{$sValidationSpan}{$sReloadSpan}$sHidden";
// Note: This should be refactored for all types of attribute (see at the end of this function) but as we are doing this for a maintenance release, we are scheduling it for the next main release in to order to avoid regressions as much as possible.
diff --git a/application/ui.htmleditorwidget.class.inc.php b/application/ui.htmleditorwidget.class.inc.php
index 01cb8cebc..17666eb97 100644
--- a/application/ui.htmleditorwidget.class.inc.php
+++ b/application/ui.htmleditorwidget.class.inc.php
@@ -57,11 +57,13 @@ class UIHTMLEditorWidget
/**
* Get the HTML fragment corresponding to the HTML editor widget
- * @param WebPage $oP The web page used for all the output
- * @param Hash $aArgs Extra context arguments
+ *
+ * @param WebPage $oPage The web page used for all the output
+ * @param array $aArgs Extra context arguments
+ *
* @return string The HTML fragment to be inserted into the page
*/
- public function Display(WebPage $oPage, $aArgs = array())
+ public function Display(WebPage $oPage, array $aArgs = array()) : string
{
$iId = $this->m_iId;
$sCode = $this->m_sAttCode.$this->m_sNameSuffix;
@@ -69,7 +71,8 @@ class UIHTMLEditorWidget
$sHelpText = $this->m_sHelpText;
$sValidationField = $this->m_sValidationField;
- $sHtmlValue = "$sValidationField";
+ $sEncodedValue = CKEditorHelper::PrepareCKEditorValueTextEncodingForTextarea($sValue);
+ $sHtmlValue = "$sValidationField";
// Enable CKEditor
CKEditorHelper::ConfigureCKEditorElementForWebPage($oPage, $iId, $sValue, true);
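Review bot: The new `$sEncodedValue` computed on the previous line is not referenced by the `$sHtmlValue` assignment as it appears here, which still reads only `$sValidationField`, while `ConfigureCKEditorElementForWebPage` on the last line keeps receiving the raw `$sValue`. The textarea markup was probably lost when this page was rendered, so confirm that the textarea body interpolates `$sEncodedValue` rather than `$sValue`; the stored value is raw HTML and is the only place in this method where it meets RCDATA parsing. If the raw value is passed to the JS-side configuration on purpose, a one-line comment such as `// raw value for the editor config; the textarea body uses the encoded copy` would stop the next reader from "fixing" it. Display's body continues past the end of this hunk.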
diff --git a/dictionaries/sk.dictionary.itop.core.php b/dictionaries/sk.dictionary.itop.core.php
index d246e8322..d479f4f7d 100644
--- a/dictionaries/sk.dictionary.itop.core.php
+++ b/dictionaries/sk.dictionary.itop.core.php
@@ -548,9 +548,9 @@ This icon is shown in the tooltip of the “Lock” symbol on '.ITOP_APPLICATION
'Class:Trigger/Attribute:finalclass+' => 'Name of the final class~~',
'Class:Trigger/Attribute:subscription_policy' => 'Subscription policy~~',
'Class:Trigger/Attribute:subscription_policy+' => 'Allows users to unsubscribe from the trigger~~',
- 'Class:Trigger/Attribute:subscription_policy/Value:allow_no_channel' => 'Allow no channel~~',
- 'Class:Trigger/Attribute:subscription_policy/Value:force_all_channels' => 'Force all channels~~',
- 'Class:Trigger/Attribute:subscription_policy/Value:force_at_least_one_channel' => 'Force at least one channel~~',
+ 'Class:Trigger/Attribute:subscription_policy/Value:allow_no_channel' => 'Allow complete unsubscription~~',
+ 'Class:Trigger/Attribute:subscription_policy/Value:force_all_channels' => 'Deny unsubscription~~',
+ 'Class:Trigger/Attribute:subscription_policy/Value:force_at_least_one_channel' => 'Force at least one channel (News or Email)~~',
'Class:Trigger/ComplementaryName' => '%1$s, %2$s~~',
'Class:TriggerOnAttributeBlobDownload' => 'Trigger (on object\'s document download)~~',
'Class:TriggerOnAttributeBlobDownload+' => 'Trigger on object\'s document field download of [a child class of] the given class~~',
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index 89135c9db..4a194a869 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -29,12 +29,12 @@ require_once('../approot.inc.php');
// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)
-if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
+/*if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
$sReferer = utils::HtmlEntities($_SERVER['HTTP_REFERER']);
IssueLog::Error("Unprotected ajax call from: $sReferer", 'SECURITY');
header('HTTP/1.1 401 Unauthorized');
die('Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks');
-}
+}*/
function LogErrorMessage($sMsgPrefix, $aContextInfo) {
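Review bot: Commenting out the `HTTP_X_COMBODO_AJAX` check removes the only CSRF defence this endpoint had for POST requests, and nothing in the hunk replaces it or records why it was disabled; the rest of the page only mentions a deferred refactoring of attribute rendering, which does not explain this. If some callers break on the header requirement, the safer maintenance-release path is to keep the check and make it configurable, e.g. `if (MetaModel::GetConfig()->Get('security.ajax_header_required') && !isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {`, defaulting to enforced, or at minimum keep logging the unprotected call to the `SECURITY` channel while the `die()` is disabled so the exposure stays visible. Commented-out code should either be deleted with a commit message giving the reason, or carry a `// TODO(security): re-enable CSRF header check, disabled because … (ticket …)` marker so it is not silently lost. Whether the session/token checks elsewhere in this file cover the same POST paths cannot be told from this hunk.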
diff --git a/sources/Application/Helper/CKEditorHelper.php b/sources/Application/Helper/CKEditorHelper.php
index 06f3f8ae1..a5b4b72f2 100644
--- a/sources/Application/Helper/CKEditorHelper.php
+++ b/sources/Application/Helper/CKEditorHelper.php
@@ -115,6 +115,19 @@ class CKEditorHelper
return $aMentionConfiguration;
}
+ /**
+ * Encode value when using CKEditor with a TextArea.
+ * @see https://ckeditor.com/docs/ckeditor5/latest/installation/getting-started/getting-and-setting-data.html#automatic-integration-with-html-forms
+ *
+ * @param string $sValue
+ *
+ * @return string
+ */
+ public static function PrepareCKEditorValueTextEncodingForTextarea(string $sValue) : string
+ {
+ return str_replace( '&', '&', $sValue );
+ }
+
/**
* Configure CKEditor element (WebPage).
*
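Review bot: As shown, `str_replace( '&', '&', $sValue )` has identical search and replacement strings and is therefore a no-op; presumably the replacement was `&amp;` and was decoded when this page was rendered, but even then the function only handles one of the characters that matter inside a textarea. Textarea content is RCDATA, so a stored `</textarea>` (case-insensitive, whitespace variants included) still terminates the element and lets the remainder of a user-authored rich-text value be parsed as page markup, which is an XSS path when the HTML comes from untrusted authors. The CKEditor page linked in the docblock shows the textarea body fully entity-escaped, so the straightforward fix is `return htmlspecialchars($sValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, unless the callers' textarea builder already escapes, in which case this helper would double-encode and should be dropped instead. The docblock should also say what the encoding is for, e.g. `Entity-encode a value that is placed inside a <textarea> body so the browser decodes it back to the original HTML; not suitable for attribute or JS contexts.`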
diff --git a/sources/Renderer/Bootstrap/FieldRenderer/BsSimpleFieldRenderer.php b/sources/Renderer/Bootstrap/FieldRenderer/BsSimpleFieldRenderer.php
index bc9261496..31466f8b5 100644
--- a/sources/Renderer/Bootstrap/FieldRenderer/BsSimpleFieldRenderer.php
+++ b/sources/Renderer/Bootstrap/FieldRenderer/BsSimpleFieldRenderer.php
@@ -161,7 +161,7 @@ EOF
// First the edition area
$oOutput->AddHtml('
');
// Then the previous entries if necessary
if ($sFieldClass === 'Combodo\\iTop\\Form\\Field\\CaseLogField') {
diff --git a/sources/Renderer/Console/FieldRenderer/ConsoleSimpleFieldRenderer.php b/sources/Renderer/Console/FieldRenderer/ConsoleSimpleFieldRenderer.php
index 26cefbd80..10e648e89 100644
--- a/sources/Renderer/Console/FieldRenderer/ConsoleSimpleFieldRenderer.php
+++ b/sources/Renderer/Console/FieldRenderer/ConsoleSimpleFieldRenderer.php
@@ -156,7 +156,7 @@ class ConsoleSimpleFieldRenderer extends FieldRenderer
}
else
{
- $oText = new TextArea("",$this->oField->GetCurrentValue(),$this->oField->GetGlobalId(),40,8);
+ $oText = new TextArea("", CKEditorHelper::PrepareCKEditorValueTextEncodingForTextarea($this->oField->GetCurrentValue()),$this->oField->GetGlobalId(),40,8);
$oText->AddCSSClasses(['ibo-input-field-wrapper', 'ibo-input']);
$oValue->AddSubBlock($oText);
// Some additional stuff if we are displaying it with a rich editor
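Review bot: `PrepareCKEditorValueTextEncodingForTextarea` is declared with a non-nullable `string` parameter, so if `$this->oField->GetCurrentValue()` can return `null` for an empty rich-text field the changed `TextArea` line now throws a `TypeError` where the previous code rendered an empty textarea; guard it with `CKEditorHelper::PrepareCKEditorValueTextEncodingForTextarea($this->oField->GetCurrentValue() ?? '')` or make the helper accept `?string`. Whether `null` is possible cannot be told from this hunk. The hunk also references `CKEditorHelper` unqualified without adding a `use` statement; if this renderer's namespace does not already import it, the call fails at runtime, so confirm the import exists above the hunk. Finally, if the `TextArea` block already entity-encodes its content, this wrapper double-encodes and `&` would display as `&amp;` in the editor.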