From 2804076bf64f42e68430e786f547eea229f5a2bd Mon Sep 17 00:00:00 2001
From: Eric Espie
Date: Tue, 18 Jun 2024 17:40:20 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B07514=20-=20hardening=20code?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(cherry picked from commit b8b9423aa85c65b25f7fb3d9c5ba0933317474d7)
---
 .../2.x/itop-portal-base/portal/public/js/portal_form_field.js | 3 ++-
 .../itop-portal-base/portal/public/js/portal_form_handler.js | 3 ++-
 sources/Form/Validator/MultipleChoicesValidator.php | 1 -
 sources/Form/Validator/SelectObjectValidator.php | 1 -
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_field.js b/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_field.js
index ff1a9dd9a..fc87487af 100644
--- a/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_field.js
+++ b/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_field.js
@@ -35,7 +35,8 @@ $(function()
 me.element.addClass('has-error');
 for(var i in oResult.error_messages)
 {
- me.element.find('.help-block').append($('

' + oResult.error_messages[i] + '

'));
+ // transform error message in pure text to avoid XSS
+ me.element.find('.help-block').append($('

').text(oResult.error_messages[i]));
 }
 }
 }
diff --git a/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_handler.js b/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_handler.js
index c65010618..1b1843cf6 100644
--- a/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_handler.js
+++ b/datamodels/2.x/itop-portal-base/portal/public/js/portal_form_handler.js
@@ -252,7 +252,8 @@ $(function()
 }
 else
 {
- oHelpBlock.append($('
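Review bot: The added `.text(...)` call makes every entry of `oResult.error_messages` render as literal text, so a message that legitimately carried markup (a line break, a link) will now show its tags verbatim; that is the right trade-off for untrusted server text, but it is a contract change worth stating next to the new comment, e.g. `// error_messages are untrusted plain text: never render them with .html() or string concatenation`. The loop is still `for(var i in oResult.error_messages)`, which also walks any enumerable property another script has added to Array.prototype; since jQuery is already in scope, `$.each(oResult.error_messages, function (_, sMessage) { ... })` iterates only the messages. The element tag inside the `$('...')` calls appears to have been lost in extraction, and the enclosing callback starts and ends outside the hunk.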

' + sMessageContent + '

'));
+ // transform error message in pure text (to avoid XSS)
+ oHelpBlock.append($('

').text(sMessageContent));
 }
 }
 }
diff --git a/sources/Form/Validator/MultipleChoicesValidator.php b/sources/Form/Validator/MultipleChoicesValidator.php
index 1c34eb6cc..769a45d30 100644
--- a/sources/Form/Validator/MultipleChoicesValidator.php
+++ b/sources/Form/Validator/MultipleChoicesValidator.php
@@ -53,7 +53,6 @@ class MultipleChoicesValidator extends AbstractValidator
 private function CheckValueAgainstChoices(string $sValue, array &$aErrorMessages): void
 {
 if (false === array_key_exists($sValue, $this->aChoices)) {
- $sValue = utils::HtmlEntities($sValue);
 $aErrorMessages[] = "Value ({$sValue}) is not part of the field possible values list";
 }
 }
diff --git a/sources/Form/Validator/SelectObjectValidator.php b/sources/Form/Validator/SelectObjectValidator.php
index 3794a353e..a4d0c69cd 100644
--- a/sources/Form/Validator/SelectObjectValidator.php
+++ b/sources/Form/Validator/SelectObjectValidator.php
@@ -37,7 +37,6 @@ class SelectObjectValidator extends AbstractValidator
 $iObjectsCount = $oSetForExistingCurrentValue->CountWithLimit(1);
 if ($iObjectsCount === 0) {
- $value = utils::HtmlEntities($value);
 return ["Value $value does not match the corresponding filter set"];
 }
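Review bot: Only the `else` branch of this block now escapes `sMessageContent`; the `if` branch that precedes it and whatever builds `sMessageContent` are outside the hunk, so it is not visible here whether that other path still hands raw server text to the DOM, and that should be checked before treating the XSS as closed. The same create-element-then-`.text(message)` pattern is now duplicated in portal_form_field.js; a single shared helper such as `function appendErrorMessage(oBlock, sMessage) { oBlock.append($(sErrorTag).text(sMessage)); }` would keep the two sites from drifting back to string concatenation. The enclosing callback starts and ends outside the hunk.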
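Review bot: Dropping `utils::HtmlEntities($sValue)` means the message pushed into `$aErrorMessages` now embeds the raw, unescaped submitted value, so the validator's contract silently changes from "HTML-safe message" to "plain-text message that every consumer must escape for its own output context"; the portal JS is fixed in this commit, but any other renderer of these messages (console views, mails, logs) that relied on the old escaping is not visible here and should be audited. That contract belongs in the code, e.g. `// Plain text containing the raw submitted value: the renderer MUST escape it for its output context (HTML, JS, ...)` above the `$aErrorMessages[]` line, and ideally on the documented return of the validator base class. The method's `{$sValue}` interpolation is otherwise unchanged and the whole method is visible in the hunk.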