Commit ccf68589 authored by Côme Chilliet's avatar Côme Chilliet

Merge branch '5868-html-is-not-escaped-in-departments-descriptions' into '1.2.1-fixes'

Resolve "HTML is not escaped in departments descriptions" in 1.2.1-fixes

See merge request fusiondirectory/fd!359
Showing with 8 additions and 9 deletions
+8 -9
...@@ -238,9 +238,9 @@ class baseSelector ...@@ -238,9 +238,9 @@ class baseSelector
$this->tree .= "<li><a$selected $link>". $this->tree .= "<li><a$selected $link>".
'<img class="center" '. '<img class="center" '.
'src="'.htmlentities($config->department_info[$base]['img'], ENT_COMPAT, 'UTF-8').'" '. 'src="'.htmlentities($config->department_info[$base]['img'], ENT_COMPAT, 'UTF-8').'" '.
'alt="'.$config->department_info[$base]['name'].'"/>&nbsp;'. 'alt="'.htmlentities($config->department_info[$base]['name'], ENT_COMPAT, 'UTF-8').'"/>&nbsp;'.
$this->gennonbreaks($config->department_info[$base]['name']). $this->escape($config->department_info[$base]['name']).
($config->department_info[$base]['description'] == '' ? '' : '&nbsp;<span class="informal">['.$this->gennonbreaks($config->department_info[$base]['description']).']</span>'). (($config->department_info[$base]['description'] == '') ? '' : '&nbsp;<span class="informal">['.$this->escape($config->department_info[$base]['description']).']</span>').
'</a>'; '</a>';
$last_indent = $indent; $last_indent = $indent;
...@@ -267,13 +267,13 @@ class baseSelector ...@@ -267,13 +267,13 @@ class baseSelector
/*! /*!
* \brief Replace all space of the string by non-breaking space * \brief Replace all space of the string by non-breaking space and escapes HTML
* *
* \param String $string The string which his space will be replaced * \param String $string The string which his space will be replaced
*/ */
function gennonbreaks($string) function escape($string)
{ {
return str_replace('-', '&#8209;', str_replace(' ', '&nbsp;', $string)); return str_replace(' ', '&nbsp;', htmlentities($string, ENT_COMPAT, 'UTF-8'));
} }
/*! /*!
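Review bot: The new `escape()` helper in the second hunk calls `htmlentities($string, ENT_COMPAT, 'UTF-8')`, which leaves single quotes unescaped; because the method is now a general-purpose escaper rather than a spacing helper, a future caller that drops its output into a single-quoted attribute would not be protected, so `return str_replace(' ', '&nbsp;', htmlentities($string, ENT_QUOTES, 'UTF-8'));` is the safer default (the callers in the first hunk use double-quoted attributes and element content, so they are unaffected). The rename from `gennonbreaks` also silently drops the old replacement of `-` with `&#8209;`, so department names containing hyphens may now wrap at the hyphen; if that is intended the docblock should say so, and any caller of `gennonbreaks` outside this diff would need updating. The `\param` line reads awkwardly; suggest `\param String $string The string to HTML-escape, whose spaces are then replaced by non-breaking spaces`. In the first hunk, `$config->department_info[$base]['description'] == ''` is a loose comparison; `=== ''` states the intent (a null description would then need its own check before being passed to `escape()`).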
...@@ -93,10 +93,9 @@ class departmentManagement extends simpleManagement ...@@ -93,10 +93,9 @@ class departmentManagement extends simpleManagement
{ {
$ou = $ou[0]; $ou = $ou[0];
if ($dn == $base) { if ($dn == $base) {
$ou = "."; $ou = '.';
} }
$dn = func_get_arg(1); return '<a href="?plug='.$_GET['plug'].'&amp;PID='.$pid.'&amp;act=listing_open_'.$row.'" title="'.htmlentities($dn, ENT_COMPAT, 'UTF-8').'">'.htmlentities($ou, ENT_COMPAT, 'UTF-8').'</a>';
return "<a href='?plug=".$_GET['plug']."&amp;PID=$pid&amp;act=listing_open_$row' title='$dn'>$ou</a>";
} }
// Finally remove departments and update departmnet browsers // Finally remove departments and update departmnet browsers
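Review bot: The rewritten return on the new side still concatenates `$_GET['plug']` unescaped into the `href` attribute while escaping `$dn` and `$ou` next to it, so request-controlled input reaches the markup even though this commit is about escaping department output; `'<a href="?plug='.htmlentities($_GET['plug'], ENT_COMPAT, 'UTF-8').'&amp;PID='.$pid.'&amp;act=listing_open_'.$row.'" title="'...` closes that gap, or cast to int if `plug` is always numeric in this code base. `$pid` and `$row` are also inserted raw; they come from outside the hunk, so whether they are integers or already escaped cannot be confirmed here. The dropped `$dn = func_get_arg(1);` is only a no-op if `$dn` is already the second parameter, which the signature above the hunk would confirm. The enclosing function starts before the hunk.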