From e556bcc3c2eca39bfb5c5757f35b21ef340b464c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Mon, 13 Aug 2018 17:34:34 +0200
Subject: [PATCH] :ambulance: fix(departments) Escape HTML code set in
 department descriptions

issue #5868
---
 include/class_baseSelector.inc                         | 10 +++++-----
 .../admin/departments/class_departmentManagement.inc   |  5 ++---
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/include/class_baseSelector.inc b/include/class_baseSelector.inc
index 7fac5d877..0c2aa7e5e 100644
--- a/include/class_baseSelector.inc
+++ b/include/class_baseSelector.inc
@@ -238,9 +238,9 @@ class baseSelector
       $this->tree .= "<li><a$selected $link>".
                     '<img class="center" '.
                     'src="'.htmlentities($config->department_info[$base]['img'], ENT_COMPAT, 'UTF-8').'" '.
-                    'alt="'.$config->department_info[$base]['name'].'"/>&nbsp;'.
-                    $this->gennonbreaks($config->department_info[$base]['name']).
-                    ($config->department_info[$base]['description'] == '' ? '' : '&nbsp;<span class="informal">['.$this->gennonbreaks($config->department_info[$base]['description']).']</span>').
+                    'alt="'.htmlentities($config->department_info[$base]['name'], ENT_COMPAT, 'UTF-8').'"/>&nbsp;'.
+                    $this->escape($config->department_info[$base]['name']).
+                    (($config->department_info[$base]['description'] == '') ? '' : '&nbsp;<span class="informal">['.$this->escape($config->department_info[$base]['description']).']</span>').
                     '</a>';
 
       $last_indent  = $indent;
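Review bot: The new lines at L25 and L26 call `$this->escape()`, but no method of that name is defined anywhere in this patch — the only helper touched is `gennonbreaks()` in the next hunk — so this presumably relies on an `escape()` that already exists on baseSelector or a parent; worth confirming, since a missing method here is a fatal error on the first tree render. The `alt` attribute escaping with `ENT_COMPAT` is adequate only because the attribute is double-quoted; `ENT_QUOTES` would make the escaping independent of the quoting style and match the other `htmlentities` calls if they are ever changed. The enclosing method starts and ends outside this hunk, so the origin of `$selected` and `$link` cannot be checked from here.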
@@ -267,13 +267,13 @@ class baseSelector
 
 
   /*!
-   * \brief Replace all space of the string by non-breaking space
+   * \brief Replace all space of the string by non-breaking space and escapes HTML
    *
    * \param String $string The string which his space will be replaced
    */
   function gennonbreaks($string)
   {
-    return str_replace('-', '&#8209;', str_replace(' ', '&nbsp;', $string));
+    return str_replace(' ', '&nbsp;', htmlentities($string, ENT_COMPAT, 'UTF-8'));
   }
 
   /*!
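Review bot: The rewritten `gennonbreaks()` at L42 silently drops the `'-'` → `&#8209;` (non-breaking hyphen) replacement that the removed L41 performed; that is a behaviour change beyond the escaping the commit describes, and neither the commit message nor the updated brief mentions it. If the drop is unintended, `return str_replace(array(' ', '-'), array('&nbsp;', '&#8209;'), htmlentities($string, ENT_COMPAT, 'UTF-8'));` keeps both replacements after escaping. Either way the brief at L35 should read `\brief Replaces all spaces of the string by non-breaking spaces and escapes HTML` and, if the hyphen handling is gone on purpose, say so.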
diff --git a/plugins/admin/departments/class_departmentManagement.inc b/plugins/admin/departments/class_departmentManagement.inc
index 38d5c44de..9594925a1 100644
--- a/plugins/admin/departments/class_departmentManagement.inc
+++ b/plugins/admin/departments/class_departmentManagement.inc
@@ -93,10 +93,9 @@ class departmentManagement extends simpleManagement
   {
     $ou = $ou[0];
     if ($dn == $base) {
-      $ou = ".";
+      $ou = '.';
     }
-    $dn = func_get_arg(1);
-    return "<a href='?plug=".$_GET['plug']."&amp;PID=$pid&amp;act=listing_open_$row' title='$dn'>$ou</a>";
+    return '<a href="?plug='.$_GET['plug'].'&amp;PID='.$pid.'&amp;act=listing_open_'.$row.'" title="'.htmlentities($dn, ENT_COMPAT, 'UTF-8').'">'.htmlentities($ou, ENT_COMPAT, 'UTF-8').'</a>';
   }
 
   // Finally remove departments and update departmnet browsers
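Review bot: The new L59 still writes `$_GET['plug']` unescaped into the `href` attribute while escaping `$dn` and `$ou` beside it; in a commit whose purpose is HTML escaping, that request parameter should get the same treatment: `return '<a href="?plug='.htmlentities($_GET['plug'], ENT_COMPAT, 'UTF-8').'&amp;PID='.$pid.'&amp;act=listing_open_'.$row.'" title="'.htmlentities($dn, ENT_COMPAT, 'UTF-8').'">'.htmlentities($ou, ENT_COMPAT, 'UTF-8').'</a>';`. `$pid` and `$row` are also interpolated raw; their origin is not visible here, so whether they need escaping depends on where they come from. The enclosing method's signature is outside the hunk, so the removal of `func_get_arg(1)` cannot be checked against the parameter list from this view.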
-- 
GitLab