XSS: Correctly escape the name of an object when it is displayed within a hyperlink

SVN:trunk[3994]
Romain Quetiez
2016-04-11 11:51:59 +00:00
parent e877ec431f
commit 25287a8c04


@@ -812,7 +812,7 @@ abstract class DBObject implements iDisplay
$oTmpObj = MetaModel::GetObject($sObjClass, $sObjKey, false);
if (is_object($oTmpObj))
{
$sLabel = $oTmpObj->GetName();
$sLabel = htmlentities($oTmpObj->GetName(), ENT_QUOTES, 'UTF-8');
}
else
{
@@ -821,6 +821,10 @@ abstract class DBObject implements iDisplay
}
//$sLabel = MetaModel::GetName($sObjClass)." #$sObjKey";
}
else
{
$sLabel = htmlentities($sLabel, ENT_QUOTES, 'UTF-8');
}
$sHint = MetaModel::GetName($sObjClass)."::$sObjKey";
$sUrl = ApplicationContext::MakeObjectUrl($sObjClass, $sObjKey, $sUrlMakerClass, $bWithNavigationContext);
if (strlen($sUrl) > 0)
@@ -3410,7 +3414,7 @@ abstract class DBObject implements iDisplay
{
throw new Exception("Unknown method ".get_class($this)."::".$sMethod.'()');
}
// Note: $oObjectToRead has been preserved when adding $aSourceObjects, so as to remain backward compatible with methods having only 1 parameter ($oObjectToReadà
// Note: $oObjectToRead has been preserved when adding $aSourceObjects, so as to remain backward compatible with methods having only 1 parameter ($oObjectToRead<EFBFBD>
call_user_func($aCallSpec, $oObjectToRead, $aSourceObjects);
break;