From 2be27f5eb4fa048997bd38d09d611e65a8603d21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@fusiondirectory.org>
Date: Tue, 16 Jun 2020 14:12:31 +0200
Subject: [PATCH] :ambulance: fix(core) Various fixes with escaping

issue #6071
---
 ihtml/themes/breezy/simpleplugin_section.tpl |  2 +-
 include/class_objects.inc                    |  2 +-
 include/simpleplugin/class_simplePlugin.inc  | 14 ++++----------
 include/simpleplugin/class_simpleTabs.inc    |  3 ---
 plugins/addons/dashboard/groups_stats.tpl    |  2 +-
 plugins/addons/dashboard/pwd_stats.tpl       |  2 +-
 plugins/addons/dashboard/users_accounts.tpl  |  2 +-
 plugins/addons/dashboard/users_stats.tpl     |  2 +-
 plugins/generic/references/contents.tpl      |  2 +-
 setup/setup_checks.tpl                       |  2 +-
 setup/setup_migrate.tpl                      |  2 +-
 11 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/ihtml/themes/breezy/simpleplugin_section.tpl b/ihtml/themes/breezy/simpleplugin_section.tpl
index 03834100b..ce065e76a 100644
--- a/ihtml/themes/breezy/simpleplugin_section.tpl
+++ b/ihtml/themes/breezy/simpleplugin_section.tpl
@@ -1,5 +1,5 @@
 <fieldset id="{$sectionId}" class="plugin-section{$sectionClasses}">
-  <legend><span>{$section|escape}</span></legend>
+  <legend><span>{if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}</span></legend>
   <div>
   <table>
     {foreach from=$attributes item=attribute key=id}
diff --git a/include/class_objects.inc b/include/class_objects.inc
index 590dd34cf..68b1b6795 100644
--- a/include/class_objects.inc
+++ b/include/class_objects.inc
@@ -380,7 +380,7 @@ class objects
     $text = htmlescape($text);
 
     if ($icon && isset($infos['icon'])) {
-      $text = '<img alt="'.$infos['name'].'" title="'.$dn.'" src="'.htmlescape($infos['icon']).'" class="center"/>&nbsp;'.$text;
+      $text = '<img alt="'.htmlescape($infos['name']).'" title="'.htmlescape($dn).'" src="'.htmlescape($infos['icon']).'" class="center"/>&nbsp;'.$text;
     }
 
     if ($link) {
diff --git a/include/simpleplugin/class_simplePlugin.inc b/include/simpleplugin/class_simplePlugin.inc
index 3beb15081..c4b097455 100644
--- a/include/simpleplugin/class_simplePlugin.inc
+++ b/include/simpleplugin/class_simplePlugin.inc
@@ -686,7 +686,7 @@ class simplePlugin implements SimpleTab
         }
       } elseif (!$this->is_account) {
         $plInfo = pluglist::pluginInfos(get_class($this));
-        $this->header = '<img alt="'._('Error').'" src="geticon.php?context=status&amp;icon=dialog-error&amp;size=16" align="middle"/>&nbsp;<b>'.
+        $this->header = '<img alt="'.htmlescape(_('Error')).'" src="geticon.php?context=status&amp;icon=dialog-error&amp;size=16" align="middle"/>&nbsp;<b>'.
                         msgPool::noValidExtension($plInfo['plShortName'])."</b>";
         $this->displayPlugin = FALSE;
         return $this->header.$this->inheritanceDisplay();
@@ -875,15 +875,9 @@ class simplePlugin implements SimpleTab
 
