From c94dcdd6f895d549cde4730bed9ebc88c2b15987 Mon Sep 17 00:00:00 2001
From: AdrienClairembault <aclairembault@teclib.com>
Date: Tue, 17 Sep 2024 15:36:28 +0200
Subject: [PATCH] Better HTML encoding for Domain and Dropdown

---
 src/Domain.php   |  7 ++---
 src/Dropdown.php | 72 +++++++++++++++++++++++++-----------------------
 2 files changed, 40 insertions(+), 39 deletions(-)

diff --git a/src/Domain.php b/src/Domain.php
index 264b7ca92f2..0c61be90584 100644
--- a/src/Domain.php
+++ b/src/Domain.php
@@ -845,10 +845,9 @@ public static function getAdditionalMenuLinks()
     {
         $links = [];
         if (static::canManageRecords()) {
-            $rooms = "<i class='fa fa-clipboard-list pointer' title=\"" . DomainRecord::getTypeName(Session::getPluralNumber()) . "\"></i>
-            <span class='d-none d-xxl-block ps-1'>
-               " . DomainRecord::getTypeName(Session::getPluralNumber()) . "
-            </span>";
+            $label = htmlspecialchars(DomainRecord::getTypeName(Session::getPluralNumber()));
+            $rooms = "<i class='fa fa-clipboard-list pointer' title=\"$label\"></i>
+            <span class='d-none d-xxl-block ps-1'>$label</span>";
             $links[$rooms] = DomainRecord::getSearchURL(false);
         }
         if (count($links)) {
diff --git a/src/Dropdown.php b/src/Dropdown.php
index c8cf2b64bc0..b75705b1d28 100644
--- a/src/Dropdown.php
+++ b/src/Dropdown.php
@@ -611,36 +611,36 @@ public static function getDropdownName($table, $id, $withcomment = false, $trans
                             if (!empty($data["phone"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . Phone::getTypeName(1),
-                                    "</span>" . $data['phone']
+                                    "<span class='b'>" . htmlspecialchars(Phone::getTypeName(1)),
+                                    "</span>" . htmlspecialchars($data['phone'])
                                 );
                             }
                             if (!empty($data["phone2"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . __('Phone 2'),
-                                    "</span>" . $data['phone2']
+                                    "<span class='b'>" . __s('Phone 2'),
+                                    "</span>" . htmlspecialchars($data['phone2'])
                                 );
                             }
                             if (!empty($data["mobile"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . __('Mobile phone'),
-                                    "</span>" . $data['mobile']
+                                    "<span class='b'>" . __s('Mobile phone'),
+                                    "</span>" . htmlspecialchars($data['mobile'])
                                 );
                             }
                             if (!empty($data["fax"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . __('Fax'),
-                                    "</span>" . $data['fax']
+                                    "<span class='b'>" . __s('Fax'),
+                                    "</span>" . htmlspecialchars($data['fax'])
                                 );
                             }
                             if (!empty($data["email"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
                                     "<span class='b'>" . _n('Email', 'Emails', 1),
-                                    "</span>" . $data['email']
+                                    "</span>" . htmlspecialchars($data['email'])
                                 );
                             }
                         }
@@ -651,22 +651,22 @@ public static function getDropdownName($table, $id, $withcomment = false, $trans
                             if (!empty($data["phonenumber"])) {
                                  $comment .= "<br>" . sprintf(
                                      __('%1$s: %2$s'),
-                                     "<span class='b'>" . Phone::getTypeName(1),
-                                     "</span>" . $data['phonenumber']
+                                     "<span class='b'>" . htmlspecialchars(Phone::getTypeName(1)),
+                                     "</span>" . htmlspecialchars($data['phonenumber'])
                                  );
                             }
                             if (!empty($data["fax"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . __('Fax'),
-                                    "</span>" . $data['fax']
+                                    "<span class='b'>" . __s('Fax'),
+                                    "</span>" . htmlspecialchars($data['fax'])
                                 );
                             }
                             if (!empty($data["email"])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . _n('Email', 'Emails', 1),
-                                    "</span>" . $data['email']
+                                    "<span class='b'>" . _sn('Email', 'Emails', 1),
+                                    "</span>" . htmlspecialchars($data['email'])
                                 );
                             }
                         }
@@ -690,7 +690,7 @@ public static function getDropdownName($table, $id, $withcomment = false, $trans
                             if (!empty($data['locations_id'])) {
                                  $comment .= "<br>" . sprintf(
                                      __('%1$s: %2$s'),
-                                     "<span class='b'>" . Location::getTypeName(1) . "</span>",
+                                     "<span class='b'>" . htmlspecialchars(Location::getTypeName(1)) . "</span>",
                                      self::getDropdownName(
                                          "glpi_locations",
                                          $data["locations_id"],
@@ -702,7 +702,7 @@ public static function getDropdownName($table, $id, $withcomment = false, $trans
                             if (!empty($data['budgettypes_id'])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . _n('Type', 'Types', 1) . "</span>",
+                                    "<span class='b'>" . _sn('Type', 'Types', 1) . "</span>",
                                     self::getDropdownName(
                                         "glpi_budgettypes",
                                         $data["budgettypes_id"],
@@ -714,14 +714,14 @@ public static function getDropdownName($table, $id, $withcomment = false, $trans
                             if (!empty($data['begin_date'])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . __('Start date') . "</span>",
+                                    "<span class='b'>" . __s('Start date') . "</span>",
                                     Html::convDateTime($data["begin_date"])
                                 );
                             }
                             if (!empty($data['end_date'])) {
                                 $comment .= "<br>" . sprintf(
                                     __('%1$s: %2$s'),
-                                    "<span class='b'>" . __('End date') . "</span>",
+                                    "<span class='b'>" . __s('End date') . "</span>",
                                     Html::convDateTime($data["end_date"])
                                 );
                             }
@@ -1359,6 +1359,8 @@ public static function showItemTypeMenu(string $title, array $optgroup, string $
 
         echo "<div class='container-fluid text-start'>";
         echo "<div class='mb-3 row'>";
+
+        $title = htmlspecialchars($title);
         echo "<label class='col-sm-1 col-form-label'>$title</label>";
         $selected = '';
 
