fix(departments) Escape HTML code set in department descriptions

issue #5868

fix(departments) Escape HTML code set in department descriptions
issue #5868
71a226e1 · Côme Chilliet · 561201eb · 71a226e1
Commit 71a226e1 authored 6 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 6 additions and 6 deletions
+6 -6
--- a/include/class_baseSelector.inc
+++ b/include/class_baseSelector.inc
@@ -238,9 +238,9 @@ class baseSelector
      $this->tree .= "<li><a$selected $link>".
                    '<img class="center" '.
                    'src="'.htmlentities($config->department_info[$base]['img'], ENT_COMPAT, 'UTF-8').'" '.
-                    'alt="'.$config->department_info[$base]['name'].'"/>&nbsp;'.
+                    'alt="'.htmlentities($config->department_info[$base]['name'], ENT_COMPAT, 'UTF-8').'"/>&nbsp;'.
-                    $this->gennonbreaks($config->department_info[$base]['name']).
+                    $this->escape($config->department_info[$base]['name']).
-                    ($config->department_info[$base]['description'] == '' ? '' : '&nbsp;<span class="informal">['.$this->gennonbreaks($config->department_info[$base]['description']).']</span>').
+                    (($config->department_info[$base]['description'] == '') ? '' : '&nbsp;<span class="informal">['.$this->escape($config->department_info[$base]['description']).']</span>').
                    '</a>';
      $last_indent  = $indent;
@@ -267,13 +267,13 @@ class baseSelector
  /*!
-   * \brief Replace all space of the string by non-breaking space
+   * \brief Replace all space of the string by non-breaking space and escapes HTML
   *
   * \param String $string The string which his space will be replaced
   */
-  function gennonbreaks($string)
+  function escape($string)
  {
-    return str_replace('-', '&#8209;', str_replace(' ', '&nbsp;', $string));
+    return str_replace(' ', '&nbsp;', htmlentities($string, ENT_COMPAT, 'UTF-8'));
  }
  /*!