(Retrofit from deveop ab1715ed) N°1576 Portal: Security hardening.

datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php

@@ -40,6 +40,7 @@ use ListExpression;
 use ScalarExpression;
 use DBObjectSet;
 use AttributeEnum;
+use AttributeImage;
 use AttributeFinalClass;
 use AttributeFriendlyName;
 use UserRights;
@@ -1597,7 +1598,7 @@ class ObjectController extends AbstractController
 
 			if ($oAttDef->IsExternalKey())
 			{
-				$aAttData['value'] = $oObject->Get($oAttDef->GetCode() . '_friendlyname');
+				$aAttData['value'] = $oObject->GetAsHTML($oAttDef->GetCode() . '_friendlyname');
 
 				// Checking if user can access object's external key
 				if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass()))
@@ -1610,9 +1611,22 @@ class ObjectController extends AbstractController
 				// We skip it
 				continue;
 			}
+			elseif ($oAttDef instanceof AttributeImage)
+            {
+                $oOrmDoc = $oObject->Get($oAttDef->GetCode());
+                if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
+                {
+                    $sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oObject), 'sObjectId' => $oObject->GetKey(), 'sObjectField' => $oAttDef->GetCode(), 'cache' => 86400));
+                }
+                else
+                {
+                    $sUrl = $oAttDef->Get('default_image');
+                }
+                $aAttData['value'] = '<img src="' . $sUrl . '" />';
+            }
 			else
 			{
-				$aAttData['value'] = $oAttDef->GetValueLabel($oObject->Get($oAttDef->GetCode()));
+				$aAttData['value'] = $oAttDef->GetAsHTML($oObject->Get($oAttDef->GetCode()));
 
 				if ($oAttDef instanceof AttributeFriendlyName)
 				{