From bdf11e32a76be70252e3d42d5223f91009dcf70e Mon Sep 17 00:00:00 2001
From: Molkobain <lajarige.guillaume@free.fr>
Date: Wed, 24 Aug 2022 10:47:40 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B05318=20-=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 core/cmdbchangeop.class.inc.php                          | 2 +-
 .../Component/FieldBadge/FieldBadgeUIBlockFactory.php    | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/cmdbchangeop.class.inc.php b/core/cmdbchangeop.class.inc.php
index 537ca8d005..6dbcf3f752 100644
--- a/core/cmdbchangeop.class.inc.php
+++ b/core/cmdbchangeop.class.inc.php
@@ -78,7 +78,7 @@ class CMDBChangeOp extends DBObject implements iCMDBChangeOp
 	}
 
 	/**
-	 * Describe (as a text string) the modifications corresponding to this change
+	 * @inheritDoc
 	 */
 	public function GetDescription()
 	{
diff --git a/sources/application/UI/Base/Component/FieldBadge/FieldBadgeUIBlockFactory.php b/sources/application/UI/Base/Component/FieldBadge/FieldBadgeUIBlockFactory.php
index 353254153f..e8cd1c94e1 100644
--- a/sources/application/UI/Base/Component/FieldBadge/FieldBadgeUIBlockFactory.php
+++ b/sources/application/UI/Base/Component/FieldBadge/FieldBadgeUIBlockFactory.php
@@ -10,6 +10,7 @@ namespace Combodo\iTop\Application\UI\Base\Component\FieldBadge;
 
 use Combodo\iTop\Application\UI\Base\AbstractUIBlockFactory;
 use ormStyle;
+use utils;
 
 /**
  * Class FieldBadgeUIBlockFactory
@@ -36,6 +37,10 @@ class FieldBadgeUIBlockFactory extends AbstractUIBlockFactory
 	{
 		$oBadge = null;
 		$sHtml = '';
+
+		// N°5318 - Sanitize value manually as this UIBlock is not using a proper TWIG template 😥
+		$sValueForHtml = utils::EscapeHtml($sValue);
+
 		if ($oStyle) {
 			$sStyleClass = $oStyle->GetStyleClass();
 			$sPrimaryColor = $oStyle->GetMainColor();
@@ -47,12 +52,12 @@ class FieldBadgeUIBlockFactory extends AbstractUIBlockFactory
 				if (!is_null($sDecorationClasses) && !empty($sDecorationClasses)) {
 					$sHtml .= "<span class=\"ibo-field-badge--decoration\"><i class=\"$sDecorationClasses\"></i></span>";
 				}
-				$sHtml .= "<span class=\"ibo-field-badge--label\">$sValue</span>";
+				$sHtml .= "<span class=\"ibo-field-badge--label\">$sValueForHtml</span>";
 			}
 		}
 		if (!$oBadge) {
 			$oBadge = new FieldBadge();
-			$sHtml .= "<span>$sValue</span>";
+			$sHtml .= "<span>$sValueForHtml</span>";
 		}
 		$oBadge->AddHtml($sHtml);
 		return $oBadge;