directly instead.
- Usage of the `$cut` parameter in `formatUserName()` and `DbUtils::formatUserName()`.


## [10.0.17] unreleased
24 changes: 10 additions & 14 deletions ajax/comments.php
Expand Up @@ -60,36 +60,32 @@

switch ($_POST["itemtype"]) {
case User::getType():
$link = null;
$comments = [];
if ($_POST['value'] == 0) {
$tmpname = [
'link' => $CFG_GLPI['root_doc'] . "/front/user.php",
'comment' => "",
];
$link = $CFG_GLPI['root_doc'] . "/front/user.php";
} else {
$user = new \User();
if (is_array($_POST["value"])) {
$comments = [];
foreach ($_POST["value"] as $users_id) {
if ($user->getFromDB($users_id) && $user->canView()) {
$username = getUserName($users_id, 2);
$comments[] = $username['comment'] ?? "";
$comments[] = $user->getInfoCard();
}
}
$tmpname = [
'comment' => implode("<br>", $comments),
];
unset($_POST['withlink']);
} else {
if ($user->getFromDB($_POST['value']) && $user->canView()) {
$tmpname = getUserName($_POST["value"], 2);
$link = $user->getLinkURL();
$comments[] = $user->getInfoCard();
}
}
}
echo($tmpname["comment"] ?? '');

if (isset($_POST['withlink']) && isset($tmpname['link'])) {
echo(implode("<br>", $comments));

if (isset($_POST['withlink']) && $link !== null) {
echo "<script type='text/javascript' >\n";
echo Html::jsGetElementbyID($_POST['withlink']) . ".attr('href', '" . $tmpname['link'] . "');";
echo Html::jsGetElementbyID($_POST['withlink']) . ".attr('href', '" . htmlspecialchars($link) . "');";
echo "</script>\n";
}
break;
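Review bot: The href written by `echo Html::jsGetElementbyID($_POST['withlink']) . ".attr('href', '" . htmlspecialchars($link) . "');";` is escaped for an HTML context but emitted inside a `<script>` block, where character references are not decoded, so with PHP 8.1's default flags a `'` or `&` in the URL reaches JavaScript as a literal `&#039;` or `&amp;` instead of the original character; the JavaScript-context escape is `json_encode`, i.e. `echo Html::jsGetElementbyID($_POST['withlink']) . ".attr('href', " . json_encode($link, JSON_THROW_ON_ERROR) . ");";`. Both values assigned to `$link` in this hunk come from `$CFG_GLPI['root_doc']` or `$user->getLinkURL()` rather than from the request, so this is a robustness fix more than an injection concern. The element id from `$_POST['withlink']` is still handed straight to `Html::jsGetElementbyID()`; whether that helper escapes it is not visible here. The new `echo(implode("<br>", $comments));` also relies on `User::getInfoCard()` returning already-escaped HTML, which is worth confirming since it is now echoed without further treatment.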
13 changes: 4 additions & 9 deletions front/stat.graph.php
Expand Up @@ -88,25 +88,22 @@
$val1 = $_GET["id"];
$val2 = "";
$values = Stat::getItems($_GET["itemtype"], $_GET["date1"], $_GET["date2"], $_GET["type"]);
$link = User::canView() ? 1 : 0;
$name = $item->getAssignName($_GET["id"], 'User', $link);
$title = sprintf(
__s('%1$s: %2$s'),
__s('Technician'),
$link ? $name : htmlspecialchars($name)
getUserLink($_GET["id"])
);
break;

case "suppliers_id_assign":
$val1 = $_GET["id"];
$val2 = "";
$values = Stat::getItems($_GET["itemtype"], $_GET["date1"], $_GET["date2"], $_GET["type"]);
$link = Supplier::canView() ? 1 : 0;
$name = $item->getAssignName($_GET["id"], 'Supplier', $link);
$supplier = Supplier::getById($_GET["id"]);
$title = sprintf(
__s('%1$s: %2$s'),
Supplier::getTypeName(1),
$link ? $name : htmlspecialchars($name)
$supplier !== false ? $supplier->getLink(['comments' => true]) : ''
);
break;

Expand All @@ -115,12 +112,10 @@
$val1 = $_GET["id"];
$val2 = "";
$values = Stat::getItems($_GET["itemtype"], $_GET["date1"], $_GET["date2"], $_GET["type"]);
$link = User::canView() ? 1 : 0;
$name = getUserName($_GET["id"], $link);
$title = sprintf(
__s('%1$s: %2$s'),
User::getTypeName(1),
$link ? $name : htmlspecialchars($name)
getUserLink($_GET["id"])
);
break;

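Review bot: The `User::canView()` and `Supplier::canView()` gates that previously decided whether the title carried a link (old lines `$link = User::canView() ? 1 : 0;` and `$link = Supplier::canView() ? 1 : 0;`) are dropped in all three branches, and `getUserLink($_GET["id"])` and `$supplier->getLink(['comments' => true])` are now called unconditionally. If those helpers do not perform the same permission check internally, a viewer without rights on users or suppliers now receives a link (and, for suppliers, the comments tooltip) where they previously saw only an escaped name; that cannot be verified from this page, so either confirm the helpers enforce it or keep the gate, e.g. `User::canView() ? getUserLink($_GET["id"]) : htmlspecialchars(getUserName($_GET["id"]))`. The same applies to the `users_id` branch in the second hunk (`@@ -115,12 +112,10 @@`). As before, `$_GET["id"]` reaches these helpers without an integer cast.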
16 changes: 8 additions & 8 deletions src/Change.php
Expand Up @@ -1224,9 +1224,8 @@ public static function showCentralList($start, $status = "process", $showgroupch
) {
foreach ($change->users[CommonITILActor::REQUESTER] as $d) {
if ($d["users_id"] > 0) {
$userdata = getUserName($d["users_id"], 2);
$name = '<i class="fas fa-sm fa-fw fa-user text-muted me-1"></i>' .
$userdata['name'];
htmlspecialchars(getUserName($d["users_id"]));
$requesters[] = $name;
} else {
$requesters[] = '<i class="fas fa-sm fa-fw fa-envelope text-muted me-1"></i>' .
Expand Down Expand Up @@ -1451,16 +1450,17 @@ public static function showVeryShort($ID, $forcetab = '')
&& count($change->users[CommonITILActor::REQUESTER])
) {
foreach ($change->users[CommonITILActor::REQUESTER] as $d) {
if ($d["users_id"] > 0) {
$userdata = getUserName($d["users_id"], 2);
$name = "<span class='b'>" . $userdata['name'] . "</span>";
$user = new User();
if ($d["users_id"] > 0 && $user->getFromDB($d["users_id"])) {
$name = "<span class='b'>" . htmlspecialchars($user->getName()) . "</span>";
if ($viewusers) {
$name = sprintf(
__('%1$s %2$s'),
__s('%1$s %2$s'),
$name,
Html::showToolTip(
$userdata["comment"],
['link' => $userdata["link"],
$user->getInfoCard(),
[
'link' => $user->getLinkURL(),
'display' => false
]
)
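Review bot: In `showVeryShort()` the new condition `if ($d["users_id"] > 0 && $user->getFromDB($d["users_id"]))` sends a requester whose `users_id` is set but whose row no longer loads into the `else` branch below (outside this hunk), which previously handled only the `users_id == 0` case; confirm that branch renders something sensible for a dangling id rather than an e-mail-style placeholder. Separately, `$user = new User();` is now created on every iteration of the `foreach`; moving that line above the loop avoids the per-row allocation, assuming `getFromDB()` fully reloads the object (the failing case never reads `$user`, so stale state is not an issue there). The function body continues past the end of the hunk.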
9 changes: 6 additions & 3 deletions src/CommonDBTM.php
Expand Up @@ -4911,11 +4911,14 @@ public function getValueToDisplay($field_id_or_search_options, $values, $options
return $searchoptions['emptylabel'];
}

$user = new User();
if ($searchoptions['table'] == 'glpi_users') {
if (!$user->getFromDB($value)) {
return '';
}
if ($param['comments']) {
$tmp = getUserName($value, 2);
return $tmp['name'] . '&nbsp;' . Html::showToolTip(
$tmp['comment'],
return $user->getLink() . '&nbsp;' . Html::showToolTip(
$user->getInfoCard(),
['display' => false]
);
}
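Review bot: `$user = new User();` is placed before the `if ($searchoptions['table'] == 'glpi_users')` check, so every `getValueToDisplay()` call for a non-user field constructs a `User` object it never uses; move the line inside the `if`. The new early `return '';` when `getFromDB($value)` fails is also a behaviour change for dangling user ids (previously the name lookup ran regardless); if callers expect to see something for a deleted user, returning the escaped raw value would be the safer default. Whether `$user->getLink()` applies the same view-permission check as the replaced `getUserName($value, 2)` is not visible here and worth confirming. `getValueToDisplay()` begins and ends outside this hunk.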