@@ -2272,21 +2274,21 @@ public static function showFromArray($name, array $elements, $options = [])
         if ($param['readonly']) {
             $to_display = [];
             foreach ($param['values'] as $value) {
-                $output .= "<input type='hidden' name='$field_name' value='$value'>";
+                $output .= "<input type='hidden' name='" . htmlspecialchars($field_name) . "' value='" . htmlspecialchars($value) . "'>";
                 if (isset($elements[$value])) {
-                    $to_display[] = $elements[$value];
+                    $to_display[] = htmlspecialchars($elements[$value]);
                 }
             }
-            $output .= '<span class="form-control" readonly style="width: ' . $param["width"] . '">' . implode(', ', $to_display) . '</span>';
+            $output .= '<span class="form-control" readonly style="width: ' . htmlspecialchars($param["width"]) . '">' . implode(', ', $to_display) . '</span>';
         } else {
             if ($param['multiple']) {
                 // Fix for multiple select not sending any form data when no option is selected
-                $output .= "<input type='hidden' name='$original_field_name' value=''>";
+                $output .= "<input type='hidden' name='" . htmlspecialchars($original_field_name) . "' value=''>";
             }
-            $output  .= "<select name='$field_name' id='$field_id'";
+            $output  .= "<select name='" . htmlspecialchars($field_name) . "' id='" . htmlspecialchars($field_id) . "'";
 
             if ($param['width'] !== '') {
-                $output .= " style='width: " . $param['width'] . "'";
+                $output .= " style='width: " . htmlspecialchars($param['width']) . "'";
             }
 
             if ($param['tooltip']) {
@@ -2298,11 +2300,11 @@ public static function showFromArray($name, array $elements, $options = [])
             }
 
             if (!empty($param["on_change"])) {
-                $output .= " onChange='" . $param["on_change"] . "'";
+                $output .= " onChange='" . htmlspecialchars($param["on_change"]) . "'";
             }
 
             if ((is_int($param["size"])) && ($param["size"] > 0)) {
-                $output .= " size='" . $param["size"] . "'";
+                $output .= " size='" . htmlspecialchars($param["size"]) . "'";
             }
 
             if ($param["multiple"]) {
@@ -2363,7 +2365,7 @@ function ($key, $value) {
 
                     foreach ($val as $key2 => $val2) {
                         if (!isset($param['used'][$key2])) {
-                            $output .= "<option value='" . $key2 . "'";
+                            $output .= "<option value='" . htmlspecialchars($key2) . "'";
                            // Do not use in_array : trouble with 0 and empty value
                             foreach ($param['values'] as $value) {
                                 if (strcmp($key2, $value) === 0) {
@@ -2403,7 +2405,7 @@ function ($key, $value) {
             }
 
             if ($param['other'] !== false) {
-                $output .= "<option value='$other_select_option'";
+                $output .= "<option value='" . htmlspecialchars($other_select_option) . "'";
                 if (is_string($param['other'])) {
                     $output .= " selected";
                 }
@@ -2412,9 +2414,9 @@ function ($key, $value) {
 
             $output .= "</select>";
             if ($param['other'] !== false) {
-                $output .= "<input name='$other_select_option' id='$other_select_option' type='text'";
+                $output .= "<input name='" . htmlspecialchars($other_select_option) . "' id='" . htmlspecialchars($other_select_option) . "' type='text'";
                 if (is_string($param['other'])) {
-                    $output .= " value=\"" . $param['other'] . "\"";
+                    $output .= " value=\"" . htmlspecialchars($param['other']) . "\"";
                 } else {
                     $output .= " style=\"display: none\"";
                 }
@@ -2437,7 +2439,7 @@ function ($key, $value) {
            // Hack for All / None because select2 does not provide it
             $select   = __('All');
             $deselect = __('None');
-            $output  .= "<div class='invisible' id='selectallbuttons_$field_id'>";
+            $output  .= "<div class='invisible' id='selectallbuttons_" . htmlspecialchars($field_id) . "'>";
             $output  .= "<div class='d-flex justify-content-around p-1'>";
             $output  .= "<a class='btn btn-sm' " .
                       "onclick=\"selectAll('$field_id');$('#$field_id').select2('close');\">$select" .
@@ -2575,10 +2577,10 @@ public static function showGlobalSwitch($ID, $attrs = [])
                // Templates edition
                 if (!empty($params['withtemplate'])) {
                     echo "<input type='hidden' name='is_global' value='" .
-                      $params['management_restrict'] . "'>";
-                    echo (!$params['management_restrict'] ? __('Unit management') : __('Global management'));
+                        htmlspecialchars($params['management_restrict']) . "'>";
+                    echo (!$params['management_restrict'] ? __s('Unit management') : __s('Global management'));
                 } else {
-                    echo (!$params['value'] ? __('Unit management') : __('Global management'));
+                    echo (!$params['value'] ? __s('Unit management') : __s('Global management'));
                 }
             }
         }