composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°3623 new \utils::EscapeHtml method

Browse Source
This commit is contained in:
Pierre Goiffon
2021-01-13 15:49:39 +01:00
parent 958566da61
commit 09e531f11c
3 changed files with 40 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
application/utils.inc.php
View File

@@ -1638,19 +1638,47 @@ class utils
} }
/** /**
* Helper to encapsulation iTop's htmlentities * @see utils::EscapeHtml to escape only characters with special meaning in HTML
*
* @param string $sValue * @param string $sValue
* @return string *
* @return string ⚠ Warning : will escape any non us-ascii char !
*
* @link https://www.php.net/manual/fr/function.htmlentities.php
* @uses \htmlentities()
*/ */
public static function HtmlEntities($sValue) public static function HtmlEntities($sValue)
{ {
return htmlentities($sValue, ENT_QUOTES, 'UTF-8'); return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
} }
/**
* @param string $sValue
*
* @return string passed value with only characters having a special meaning in HTML escaped as entities
* Since 3.0.0 we were using for this {@link HtmlEntities} but it was overkill and leads to double escaping !
*
* @uses \htmlspecialchars()
* @link https://www.php.net/manual/fr/function.htmlspecialchars.php
* @since 3.0.0 N°3623
*/
public static function EscapeHtml($sValue)
{
return htmlspecialchars(
$sValue,
ENT_QUOTES | ENT_DISALLOWED | ENT_HTML5,
WebPage::PAGES_CHARSET,
false
);
}
/** /**
* Helper to encapsulation iTop's html_entity_decode * Helper to encapsulation iTop's html_entity_decode
*
* @param string $sValue * @param string $sValue
*
* @return string * @return string
* @uses \html_entity_decode()
* @since 2.7.0 * @since 2.7.0
*/ */
public static function HtmlEntityDecode($sValue) public static function HtmlEntityDecode($sValue)

