From b2d6df98ed6dbd6d71cc8a6d2f4be6bc087088de Mon Sep 17 00:00:00 2001
From: Denis Flaven <denis.flaven@combodo.com>
Date: Tue, 1 Apr 2014 10:13:58 +0000
Subject: [PATCH] Protect Bulk Modify against XSS injection!

SVN:2.0.2[3118]
---
 application/cmdbabstract.class.inc.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php
index 50eaa173e..cdec28c91 100644
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -2709,7 +2709,7 @@ EOF
 			$aFinalValues[$sAttCode] = $aValues[$sAttCode];
 		}
 		$this->UpdateObjectFromArray($aFinalValues);
-
+		
 		// Invoke extensions after the update of the object from the form
 		foreach (MetaModel::EnumPlugins('iApplicationUIExtension') as $oExtensionInstance)
 		{
@@ -3284,12 +3284,12 @@ EOF
 					{
 						foreach($value as $vKey => $vValue)
 						{
-							$oP->add("<input type=\"hidden\" name=\"{$sKey}[$vKey]\" value=\"$vValue\">\n");
+							$oP->add("<input type=\"hidden\" name=\"{$sKey}[$vKey]\" value=\"".htmlentities($vValue, ENT_QUOTES, 'UTF-8')."\">\n");
 						}
 					}
 					else
 					{
-						$oP->add("<input type=\"hidden\" name=\"$sKey\" value=\"$value\">\n");
+						$oP->add("<input type=\"hidden\" name=\"$sKey\" value=\"".htmlentities($value, ENT_QUOTES, 'UTF-8')."\">\n");
 					}
 				}
 			}