Skip to content
GitLab
Commit 58c9a401 authored by Cédric Anne's avatar Cédric Anne
Browse files

Fix dropdown name escaping and autonaming from templates; fixes #8818

parent 1ea5c109
Hide whitespace changes
Inline Side-by-side
inc/commondbtm.class.php
View file @ 58c9a401
......@@ -1096,14 +1096,6 @@ class CommonDBTM extends CommonGLPI {
}
}
if (isset($input['name'])) {
$input['name'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['name']));
}
if (isset($input['comments'])) {
$input['comments'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['comments']));
}
// Store input in the object to be available in all sub-method / hook
$this->input = $input;
......@@ -1456,14 +1448,6 @@ class CommonDBTM extends CommonGLPI {
return false;
}
if (isset($input['name'])) {
$input['name'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['name']));
}
if (isset($input['comments'])) {
$input['comments'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['comments']));
}
// Store input in the object to be available in all sub-method / hook
$this->input = $input;
......
inc/dbutils.class.php
View file @ 58c9a401
......@@ -1125,6 +1125,12 @@ final class DbUtils {
} else {
$name = $result['completename'];
}
// Separator is not encoded in DB, and it could not be changed as this is mandatory to be able to split tree
// correctly even if some tree elements are containing ">" char in their name (this one will be encoded).
$separator = ' > ';
$name = implode(Toolbox::clean_cross_side_scripting_deep($separator), explode($separator, $name));
if ($tooltip) {
$comment = sprintf(__('%1$s: %2$s')."<br>",
"<span class='b'>".__('Complete name')."</span>",
......
js/common.js
View file @ 58c9a401
......@@ -976,20 +976,22 @@ var typewatch = (function(){
* Function that renders select2 selections.
*/
var templateSelection = function (selection) {
var text = '';
if (!("element" in selection)) {
return selection.text;
}
// Data generated by ajax containing 'selection_text'
if (Object.prototype.hasOwnProperty.call(selection, 'selection_text')) {
return selection.selection_text;
}
// Data generated with optgroups
if (selection.element.parentElement.nodeName == 'OPTGROUP') {
return selection.element.parentElement.getAttribute('label') + ' - ' + selection.text;
text = selection.text;
} else if (Object.prototype.hasOwnProperty.call(selection, 'selection_text')) {
// Data generated by ajax containing 'selection_text'
text = selection.selection_text;
} else if (selection.element.parentElement.nodeName == 'OPTGROUP') {
// Data generated with optgroups
text = selection.element.parentElement.getAttribute('label') + ' - ' + selection.text;
} else {
// Default text
text = selection.text;
}
// Default text
return selection.text;
var _elt = $('<span></span>');
_elt.html(escapeMarkupText(text));
return _elt;
};
/**
......
tests/functionnal/Dropdown.php
View file @ 58c9a401
......@@ -122,6 +122,8 @@ class Dropdown extends DbTestCase {
public function testGetDropdownName() {
global $CFG_GLPI;
$encoded_sep = \Toolbox::clean_cross_side_scripting_deep(' > ');
$ret = \Dropdown::getDropdownName('not_a_known_table', 1);
$this->string($ret)->isIdenticalTo('&nbsp;');
......@@ -130,20 +132,20 @@ class Dropdown extends DbTestCase {
$subCat = getItemByTypeName('TaskCategory', '_subcat_1');
// basic test returns string only
$expected = $cat->fields['name']." > ".$subCat->fields['name'];
$expected = $cat->fields['name'].$encoded_sep.$subCat->fields['name'];
$ret = \Dropdown::getDropdownName('glpi_taskcategories', $subCat->getID());
$this->string($ret)->isIdenticalTo($expected);
// test of return with comments
$expected = ['name' => $cat->fields['name']." > ".$subCat->fields['name'],
'comment' => "<span class='b'>Complete name</span>: ".$cat->fields['name']." > "
$expected = ['name' => $cat->fields['name'].$encoded_sep.$subCat->fields['name'],
'comment' => "<span class='b'>Complete name</span>: ".$cat->fields['name'].$encoded_sep
.$subCat->fields['name']."<br><span class='b'>&nbsp;Comments&nbsp;</span>"
.$subCat->fields['comment']];
$ret = \Dropdown::getDropdownName( 'glpi_taskcategories', $subCat->getID(), true );
$this->array($ret)->isIdenticalTo($expected);
// test of return without $tooltip
$expected = ['name' => $cat->fields['name']." > ".$subCat->fields['name'],
