From cd5e1afb2b3567a9c27f930f21839d201f5b6341 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon <pierre.goiffon@combodo.com>
Date: Mon, 22 Oct 2018 15:44:03 +0200
Subject: [PATCH] DBSearch: Fix serialization rework, use htmlentities

---
 application/cmdbabstract.class.inc.php | 3 ++-
 pages/UI.php                           | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php
index 320ab80f4..03201b8b0 100644
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -4583,7 +4583,8 @@ EOF
 				}
 				$oP->add("<input type=\"hidden\" name=\"transaction_id\" value=\"".utils::GetNewTransactionId()."\">\n");
 				$oP->add("<input type=\"hidden\" name=\"operation\" value=\"$sCustomOperation\">\n");
-				$oP->add("<input type=\"hidden\" name=\"filter\" value=\"".rawurlencode($oFilter->Serialize())."\">\n");
+				$oP->add("<input type=\"hidden\" name=\"filter\" value=\"".htmlentities($oFilter->Serialize(), ENT_QUOTES,
+						'UTF-8')."\">\n");
 				$oP->add("<input type=\"hidden\" name=\"class\" value=\"$sClass\">\n");
 				foreach($aObjects as $oObj)
 				{
diff --git a/pages/UI.php b/pages/UI.php
index 1a4b43ccc..0d798da23 100644
--- a/pages/UI.php
+++ b/pages/UI.php
@@ -277,7 +277,7 @@ function DisplayMultipleSelectionForm($oP, $oFilter, $sNextOperation, $oChecker,
 		$oP->add("<form method=\"post\" action=\"./UI.php\">\n");
 		$oP->add("<input type=\"hidden\" name=\"operation\" value=\"$sNextOperation\">\n");
 		$oP->add("<input type=\"hidden\" name=\"class\" value=\"".$oFilter->GetClass()."\">\n");
-		$oP->add("<input type=\"hidden\" name=\"filter\" value=\"".rawurlencode($oFilter->Serialize())."\">\n");
+	$oP->add("<input type=\"hidden\" name=\"filter\" value=\"".htmlentities($oFilter->Serialize(), ENT_QUOTES, 'UTF-8')."\">\n");
 		$oP->add("<input type=\"hidden\" name=\"transaction_id\" value=\"".utils::GetNewTransactionId()."\">\n");
 		foreach($aExtraFormParams as $sName => $sValue)
 		{