     $sections = [];
     foreach ($this->attributesInfo as $section => $sectionInfo) {
-      $legend = $sectionInfo['name'];
-      if (isset($sectionInfo['icon'])) {
-        $legend = '<img '.
-                  'src="'.htmlescape($sectionInfo['icon']).'" '.
-                  'alt="" '.
-                  '/>'.$legend;
-      }
-      $smarty->assign("section", $legend);
-      $smarty->assign("sectionId", $section);
+      $smarty->assign('section',      $sectionInfo['name']);
+      $smarty->assign('sectionIcon',  ($sectionInfo['icon'] ?? NULL));
+      $smarty->assign('sectionId',    $section);
       $sectionClasses = '';
       if (isset($sectionInfo['class'])) {
         $sectionClasses .= ' '.join(' ', $sectionInfo['class']);
diff --git a/include/simpleplugin/class_simpleTabs.inc b/include/simpleplugin/class_simpleTabs.inc
index cae6e7148..0a83ea579 100644
--- a/include/simpleplugin/class_simpleTabs.inc
+++ b/include/simpleplugin/class_simpleTabs.inc
@@ -283,9 +283,6 @@ class simpleTabs
         $title = mb_substr($title, 0, 25, 'UTF-8')."...";
       }
 
-      /* nobr causes w3c warnings so we use &nbsp; to keep the tab name in one line */
-      $title = str_replace(' ', '&nbsp;', $title);
-
       $cssClasses = $style[$index];
 
       /* Take care about notifications */
diff --git a/plugins/addons/dashboard/groups_stats.tpl b/plugins/addons/dashboard/groups_stats.tpl
index f4afd8442..f3150102a 100644
--- a/plugins/addons/dashboard/groups_stats.tpl
+++ b/plugins/addons/dashboard/groups_stats.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}"  class="plugin-section">
   <span class="legend">
-    {$section|escape}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     <img src="{$attributes.groups_stats.img|escape}" alt="group icon"/>
diff --git a/plugins/addons/dashboard/pwd_stats.tpl b/plugins/addons/dashboard/pwd_stats.tpl
index a5bc5e843..2beb83ec3 100644
--- a/plugins/addons/dashboard/pwd_stats.tpl
+++ b/plugins/addons/dashboard/pwd_stats.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}"  class="plugin-section">
   <span class="legend">
-    {$section|escape}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     <img src="{$attributes.pwds_stats.img|escape}" alt="user icon"/>
diff --git a/plugins/addons/dashboard/users_accounts.tpl b/plugins/addons/dashboard/users_accounts.tpl
index 8c9463be8..8be66f49e 100644
--- a/plugins/addons/dashboard/users_accounts.tpl
+++ b/plugins/addons/dashboard/users_accounts.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}"  class="plugin-section fullwidth">
   <span class="legend">
-    {$section|escape}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     <h1>
diff --git a/plugins/addons/dashboard/users_stats.tpl b/plugins/addons/dashboard/users_stats.tpl
index 3577f84a8..c6797eef6 100644
--- a/plugins/addons/dashboard/users_stats.tpl
+++ b/plugins/addons/dashboard/users_stats.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}"  class="plugin-section">
   <span class="legend">
-    {$section|escape}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     <img src="{$attributes.users_stats.img|escape}" alt="user icon"/>
diff --git a/plugins/generic/references/contents.tpl b/plugins/generic/references/contents.tpl
index 0a4234c79..eaf31cc3b 100644
--- a/plugins/generic/references/contents.tpl
+++ b/plugins/generic/references/contents.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section{$sectionClasses}">
   <span class="legend">
-    {$section|escape}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     {if $attributes.refs}
diff --git a/setup/setup_checks.tpl b/setup/setup_checks.tpl
index 80776db1c..8dccadf0c 100644
--- a/setup/setup_checks.tpl
+++ b/setup/setup_checks.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section">
   <span class="legend">
-    {$section}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     {foreach from=$attributes item=infos}
diff --git a/setup/setup_migrate.tpl b/setup/setup_migrate.tpl
index 346595123..8072f33bb 100644
--- a/setup/setup_migrate.tpl
+++ b/setup/setup_migrate.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section{$sectionClasses}">
   <span class="legend">
-    {$section}
+    {if $sectionIcon}<img src="{$sectionIcon|escape}" alt=""/>{/if}{$section|escape}
   </span>
   <div>
     {foreach from=$attributes item=checks}
-- 
GitLab