From cb71ee0e6939c3ac80c1374268b0d68ad7f513b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Mon, 13 Aug 2018 17:34:34 +0200
Subject: [PATCH] :ambulance: fix(departments) Escape HTML code set in department descriptions issue #5868
---
 include/class_baseSelector.inc | 12 ++++++------
 .../admin/departments/class_departmentManagement.inc | 5 ++---
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/include/class_baseSelector.inc b/include/class_baseSelector.inc
index 7fac5d877..344776ee7 100644
--- a/include/class_baseSelector.inc
+++ b/include/class_baseSelector.inc
@@ -238,9 +238,9 @@ class baseSelector
 $this->tree .= "<li><a$selected $link>".
 '<img class="center" '.
 'src="'.htmlentities($config->department_info[$base]['img'], ENT_COMPAT, 'UTF-8').'" '.
- 'alt="'.$config->department_info[$base]['name'].'"/> '.
- $this->gennonbreaks($config->department_info[$base]['name']).
- ($config->department_info[$base]['description'] == '' ? '' : ' <span class="informal">['.$this->gennonbreaks($config->department_info[$base]['description']).']</span>').
+ 'alt="'.htmlentities($config->department_info[$base]['name'], ENT_COMPAT, 'UTF-8').'"/> '.
+ $this->escape($config->department_info[$base]['name']).
+ (($config->department_info[$base]['description'] == '') ? '' : ' <span class="informal">['.$this->escape($config->department_info[$base]['description']).']</span>').
 '</a>';
 $last_indent = $indent;
@@ -267,13 +267,13 @@ class baseSelector
 /*!
- * \brief Replace all space of the string by non-breaking space
+ * \brief Replace all space of the string by non-breaking space and escapes HTML
 *
 * \param String $string The string which his space will be replaced
 */
- function gennonbreaks($string)
+ function escape($string)
 {
- return str_replace('-', '‑', str_replace(' ', ' ', $string));
+ return str_replace(' ', ' ', htmlentities($string, ENT_COMPAT, 'UTF-8'));
 }
 /*!
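Review bot: The opening `"<li><a$selected $link>"` on the first context line of this hunk still interpolates `$selected` and `$link` raw, while every other fragment of the tag is now routed through htmlentities() or `$this->escape()`. Both variables are assembled above the hunk, so I cannot see whether `$link` embeds `$base` (apparently a DN, which may legitimately contain quotes) already attribute-escaped. If it does, a one-line comment at the top of this statement such as `// $selected and $link are attribute-escaped where they are built above` would spare the next reader the same check; if it does not, `$base` should receive the same `htmlentities(..., ENT_COMPAT, 'UTF-8')` treatment before it is embedded. The enclosing method begins and ends outside this hunk.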
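Review bot: `escape()` is now a general-purpose HTML escaper, but the `ENT_COMPAT` flag on the new `return` line converts only double quotes, so any future caller that drops the result into a single-quoted attribute gets no protection; for the two current call sites in the previous hunk (a text node and a double-quoted `alt`) it is sufficient. Using `ENT_QUOTES | ENT_SUBSTITUTE` would close that gap and also stop htmlentities() from returning an empty string when a department name or description contains an invalid UTF-8 sequence, which with the current flags silently blanks the entry rather than failing visibly (ENT_SUBSTITUTE needs PHP 5.4+, which I assume this code base already requires): `return str_replace(' ', ' ', htmlentities($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`. Separately, the removed body also turned `-` into a non-breaking hyphen and the new one drops that without the subject line mentioning it; if intentional, the `\brief` should say so, e.g. `\brief Escape HTML and replace spaces by non-breaking spaces (hyphens are left as-is)`.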
diff --git a/plugins/admin/departments/class_departmentManagement.inc b/plugins/admin/departments/class_departmentManagement.inc
index 38d5c44de..9594925a1 100644
--- a/plugins/admin/departments/class_departmentManagement.inc
+++ b/plugins/admin/departments/class_departmentManagement.inc
@@ -93,10 +93,9 @@ class departmentManagement extends simpleManagement {
 $ou = $ou[0];
 if ($dn == $base) {
- $ou = ".";
+ $ou = '.';
 }
- $dn = func_get_arg(1);
- return "<a href='?plug=".$_GET['plug']."&PID=$pid&act=listing_open_$row' title='$dn'>$ou</a>";
+ return '<a href="?plug='.$_GET['plug'].'&PID='.$pid.'&act=listing_open_'.$row.'" title="'.htmlentities($dn, ENT_COMPAT, 'UTF-8').'">'.htmlentities($ou, ENT_COMPAT, 'UTF-8').'</a>';
 }
 // Finally remove departments and update departmnet browsers
-- GitLab
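Review bot: `$_GET['plug']` is concatenated unescaped into the double-quoted `href` on the new `return` line, so a `"` in the request's `plug` parameter terminates the attribute value even though `$dn` and `$ou` are now escaped; `$pid` and `$row` are likewise raw, though they come from the caller rather than the request. If `plug` is always a numeric plugin index, casting is the simplest fix, `$plug = (int) $_GET['plug'];` followed by `'<a href="?plug='.$plug.'&PID='.$pid.'&act=listing_open_'.$row.'" title="'...`; otherwise pass it through the same `htmlentities(..., ENT_COMPAT, 'UTF-8')` as `$dn`. The `&` separators in the href would be `&amp;` in strict HTML, which browsers tolerate but validators will not. The enclosing function begins above this hunk, so the provenance of `$dn`, `$pid` and `$row` is not visible here.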