N°2735 - Add new sanitize filter ('element_identifier') for dashboard identifier

Molkobain
2020-02-26 11:11:03 +01:00
parent 3e5520d079
commit 5a01a76f80
4 changed files with 13 additions and 7 deletions


@@ -842,7 +842,7 @@ class RuntimeDashboard extends Dashboard
if (!$bEditMode && !$oPage->IsPrintableVersion())
{
$sId = $this->GetId();
$sDivId = preg_replace('/[^a-zA-Z0-9_]/', '', $sId);
$sDivId = utils::Sanitize($sId, '', 'element_identifier');
if ($this->GetAutoReload())
{
$sFile = addslashes($this->GetDefinitionFile());
@@ -905,7 +905,7 @@ EOF
protected function RenderSelector($oPage, $aAjaxParams = array())
{
$sId = $this->GetId();
$sDivId = preg_replace('/[^a-zA-Z0-9_]/', '', $sId);
$sDivId = utils::Sanitize($sId, '', 'element_identifier');
$sExtraParams = json_encode($aAjaxParams);
$sSelectorHtml = '<div class="dashboard-selector">';
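Review bot: The identical derivation `$sDivId = utils::Sanitize($sId, '', 'element_identifier');` now appears in both hunks of this file, and again in the menu node and the AJAX handlers. The DOM id and the `dashboard_div_id` handed to the reload code therefore only agree while every copy keeps the same filter name. A small protected accessor on the class (the name is only a suggestion), `protected function GetSanitizedId() { return utils::Sanitize($this->GetId(), '', 'element_identifier'); }`, would give the two methods here a single source of truth. Both enclosing methods continue outside the hunks, so how `$sDivId` is used further down is not visible.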


@@ -1190,7 +1190,7 @@ class DashboardMenuNode extends MenuNode
$oDashboard = $this->GetDashboard();
if ($oDashboard != null)
{
$sDivId = preg_replace('/[^a-zA-Z0-9_]/', '', $this->sMenuId);
$sDivId = utils::Sanitize($this->sMenuId, '', 'element_identifier');
$oPage->add('<div class="dashboard_contents" id="'.$sDivId.'">');
$aExtraParams['dashboard_div_id'] = $sDivId;
$oDashboard->SetReloadURL($this->GetHyperlink($aExtraParams));


@@ -275,13 +275,14 @@ class utils
/**
* @param string|string[] $value
* @param string $sSanitizationFilter one of : integer, class, string, context_param, parameter, field_name,
* transaction_id, parameter, raw_data
* element_identifier, transaction_id, parameter, raw_data
*
* @return string|string[]|bool boolean for :
* * the 'class' filter (true if valid, false otherwise)
* * if the filter fails (@see \filter_var())
*
* @since 2.5.2 2.6.0 new 'transaction_id' filter
* @since 2.7.0 new 'element_identifier' filter
*/
protected static function Sanitize_Internal($value, $sSanitizationFilter)
{
@@ -351,6 +352,11 @@ class utils
}
break;
// For XML / HTML node identifiers
case 'element_identifier':
$retValue = preg_replace('/[^a-zA-Z0-9_]/', '', $value);
break;
default:
case 'raw_data':
$retValue = $value;
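Review bot: The new `element_identifier` case strips characters rather than validating, so it can return an empty string or a value starting with a digit (not a valid XML name, although the comment advertises XML identifiers), and two inputs that differ only in stripped characters collapse to the same identifier. None of the call sites in this commit check for that before writing the value into `id="…"` or `dashboard_div_id`. I would say so in the case comment, e.g. `// For XML / HTML node identifiers: removes everything outside [a-zA-Z0-9_]; the result may be empty, start with a digit, or collide with another id`, and have callers fall back or reject on an empty result. Separately, `default:` shares the `raw_data` branch, so a misspelled filter name at a call site returns the value unfiltered; that is existing behaviour, but it matters more with each new string-keyed filter. The switch continues outside the hunk.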


@@ -1139,7 +1139,7 @@ try
$oDashboard->FromParams($aParams);
$oDashboard->Save();
$sDashboardFile = addslashes(utils::ReadParam('file', '', false, 'raw_data'));
$sDivId = preg_replace('/[^a-zA-Z0-9_]/', '', $sDashboardId);
$sDivId = utils::Sanitize($sDashboardId, '', 'element_identifier');
// trigger a reload of the current page since the dashboard just changed
$oPage->add_script(
<<<EOF
@@ -1162,7 +1162,7 @@ EOF
$oDashboard = new RuntimeDashboard($sDashboardId);
$oDashboard->Revert();
$sFile = addslashes($oDashboard->GetDefinitionFile());
$sDivId = preg_replace('/[^a-zA-Z0-9_]/', '', $sDashboardId);
$sDivId = utils::Sanitize($sDashboardId, '', 'element_identifier');
// trigger a reload of the current page since the dashboard just changed
$oPage->add_script(
<<<EOF
@@ -1199,7 +1199,7 @@ EOF
case 'dashboard_editor':
$sId = utils::ReadParam('id', '', false, 'raw_data');
$aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data');
$aExtraParams['dashboard_div_id'] = preg_replace('/[^a-zA-Z0-9_]/', '', $sId);
$aExtraParams['dashboard_div_id'] = utils::Sanitize($sId, '', 'element_identifier');
$sDashboardFile = utils::ReadParam('file', '', false, 'raw_data');
$sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data');
$oKPI = new ExecutionKPI();
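Review bot: In the first two hunks the file value next to the changed line is still prepared with `addslashes()` only (`$sDashboardFile` from a `raw_data` request parameter, `$sFile` from `GetDefinitionFile()`), and both are followed by `$oPage->add_script(<<<EOF`. The heredoc bodies are outside the hunks, so this is inferred, but if those variables are interpolated into the script, `addslashes()` does not escape line terminators or a closing `</script>` sequence. `json_encode()` emits a complete JavaScript string literal and would be the safer encoder, e.g. `$sDashboardFile = json_encode(utils::ReadParam('file', '', false, 'raw_data'));` with the surrounding quotes dropped in the heredoc. In the `dashboard_editor` hunk, `extra_params`, `file` and `reload_url` also stay `raw_data`; only the div id is filtered by this commit.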