N°7514 - hardening code

(cherry picked from commit b8b9423aa85c65b25f7fb3d9c5ba0933317474d7)

datamodels/2.x/itop-portal-base/portal/public/js/portal_form_field.js

@@ -35,7 +35,8 @@ $(function()
 					me.element.addClass('has-error');
 					for(var i in oResult.error_messages)
 					{
-						me.element.find('.help-block').append($('<p>' + oResult.error_messages[i] + '</p>'));
+						// transform error message in pure text to avoid XSS
+						me.element.find('.help-block').append($('<p>').text(oResult.error_messages[i]));
 					}
 				}
 			}	

datamodels/2.x/itop-portal-base/portal/public/js/portal_form_handler.js

@@ -252,7 +252,8 @@ $(function()
 										}
 										else
 										{
-											oHelpBlock.append($('<p>' + sMessageContent + '</p>'));
+											// transform error message in pure text (to avoid XSS)
+											oHelpBlock.append($('<p>').text(sMessageContent));
 										}
 									}
 								}

sources/Form/Validator/MultipleChoicesValidator.php

@@ -53,7 +53,6 @@ class MultipleChoicesValidator extends AbstractValidator
     private function CheckValueAgainstChoices(string $sValue, array &$aErrorMessages): void
     {
         if (false === array_key_exists($sValue, $this->aChoices)) {
-	        $sValue = utils::HtmlEntities($sValue);
 	        $aErrorMessages[] = "Value ({$sValue}) is not part of the field possible values list";
         }
     }

sources/Form/Validator/SelectObjectValidator.php

@@ -37,7 +37,6 @@ class SelectObjectValidator extends AbstractValidator
         $iObjectsCount = $oSetForExistingCurrentValue->CountWithLimit(1);
 
         if ($iObjectsCount === 0) {
-			$value = utils::HtmlEntities($value);
             return ["Value $value does not match the corresponding filter set"];
         }