12
pages/run_query.php
View File

@@ -79,8 +79,8 @@ function ShowExamples($oP, $sExpression)
} }
//$aDisplayData[$sTopic][] = array( //$aDisplayData[$sTopic][] = array(
$aDisplayData[Dict::S('UI:RunQuery:QueryExamples')][] = array( $aDisplayData[Dict::S('UI:RunQuery:QueryExamples')][] = array(
'desc' => "<div style=\"$sHighlight\">".htmlentities($sDescription, ENT_QUOTES, 'UTF-8')."</div>", 'desc' => "<div style=\"$sHighlight\">".utils::EscapeHtml($sDescription)."</div>",
'oql' => "<div style=\"$sHighlight\">".htmlentities($sOql, ENT_QUOTES, 'UTF-8')."</div>", 'oql' => "<div style=\"$sHighlight\">".utils::EscapeHtml($sOql)."</div>",
'go' => "<form method=\"get\"><input type=\"hidden\" name=\"expression\" value=\"$sOql\"><input type=\"submit\" value=\"".Dict::S('UI:Button:Test')."\" $sDisable>$sContext</form>\n", 'go' => "<form method=\"get\"><input type=\"hidden\" name=\"expression\" value=\"$sOql\"><input type=\"submit\" value=\"".Dict::S('UI:Button:Test')."\" $sDisable>$sContext</form>\n",
); );
} }
@@ -174,7 +174,7 @@ try
$oQueryTitle = new Html('<h2>'.Dict::S('UI:RunQuery:ExpressionToEvaluate').'</h2>'); $oQueryTitle = new Html('<h2>'.Dict::S('UI:RunQuery:ExpressionToEvaluate').'</h2>');
$oQueryForm->AddSubBlock($oQueryTitle); $oQueryForm->AddSubBlock($oQueryTitle);
$oQueryTextArea = new TextArea(utils::HtmlEntities($sExpression), 'expression', 120, 8); $oQueryTextArea = new TextArea(utils::EscapeHtml($sExpression), 'expression', 120, 8);
$oQueryTextArea->SetName('expression'); $oQueryTextArea->SetName('expression');
$oQueryForm->AddSubBlock($oQueryTextArea); $oQueryForm->AddSubBlock($oQueryTextArea);
@@ -233,11 +233,11 @@ EOF
$aMoreInfoBlocks = []; $aMoreInfoBlocks = [];
$oDevelopedQuerySet = new FieldSet(Dict::S('UI:RunQuery:DevelopedQuery')); $oDevelopedQuerySet = new FieldSet(Dict::S('UI:RunQuery:DevelopedQuery'));
$oDevelopedQuerySet->AddSubBlock(new Html('<pre>'.utils::HtmlEntities($oFilter->ToOQL()).'</pre>')); $oDevelopedQuerySet->AddSubBlock(new Html('<pre>'.utils::EscapeHtml($oFilter->ToOQL()).'</pre>'));
$aMoreInfoBlocks[] = $oDevelopedQuerySet; $aMoreInfoBlocks[] = $oDevelopedQuerySet;
$oSerializedQuerySet = new FieldSet(Dict::S('UI:RunQuery:SerializedFilter')); $oSerializedQuerySet = new FieldSet(Dict::S('UI:RunQuery:SerializedFilter'));
$oSerializedQuerySet->AddSubBlock(new Html('<pre>'.utils::HtmlEntities($oFilter->serialize()).'</pre>')); $oSerializedQuerySet->AddSubBlock(new Html('<pre>'.utils::EscapeHtml($oFilter->serialize()).'</pre>'));
$aMoreInfoBlocks[] = $oSerializedQuerySet; $aMoreInfoBlocks[] = $oSerializedQuerySet;
@@ -302,7 +302,7 @@ EOF
$sFixedExpression = $sBefore.$sSuggestedWord.$sAfter; $sFixedExpression = $sBefore.$sSuggestedWord.$sAfter;
$sFixedExpressionHtml = $sBefore.'<span style="background-color:yellow">'.$sSuggestedWord.'</span>'.$sAfter; $sFixedExpressionHtml = $sBefore.'<span style="background-color:yellow">'.$sSuggestedWord.'</span>'.$sAfter;
$sSyntaxErrorText .= $oP->GetP("Suggesting: $sFixedExpressionHtml"); $sSyntaxErrorText .= $oP->GetP("Suggesting: $sFixedExpressionHtml");
$sEscapedExpression = utils::HtmlEntities(addslashes($sFixedExpression)); $sEscapedExpression = utils::EscapeHtml(addslashes($sFixedExpression));
$sSyntaxErrorText .= $oP->GetP(<<<HTML $sSyntaxErrorText .= $oP->GetP(<<<HTML
<button onClick="$('textarea[name=expression]') <button onClick="$('textarea[name=expression]')
.val('$sEscapedExpression') .val('$sEscapedExpression')

4
sources/application/WebPage/iTopWebPage.php
View File

@@ -630,8 +630,8 @@ JS
$aNewEntry = [ $aNewEntry = [
'id' => $this->sBreadCrumbEntryId, 'id' => $this->sBreadCrumbEntryId,
'url' => $this->sBreadCrumbEntryUrl, 'url' => $this->sBreadCrumbEntryUrl,
'label' => utils::HtmlEntities($this->sBreadCrumbEntryLabel), 'label' => utils::EscapeHtml($this->sBreadCrumbEntryLabel),
'description' => utils::HtmlEntities($this->sBreadCrumbEntryDescription), 'description' => utils::EscapeHtml($this->sBreadCrumbEntryDescription),
'icon' => $this->sBreadCrumbEntryIcon, 'icon' => $this->sBreadCrumbEntryIcon,
'icon_type' => $this->sBreadCrumbEntryIconType, 'icon_type' => $this->sBreadCrumbEntryIconType,
]; ];