composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Internal: Fix regression introduced during XSS protection on tag sets

Browse Source
This commit is contained in:
Molkobain
2018-12-19 11:43:50 +01:00
parent 44671a5085
commit 3219957eed
2 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
js/search/search_form_criteria_enum.js
View File

@@ -829,7 +829,7 @@ $(function()
// - Make a jQuery element for a list item
_makeListItemElement: function(sLabel, sValue, bInitChecked, bInitHidden)
{
var sEscapedLabel = $('<div />').text(sLabel).html();
var sEscapedLabel = sLabel; // Note: We don't escape this anymore as there is an issue with AttributeExternalKey being already escaped. This will be put back in iTop 2.7 with the AttributeDefinition::GetAllowedValues() refactoring. $('<div />').text(sLabel).html();
var oItemElem = $('<div></div>')
.addClass('sfc_opc_mc_item')
.attr('data-value-code', sValue)

11
sources/application/search/searchform.class.inc.php
View File

@@ -28,6 +28,7 @@ use AttributeDefinition;
use AttributeExternalField;
use AttributeFriendlyName;
use AttributeSubItem;
use AttributeTagSet;
use CMDBObjectSet;
use Combodo\iTop\Application\Search\CriterionConversion\CriterionToSearchForm;
use CoreException;
@@ -467,6 +468,16 @@ class SearchForm
return array('values' => $aAllowedValues);
}
}
elseif ($oAttrDef instanceof AttributeTagSet)
{
$aAllowedValues = array();
foreach($oAttrDef->GetAllowedValues() as $sCode => $sRawValue)
{
$aAllowedValues[$sCode] = utils::HtmlEntities($sRawValue);
}
return array('values' => $aAllowedValues);
}
else
{
if (method_exists($oAttrDef, 'GetAllowedValuesAsObjectSet'))