From 2086052d60a1a5a45b1a873b332c54044c99f600 Mon Sep 17 00:00:00 2001 From: Romain Quetiez Date: Fri, 13 Jun 2025 09:55:25 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B08440=20Allow=20icon=20file=20ids=20to=20?= =?UTF-8?q?contain=20quotes,=20by=20correctly=20escaping=20language=20lite?= =?UTF-8?q?rals=20(XPath=20or=20PHP)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- core/designdocument.class.inc.php | 3 ++- setup/compiler.class.inc.php | 5 +++-- setup/modelfactory.class.inc.php | 4 ++++ 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/core/designdocument.class.inc.php b/core/designdocument.class.inc.php index 3965c68ec..ceb3fdbf0 100644 --- a/core/designdocument.class.inc.php +++ b/core/designdocument.class.inc.php @@ -501,7 +501,8 @@ class DesignElement extends \DOMElement { $sSearchId = $oRefNode->getAttribute('id'); } - $sXPath = './'.$oRefNode->tagName."[@id='$sSearchId']"; + $sQuotedId = DesignDocument::XPathQuote($sSearchId); + $sXPath = './'.$oRefNode->tagName."[@id=$sQuotedId]"; $oRes = $oXPath->query($sXPath, $oRoot); } diff --git a/setup/compiler.class.inc.php b/setup/compiler.class.inc.php index a9394931a..7013b4072 100644 --- a/setup/compiler.class.inc.php +++ b/setup/compiler.class.inc.php @@ -2652,7 +2652,7 @@ EOF if (is_null($sIconRelPath)) { $sIconRelPath = "null"; } else { - $sIconRelPath = "'$sModuleRelDir/$sIconRelPath'"; + $sIconRelPath = self::QuoteForPHP("$sModuleRelDir/$sIconRelPath"); } // CSS classes representing the element (regular and alternative) @@ -3300,7 +3300,8 @@ EOF; $sFileId = $oFileRef->getAttribute('ref'); if ($sFileId !== '') { - $oNodes = $this->oFactory->GetNodes("/itop_design/files/file[@id='$sFileId']"); + $sQuotedFileId = self::QuoteForPHP($sFileId); + $oNodes = $this->oFactory->GetNodes("/itop_design/files/file[@id=$sQuotedFileId]"); if ($oNodes->length == 0) { throw new DOMFormatException('Could not find the file with ref '.$sFileId); 
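Review bot: In the second setup/compiler.class.inc.php hunk (`@@ -3300,7 +3300,8 @@`), `$sFileId` is placed into the XPath expression passed to `GetNodes()` but is quoted with `self::QuoteForPHP()`, which by its name builds a PHP literal rather than an XPath one. XPath 1.0 string literals have no escape character, so if that helper backslash-escapes the delimiter, an id containing a quote still ends the literal early and the query is malformed or matches a different node. The core/designdocument.class.inc.php hunk in this same patch uses `DesignDocument::XPathQuote()` for the identical `[@id=...]` predicate, and the same helper looks right here: `$sQuotedFileId = \Combodo\iTop\DesignDocument::XPathQuote($sFileId);` (namespace taken from the modelfactory hunk). The body of `QuoteForPHP()` and the enclosing method both lie outside the patch, so its exact output format should be confirmed.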
diff --git a/setup/modelfactory.class.inc.php b/setup/modelfactory.class.inc.php index 21b49ec58..708adcfc1 100644 --- a/setup/modelfactory.class.inc.php +++ b/setup/modelfactory.class.inc.php @@ -2610,6 +2610,10 @@ class MFDocument extends \Combodo\iTop\DesignDocument $oResult = $oXPath->query($sXPath, $oContextNode); } + if ($oResult === false) { + throw new \Exception("Invalid XPath: $sXPath"); + } + return $oResult; }
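Review bot: The new guard throws a bare `\Exception` and reports every `false` result as "Invalid XPath", although `DOMXPath::query()` also returns `false` when the context node is invalid. A narrower type would let callers tell a model error from other failures; setup/compiler.class.inc.php in this patch already throws `DOMFormatException` for a comparable case, so something like `throw new DOMFormatException("XPath query failed: $sXPath");` would be consistent if that class is reachable here. The message interpolates `$sXPath`, which can carry ids read from the design XML, so whatever logs or renders it should encode it for that output context. The enclosing method starts outside the hunk, so the branch that assigns `$oResult` is only partly visible.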