(Retrofit from deveop ab1715ed) N°1576 Portal: Security hardening.

datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php

@@ -631,8 +631,9 @@ class BrowseBrickController extends BrickController
                 if ($aLevelsProperties[$key][$sOptionalAttribute] !== null)
                 {
                     $sPropertyName = substr($sOptionalAttribute, 0, -4);
+                    $oAttDef = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute]);
 
-                    $tmpAttValue = $value->Get($aLevelsProperties[$key][$sOptionalAttribute]);
+                    $tmpAttValue = $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]);
                     if($sOptionalAttribute === 'image_att')
                     {
                         if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -641,7 +642,7 @@ class BrowseBrickController extends BrickController
                         }
                         else
                         {
-                            $tmpAttValue = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute])->Get('default_image');
+                            $tmpAttValue = $oAttDef->Get('default_image');
                         }
                     }
 
@@ -655,7 +656,7 @@ class BrowseBrickController extends BrickController
 				foreach ($aLevelsProperties[$key]['fields'] as $aField)
 				{
 					$oAttDef = MetaModel::GetAttributeDef(get_class($value), $aField['code']);
-					$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetValueLabel($value->Get($aField['code']));
+					$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetAsHTML($value->Get($aField['code']));
 				}
 			}
 		}
@@ -723,8 +724,9 @@ class BrowseBrickController extends BrickController
                 if ($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute] !== null)
                 {
                     $sPropertyName = substr($sOptionalAttribute, 0, -4);
+                    $oAttDef = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
 
-                    $tmpAttValue = $aCurrentRowValues[0]->Get($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
+                    $tmpAttValue = $aCurrentRowValues[0]->GetAsHTML($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
                     if($sOptionalAttribute === 'image_att')
                     {
                         if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -733,7 +735,7 @@ class BrowseBrickController extends BrickController
                         }
                         else
                         {
-                            $tmpAttValue = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute])->Get('default_image');
+                            $tmpAttValue = $oAttDef->Get('default_image');
                         }
                     }
 

datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php

@@ -40,6 +40,7 @@ use ListExpression;
 use ScalarExpression;
 use DBObjectSet;
 use AttributeEnum;
+use AttributeImage;
 use AttributeFinalClass;
 use AttributeFriendlyName;
 use UserRights;
@@ -1597,7 +1598,7 @@ class ObjectController extends AbstractController
 
 			if ($oAttDef->IsExternalKey())
 			{
-				$aAttData['value'] = $oObject->Get($oAttDef->GetCode() . '_friendlyname');
+				$aAttData['value'] = $oObject->GetAsHTML($oAttDef->GetCode() . '_friendlyname');
 
 				// Checking if user can access object's external key
 				if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass()))
@@ -1610,9 +1611,22 @@ class ObjectController extends AbstractController
 				// We skip it
 				continue;
 			}
+			elseif ($oAttDef instanceof AttributeImage)
+            {
+                $oOrmDoc = $oObject->Get($oAttDef->GetCode());
+                if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
+                {
+                    $sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oObject), 'sObjectId' => $oObject->GetKey(), 'sObjectField' => $oAttDef->GetCode(), 'cache' => 86400));
+                }
+                else
+                {
+                    $sUrl = $oAttDef->Get('default_image');
+                }
+                $aAttData['value'] = '<img src="' . $sUrl . '" />';
+            }
 			else
 			{
-				$aAttData['value'] = $oAttDef->GetValueLabel($oObject->Get($oAttDef->GetCode()));
+				$aAttData['value'] = $oAttDef->GetAsHTML($oObject->Get($oAttDef->GetCode()));
 
 				if ($oAttDef instanceof AttributeFriendlyName)
 				{

sources/form/field/textareafield.class.inc.php

@@ -29,6 +29,8 @@ use \Combodo\iTop\Form\Field\TextField;
  * Description of TextAreaField
  *
  * @author Guillaume Lajarige <guillaume.lajarige@combodo.com>
+ * @package \Combodo\iTop\Form\Field
+ * @since 2.3.0
  */
 class TextAreaField extends TextField
 {
@@ -113,7 +115,7 @@ class TextAreaField extends TextField
 	{
 		if ($this->GetFormat() == TextAreaField::ENUM_FORMAT_TEXT)
 		{
-			$sValue = $this->GetCurrentValue();
+		    $sValue = \Str::pure2html($this->GetCurrentValue());
 			$sValue = AttributeText::RenderWikiHtml($sValue);
 			return "<div>".str_replace("\n", "<br>\n", $sValue).'</div>';			
 		}

sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php

@@ -576,6 +576,7 @@ EOF
 			);
 
 			// Target object others attributes
+            // TODO: Support for AttriubteImage, AttributeBlob
 			foreach ($this->oField->GetAttributesToDisplay(true) as $sAttCode)
 			{
 				if ($sAttCode !== 'id')
@@ -598,7 +599,7 @@ EOF
 					}
 					else
 					{
-						$aAttProperties['value'] = $oAttDef->GetValueLabel($oRemoteItem->Get($sAttCode));
+						$aAttProperties['value'] = $oAttDef->GetAsHTML($oRemoteItem->Get($sAttCode));
 
 						if ($oAttDef instanceof AttributeFriendlyName)
 						{