$expected = ['name' => $cat->fields['name'].$encoded_sep.$subCat->fields['name'],
'comment' => $subCat->fields['comment']];
$ret = \Dropdown::getDropdownName( 'glpi_taskcategories', $subCat->getID(), true, true, false );
$this->array($ret)->isIdenticalTo($expected);
......@@ -152,7 +154,7 @@ class Dropdown extends DbTestCase {
$CFG_GLPI['translate_dropdowns'] = 1;
$_SESSION["glpilanguage"] = \Session::loadLanguage( 'fr_FR' );
$_SESSION['glpi_dropdowntranslations'] = \DropdownTranslation::getAvailableTranslations($_SESSION["glpilanguage"]);
$expected = ['name' => 'FR - _cat_1 > FR - _subcat_1',
$expected = ['name' => 'FR - _cat_1' . $encoded_sep . 'FR - _subcat_1',
'comment' => 'FR - Commentaire pour sous-catégorie _subcat_1'];
$ret = \Dropdown::getDropdownName( 'glpi_taskcategories', $subCat->getID(), true, true, false );
// switch back to default language
......@@ -793,6 +795,8 @@ class Dropdown extends DbTestCase {
}
protected function getDropdownConnectProvider() {
$encoded_sep = \Toolbox::clean_cross_side_scripting_deep('>');
return [
[
'params' => [
......@@ -806,7 +810,7 @@ class Dropdown extends DbTestCase {
'text' => '-----',
],
1 => [
'text' => 'Root entity > _test_root_entity',
'text' => "Root entity {$encoded_sep} _test_root_entity",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_all', true),
......@@ -819,7 +823,7 @@ class Dropdown extends DbTestCase {
]
],
2 => [
'text' => 'Root entity > _test_root_entity > _test_child_1',
'text' => "Root entity {$encoded_sep} _test_root_entity {$encoded_sep} _test_child_1",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_ent1', true),
......@@ -828,7 +832,7 @@ class Dropdown extends DbTestCase {
]
],
3 => [
'text' => 'Root entity > _test_root_entity > _test_child_2',
'text' => "Root entity {$encoded_sep} _test_root_entity {$encoded_sep} _test_child_2",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_ent2', true),
......@@ -856,7 +860,7 @@ class Dropdown extends DbTestCase {
'text' => '-----',
],
1 => [
'text' => 'Root entity > _test_root_entity',
'text' => "Root entity {$encoded_sep} _test_root_entity",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_all', true),
......@@ -865,7 +869,7 @@ class Dropdown extends DbTestCase {
]
],
2 => [
'text' => 'Root entity > _test_root_entity > _test_child_1',
'text' => "Root entity {$encoded_sep} _test_root_entity {$encoded_sep} _test_child_1",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_ent1', true),
......@@ -884,7 +888,7 @@ class Dropdown extends DbTestCase {
'expected' => [
'results' => [
0 => [
'text' => 'Root entity > _test_root_entity',
'text' => "Root entity {$encoded_sep} _test_root_entity",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_ent0', true),
......@@ -903,7 +907,7 @@ class Dropdown extends DbTestCase {
'expected' => [
'results' => [
0 => [
'text' => 'Root entity > _test_root_entity',
'text' => "Root entity {$encoded_sep} _test_root_entity",
'children' => [
0 => [
'id' => getItemByTypeName('Printer', '_test_printer_ent0', true),
......
tests/functionnal/NotificationTargetTicket.php
View file @ 58c9a401
......@@ -79,13 +79,14 @@ class NotificationTargetTicket extends DbTestCase {
// advanced test for ##task.categorycomment## and ##task.categoryid## tags
// test of the getDataForObject for default language en_GB
$taskcat = getItemByTypeName('TaskCategory', '_subcat_1');
$encoded_sep = \Toolbox::clean_cross_side_scripting_deep('>');
$expected = [
[
'##task.id##' => 1,
'##task.isprivate##' => 'No',
'##task.author##' => '_test_user',
'##task.categoryid##' => $taskcat->getID(),
'##task.category##' => '_cat_1 > _subcat_1',
'##task.category##' => '_cat_1 ' . $encoded_sep . ' _subcat_1',
'##task.categorycomment##' => 'Comment for sub-category _subcat_1',
'##task.date##' => '2016-10-19 11:50',
'##task.description##' => 'Task to be done',
......@@ -120,7 +121,7 @@ class NotificationTargetTicket extends DbTestCase {
'##task.isprivate##' => 'Non',
'##task.author##' => '_test_user',
'##task.categoryid##' => $taskcat->getID(),
'##task.category##' => 'FR - _cat_1 > FR - _subcat_1',
'##task.category##' => 'FR - _cat_1 ' . $encoded_sep . ' FR - _subcat_1',
'##task.categorycomment##' => 'FR - Commentaire pour sous-catégorie _subcat_1',
'##task.date##' => '2016-10-19 11:50',
'##task.description##' => 'Task to be done',
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment