From 3219957eed68db40944c34755a0ee706133c7a06 Mon Sep 17 00:00:00 2001
From: Molkobain
Date: Wed, 19 Dec 2018 11:43:50 +0100
Subject: [PATCH] Internal: Fix regression introduced during XSS protection on tag sets

---
 js/search/search_form_criteria_enum.js | 2 +-
 sources/application/search/searchform.class.inc.php | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/js/search/search_form_criteria_enum.js b/js/search/search_form_criteria_enum.js
index 0f64ceb6e..abec2c50e 100644
--- a/js/search/search_form_criteria_enum.js
+++ b/js/search/search_form_criteria_enum.js
@@ -829,7 +829,7 @@ $(function()
 // - Make a jQuery element for a list item
 _makeListItemElement: function(sLabel, sValue, bInitChecked, bInitHidden)
 {
- var sEscapedLabel = $('
').text(sLabel).html(); + var sEscapedLabel = sLabel; // Note: We don't escape this anymore as there is an issue with AttributeExternalKey being already escaped. This will be put back in iTop 2.7 with the AttributeDefinition::GetAllowedValues() refactoring. $('
').text(sLabel).html(); var oItemElem = $('
')
 .addClass('sfc_opc_mc_item')
 .attr('data-value-code', sValue)
diff --git a/sources/application/search/searchform.class.inc.php b/sources/application/search/searchform.class.inc.php
index 6f7acd285..536af6ad5 100644
--- a/sources/application/search/searchform.class.inc.php
+++ b/sources/application/search/searchform.class.inc.php
@@ -28,6 +28,7 @@ use AttributeDefinition;
 use AttributeExternalField;
 use AttributeFriendlyName;
 use AttributeSubItem;
+use AttributeTagSet;
 use CMDBObjectSet;
 use Combodo\iTop\Application\Search\CriterionConversion\CriterionToSearchForm;
 use CoreException;
@@ -467,6 +468,16 @@ class SearchForm
 return array('values' => $aAllowedValues); } } +elseif ($oAttrDef instanceof AttributeTagSet) { $aAllowedValues = array(); foreach($oAttrDef->GetAllowedValues() as $sCode => $sRawValue) { $aAllowedValues[$sCode] = utils::HtmlEntities($sRawValue); } return array('values' => $aAllowedValues); } else { if (method_exists($oAttrDef, 'GetAllowedValuesAsObjectSet'))
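Review bot: The new `var sEscapedLabel = sLabel;` line switches off HTML escaping for every label that reaches `_makeListItemElement`, so the function is now only safe if every server-side allowed-values provider escapes before sending; this patch adds that for AttributeTagSet only, and the comment itself says AttributeExternalKey merely happens to be pre-escaped, so any other attribute type whose `GetAllowedValues()` returns raw labels would be inserted as markup. Disabling the client-side escape to work around double-encoding at one source is the riskier direction; if it has to stay disabled, the contract should be stated where the variable is built, e.g. `var sEscapedLabel = sLabel; // MUST already be HTML-escaped by the server (GetAllowedValues); client-side escaping removed because AttributeExternalKey values arrived double-encoded. Restore in 2.7.`, and the dead remnant `$('…').text(sLabel).html();` left trailing inside the comment should be deleted rather than kept as comment text. The rest of the method, including where `sEscapedLabel` is inserted into the DOM, lies outside the hunk, so the actual sink cannot be confirmed from here.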
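Review bot: The `utils::HtmlEntities($sRawValue)` call in the new `AttributeTagSet` branch is now a security contract with the JavaScript side, which no longer escapes labels, but nothing in the code records that, so a maintainer refactoring `GetAllowedValues()` in 2.7 could drop the call without realising it reopens the XSS the original tag-set fix closed. Add a why-comment above the loop, e.g. `// Escape here: search_form_criteria_enum.js (_makeListItemElement) inserts these labels as HTML without escaping them.`. It is also worth confirming that `utils` resolves in this namespaced file (the visible `use` block does not import it, though it may be imported outside the hunk) and that `utils::HtmlEntities()` escapes quotes as well, since a label could end up inside an attribute. The enclosing method starts and ends outside the hunk, and the `else` branch that follows (the `GetAllowedValuesAsObjectSet` path) is not touched by this patch, so whether its labels are escaped cannot be confirmed from here.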