diff --git a/application/utils.inc.php b/application/utils.inc.php
index 204e6b5af..7ee001146 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -1638,19 +1638,47 @@ class utils
 }
 /**
- * Helper to encapsulation iTop's htmlentities
+ * @see utils::EscapeHtml to escape only characters with special meaning in HTML
+ *
 * @param string $sValue
- * @return string
+ *
+ * @return string ⚠ Warning : will escape any non us-ascii char !
+ *
+ * @link https://www.php.net/manual/fr/function.htmlentities.php
+ * @uses \htmlentities()
 */
 public static function HtmlEntities($sValue)
 {
 return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
- }
-
+ }
+
+ /**
+ * @param string $sValue
+ *
+ * @return string passed value with only characters having a special meaning in HTML escaped as entities
+ * Since 3.0.0 we were using for this {@link HtmlEntities} but it was overkill and leads to double escaping !
+ *
+ * @uses \htmlspecialchars()
+ * @link https://www.php.net/manual/fr/function.htmlspecialchars.php
+ * @since 3.0.0 N°3623
+ */
+ public static function EscapeHtml($sValue)
+ {
+ return htmlspecialchars(
+ $sValue,
+ ENT_QUOTES | ENT_DISALLOWED | ENT_HTML5,
+ WebPage::PAGES_CHARSET,
+ false
+ );
+ }
+
 /**
 * Helper to encapsulation iTop's html_entity_decode
+ *
 * @param string $sValue
+ *
 * @return string
+ * @uses \html_entity_decode()
 * @since 2.7.0
 */
 public static function HtmlEntityDecode($sValue)
diff --git a/pages/run_query.php b/pages/run_query.php
index aaa274e1e..f355888e0 100644
--- a/pages/run_query.php
+++ b/pages/run_query.php
@@ -79,8 +79,8 @@ function ShowExamples($oP, $sExpression)
 }
 //$aDisplayData[$sTopic][] = array(
 $aDisplayData[Dict::S('UI:RunQuery:QueryExamples')][] = array(
- 'desc' => "
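Review bot: `EscapeHtml` passes `ENT_QUOTES | ENT_DISALLOWED | ENT_HTML5` but not `ENT_SUBSTITUTE`, so a value that is not valid in the page charset (presumably UTF-8; `WebPage::PAGES_CHARSET` is defined outside the hunk) makes `htmlspecialchars()` return an empty string and the caller silently renders nothing — `ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML5` keeps the output and replaces the bad bytes with U+FFFD instead. The `false` fourth argument (`double_encode`) also deserves a line in the new docblock, because it changes the contract: an existing entity such as `&amp;` in `$sValue` is passed through unchanged, so the result is not a faithful encoding of the input and a later `HtmlEntityDecode()` round trip yields a bare `&` rather than the original text; suggested line: ` * Existing entities in $sValue are kept as-is (double_encode=false), so decoding the result does not give back the original string.` The new signature is untyped; `public static function EscapeHtml(string $sValue): string` would also keep `null` away from `htmlspecialchars()`, unless the class deliberately stays untyped for compatibility.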
".htmlentities($sDescription, ENT_QUOTES, 'UTF-8')."
", - 'oql' => "
".htmlentities($sOql, ENT_QUOTES, 'UTF-8')."
", + 'desc' => "
".utils::EscapeHtml($sDescription)."
", + 'oql' => "
".utils::EscapeHtml($sOql)."
", 'go' => "
$sContext
\n", ); } @@ -174,7 +174,7 @@ try $oQueryTitle = new Html('

'.Dict::S('UI:RunQuery:ExpressionToEvaluate').'

'); $oQueryForm->AddSubBlock($oQueryTitle); - $oQueryTextArea = new TextArea(utils::HtmlEntities($sExpression), 'expression', 120, 8); + $oQueryTextArea = new TextArea(utils::EscapeHtml($sExpression), 'expression', 120, 8); $oQueryTextArea->SetName('expression'); $oQueryForm->AddSubBlock($oQueryTextArea); @@ -233,11 +233,11 @@ EOF $aMoreInfoBlocks = []; $oDevelopedQuerySet = new FieldSet(Dict::S('UI:RunQuery:DevelopedQuery')); - $oDevelopedQuerySet->AddSubBlock(new Html('
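Review bot: `utils::EscapeHtml()` runs with `double_encode=false`, so an expression the user typed that already contains an entity-looking sequence (for example `LIKE '%&amp;%'`) is echoed into the textarea as `&amp;` instead of `&amp;amp;`, the browser shows it as `&`, and the next submit carries a different query than the one entered — the replaced `HtmlEntities()` call did re-encode and round-tripped the input. The same fidelity issue applies to the two `new Html('<pre>…</pre>')` blocks in the `@@ -233` hunk, where `$oFilter->ToOQL()` and `$oFilter->serialize()` are displayed. Whether `TextArea` escapes its value itself is not visible here; if it does, this call is now a double escape and the raw `$sExpression` should be passed, so the intended escaping layer deserves a comment on this line, e.g. `// TextArea expects an already HTML-escaped value`.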
'.utils::HtmlEntities($oFilter->ToOQL()).'
')); + $oDevelopedQuerySet->AddSubBlock(new Html('
'.utils::EscapeHtml($oFilter->ToOQL()).'
')); $aMoreInfoBlocks[] = $oDevelopedQuerySet; $oSerializedQuerySet = new FieldSet(Dict::S('UI:RunQuery:SerializedFilter')); - $oSerializedQuerySet->AddSubBlock(new Html('
'.utils::HtmlEntities($oFilter->serialize()).'
')); + $oSerializedQuerySet->AddSubBlock(new Html('
'.utils::EscapeHtml($oFilter->serialize()).'
')); $aMoreInfoBlocks[] = $oSerializedQuerySet; @@ -302,7 +302,7 @@ EOF $sFixedExpression = $sBefore.$sSuggestedWord.$sAfter; $sFixedExpressionHtml = $sBefore.''.$sSuggestedWord.''.$sAfter; $sSyntaxErrorText .= $oP->GetP("Suggesting: $sFixedExpressionHtml"); - $sEscapedExpression = utils::HtmlEntities(addslashes($sFixedExpression)); + $sEscapedExpression = utils::EscapeHtml(addslashes($sFixedExpression)); $sSyntaxErrorText .= $oP->GetP(<<