Few htmlspecialchar() missing, some typos

src/SavedSearch_User.php

@@ -52,9 +52,9 @@ public static function getSpecificValueToDisplay($field, $values, array $options
         switch ($field) {
             case 'users_id':
                 if (!empty($values[$field])) {
-                    return "<span class='fa fa-star bookmark_default'><span class='sr-only'>" . __('Yes') . "</span></span>";
+                    return "<span class='fa fa-star bookmark_default'><span class='sr-only'>" . __s('Yes') . "</span></span>";
                 } else {
-                    return "<span class='fa fa-star bookmark_record'><span class='sr-only'>" . __('No') . "</span></span>";
+                    return "<span class='fa fa-star bookmark_record'><span class='sr-only'>" . __s('No') . "</span></span>";
                 }
         }
         return parent::getSpecificValueToDisplay($field, $values, $options);

src/Session.php

@@ -1449,7 +1449,7 @@ public static function haveRightsAnd($module, $rights = [])
 
 
     /**
-     * Have I one right of array $rights to module $module (conpare to session variable)
+     * Have I one right of array $rights to module $module (compare to session variable)
      *
      * @param string    $module Module to check
      * @param integer[] $rights Rights to check
@@ -1774,13 +1774,13 @@ public static function checkCSRF($data)
     /**
      * Get new IDOR token
      * This token validates the itemtype used by an ajax request is the one asked by a dropdown.
-     * So, we avoid IDOR request where an attacker asks for an another itemtype
-     * than the originaly intended
+     * So, we avoid IDOR request where an attacker asks for another itemtype
+     * than the originally intended
      *
      * @since 9.5.3
      *
      * @param string $itemtype
-     * @param array  $add_params more criteria to check validy of idor tokens
+     * @param array  $add_params more criteria to check validity of IDOR tokens
      *
      * @return string
      **/
@@ -1845,7 +1845,7 @@ public static function validateIDOR(array $data = []): bool
                 }
             }
 
-           // check all stored data for the idor token are present (and identical) in the posted data
+           // check all stored data for the IDOR token are present (and identical) in the posted data
             $match_expected = function ($expected, $given) use (&$match_expected) {
                 if (is_array($expected)) {
                     if (!is_array($given)) {
@@ -2261,7 +2261,7 @@ public static function authWithToken(
      * Load given entity.
      *
      * @param integer $entities_id  Entity to use
-     * @param boolean $is_recursive Whether to load entities recursivly or not
+     * @param boolean $is_recursive Whether to load entities recursively or not
      *
      * @return void
      */

src/Software.php

@@ -724,7 +724,7 @@ public static function dropdownLicenseToInstall($myname, $entity_restrict)
             $paramsselsoft
         );
 
-        echo "<span id='show_" . $myname . $rand . "'>&nbsp;</span>\n";
+        echo "<span id='show_" . htmlspecialchars($myname . $rand) . "'>&nbsp;</span>\n";
 
         return $rand;
     }

src/Supplier.php

@@ -371,7 +371,7 @@ public function getLinks($withname = false)
         $ret = '    ';
 
         if ($withname) {
-            $ret .= $this->fields["name"];
+            $ret .= htmlspecialchars($this->fields["name"]);
             $ret .= "  ";
         }
 
@@ -412,16 +412,16 @@ public function showInfocoms()
         Html::printPagerForm();
         echo "</th><th colspan='3'>";
         if ($number == 0) {
-            echo __('No associated item');
+            echo __s('No associated item');
         } else {
-            echo _n('Associated item', 'Associated items', $number);
+            echo _sn('Associated item', 'Associated items', $number);
         }
         echo "</th></tr>";
-        echo "<tr><th>" . _n('Type', 'Types', 1) . "</th>";
+        echo "<tr><th>" . _sn('Type', 'Types', 1) . "</th>";
         echo "<th>" . Entity::getTypeName(1) . "</th>";
-        echo "<th>" . __('Name') . "</th>";
-        echo "<th>" . __('Serial number') . "</th>";
-        echo "<th>" . __('Inventory number') . "</th>";
+        echo "<th>" . __s('Name') . "</th>";
+        echo "<th>" . __s('Serial number') . "</th>";
+        echo "<th>" . __s('Inventory number') . "</th>";
         echo "</tr>";
 
         $num = 0;
@@ -514,7 +514,7 @@ public function showInfocoms()
                     if ($nb > 0) {
                         $title = sprintf(__('%1$s: %2$s'), $title, $nb);
                     }
-                    echo "<td class='center'>" . $title . "</td>";
+                    echo "<td class='center'>" . htmlspecialchars($title) . "</td>";
                     echo "<td class='center' colspan='2'>";
                     $opt = ['order'      => 'ASC',
                         'is_deleted' => 0,
@@ -531,7 +531,7 @@ public function showInfocoms()
                     $link .= (strpos($link, '?') ? '&amp;' : '?');
 
                     echo "<a href='$link" .
-                     Toolbox::append_params($opt) . "'>" . __('Device list') . "</a></td>";
+                     Toolbox::append_params($opt) . "'>" . __s('Device list') . "</a></td>";
 
                     echo "<td class='center'>-</td><td class='center'>-</td></tr>";
                 } else if ($nb) {
@@ -542,7 +542,7 @@ public function showInfocoms()
                             $name = sprintf(__('%1$s (%2$s)'), $name, $data["id"]);
                         }
                         $link = $linktype::getFormURLWithID($data[$linkfield]);
-                        $name = "<a href='$link'>" . $name . "</a>";
+                        $name = "<a href='$link'>" . htmlspecialchars($name) . "</a>";
 
                         echo "<tr class='tab_bg_1";
                         if (isset($data['is_template']) && $data['is_template'] == 1) {
@@ -555,7 +555,7 @@ public function showInfocoms()
                             if ($nb > 0) {
                                 $title = sprintf(__('%1$s: %2$s'), $title, $nb);
                             }
-                            echo "<td class='center top' rowspan='$nb'>" . $title . "</td>";
+                            echo "<td class='center top' rowspan='$nb'>" . htmlspecialchars($title) . "</td>";
                         }
                         echo "<td class='center'>" . Dropdown::getDropdownName(
                             "glpi_entities",
@@ -565,17 +565,17 @@ public function showInfocoms()
                         echo ((isset($data['is_deleted']) && $data['is_deleted']) ? " tab_bg_2_2'" : "'") . ">";
                         echo $name . "</td>";
                         echo "<td class='center'>" .
-                           (isset($data["serial"]) ? "" . $data["serial"] . "" : "-") . "</td>";
+                           (isset($data["serial"]) ? htmlspecialchars($data["serial"]) : "-") . "</td>";
                         echo "<td class='center'>" .
-                           (isset($data["otherserial"]) ? "" . $data["otherserial"] . "" : "-") . "</td>";
+                           (isset($data["otherserial"]) ? htmlspecialchars($data["otherserial"]) : "-") . "</td>";
                         echo "</tr>";
                     }
                 }
                 $num += $nb;
             }
         }
         echo "<tr class='tab_bg_2'>";
-        echo "<td class='center'>" . (($num > 0) ? sprintf(__('%1$s = %2$s'), __('Total'), $num)
+        echo "<td class='center'>" . (($num > 0) ? sprintf(__s('%1$s = %2$s'), __s('Total'), $num)
                                              : "&nbsp;") . "</td>";
         echo "<td colspan='4'>&nbsp;</td></tr> ";
         echo "</table></div>";