From dab0e372d07434b90062c2eab8a99bf9159435cc Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Thu, 2 Dec 2021 10:32:29 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B04499=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 webservices/export-v2.php | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/webservices/export-v2.php b/webservices/export-v2.php
index 64c850bfb..97fce9861 100644
--- a/webservices/export-v2.php
+++ b/webservices/export-v2.php
@@ -506,17 +506,17 @@ function CheckParameters($sExpression, $sQueryId, $sFormat)
 catch(MissingQueryArgument $e)
 {
 $oSearch = null;
- ReportErrorAndUsage("Invalid OQL query: '$sExpression'.\n".$e->getMessage());
+ ReportErrorAndUsage("Invalid OQL query: '".utils::HtmlEntities($sExpression)."'.\n".utils::HtmlEntities($e->getMessage()));
 }
 catch(OQLException $e)
 {
 $oSearch = null;
- ReportErrorAndExit("Invalid OQL query: '$sExpression'.\n".$e->getMessage());
+ ReportErrorAndExit("Invalid OQL query: '".utils::HtmlEntities($sExpression)."'.\n".utils::HtmlEntities($e->getMessage()));
 }
 catch(Exception $e)
 {
 $oSearch = null;
- ReportErrorAndExit($e->getMessage());
+ ReportErrorAndExit(utils::HtmlEntities($e->getMessage()));
 }
 
 $oExporter->SetFormat($sFormat);
@@ -573,7 +573,7 @@ if (utils::IsModeCLI())
 }
 catch(Exception $e)
 {
- echo "Error: ".$e->GetMessage()."
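Review bot: The escaping is applied at each call site before `ReportErrorAndUsage`/`ReportErrorAndExit`, yet whether those helpers render HTML or plain text (CLI) is decided inside their bodies, which lie outside this hunk. That placement is what lets the hunk at line 680 pass `$sExpression` unescaped while this one escapes it, and it turns `&`, `<` and `>` into entity sequences wherever a helper prints to a terminal. I would keep the callers passing raw strings and do the encoding once inside the two helpers, applying `utils::HtmlEntities` only on the web-page branch; that also removes any double-encoding risk should the helpers ever escape on their own. CheckParameters continues outside the hunk.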
\n";
+    echo "Error: ".utils::HtmlEntities($e->getMessage())."
\n";
 exit(-2);
 }
 
@@ -680,15 +680,15 @@ if (utils::IsModeCLI())
 }
 catch(MissingQueryArgument $e)
 {
- ReportErrorAndUsage("Invalid OQL query: '$sExpression'.\n".$e->getMessage());
+ ReportErrorAndUsage("Invalid OQL query: '$sExpression'.\n".utils::HtmlEntities($e->getMessage()));
 }
 catch(OQLException $e)
 {
- ReportErrorAndExit("Invalid OQL query: '$sExpression'.\n".$e->getMessage());
+ ReportErrorAndExit("Invalid OQL query: '$sExpression'.\n".utils::HtmlEntities($e->getMessage()));
 }
 catch(Exception $e)
 {
- ReportErrorAndExit($e->getMessage());
+ ReportErrorAndExit(utils::HtmlEntities($e->getMessage()));
 }
 
 exit;
@@ -753,14 +753,14 @@ try
 catch (BulkExportMissingParameterException $e)
 {
 $oP = new ajax_page('iTop Export');
- $oP->add($e->getMessage());
+ $oP->add(utils::HtmlEntities($e->getMessage()));
 Usage($oP);
 $oP->output();
 }
 catch (Exception $e)
 {
 $oP = new WebPage('iTop Export');
 $oP->add_xframe_options();
- $oP->add('Error: '.$e->getMessage());
- IssueLog::Error($e->getMessage()."\n".$e->getTraceAsString());
+ $oP->add('Error: '.utils::HtmlEntities($e->getMessage()));
+ IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString());
 $oP->output();
 }
\ No newline at end of file
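Review bot: If this `echo` sits on the CLI branch, as the `if (utils::IsModeCLI())` context line and the `exit(-2)` suggest, wrapping the message in `utils::HtmlEntities` converts `&`, `<` and `>` (and quotes, depending on the helper's flags) into entity sequences in terminal output, where there is no HTML context to protect. HTML encoding belongs only where the text is written into a WebPage; on a plain-text path the line should stay `echo "Error: ".$e->getMessage()."\n";` with whatever trailing literal the original carried (the string is split across physical lines on this page, so its full contents are not visible here). The `GetMessage()` to `getMessage()` case fix is fine on its own. The enclosing try/catch starts outside the hunk.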
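Review bot: `$sExpression` is interpolated raw into the `ReportErrorAndUsage` and `ReportErrorAndExit` messages in the hunk at line 680 while only `$e->getMessage()` is escaped, whereas the same three call sites in CheckParameters (hunk at line 506) escape both. `$sExpression` is the caller-supplied OQL text, so if these helpers emit HTML this remains a reflected injection point; if instead they print plain text on the CLI branch the context line suggests, then escaping `$e->getMessage()` here is the part that does not belong. Either way the two hunks should agree, e.g. `ReportErrorAndUsage("Invalid OQL query: '".utils::HtmlEntities($sExpression)."'.\n".utils::HtmlEntities($e->getMessage()));` and the matching `ReportErrorAndExit` line. The enclosing try block starts outside the hunk.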
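Review bot: `IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString())` in the hunk at line 753 HTML-encodes text that goes to a log sink, not a browser, so every `&`, `<` or `>` in the stored entry becomes an entity sequence and the logged message no longer matches what `$e->getMessage()` actually said, which hurts grep-based triage and correlation with other logs. The trace string in the same call stays raw, so the entry is only half-encoded anyway. Encoding at the HTML sink, `$oP->add('Error: '.utils::HtmlEntities($e->getMessage()))` as this hunk already does, is the right place; the log line should remain `IssueLog::Error($e->getMessage()."\n".$e->getTraceAsString());`. If log entries are later rendered in an HTML viewer, that viewer is where escaping belongs. The surrounding try starts outside the hunk.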