N°4127 - Security: Fix XSS vulnerability in object attribute's tooltip

2026-04-23 10:38:45 +02:00 · 2021-07-07 09:27:34 +02:00
parent c76d4f12fd
commit ebbf6e56be
6 changed files with 54 additions and 23 deletions
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -2533,14 +2533,13 @@ EOF
 						$sDisplayValueForHtml = utils::EscapeHtml($sDisplayValue);

 						// Adding tooltip so we can read the whole value when its very long (eg. URL)
-						$sTip = '';
+                        $sTip = '';
 						if (!empty($sDisplayValue)) {
 							$sTip = 'data-tooltip-content="'.$sDisplayValueForHtml.'"';
-							$oPage->add_ready_script(
-								<<<EOF
+							$oPage->add_ready_script(<<<JS
 								$('#{$iId}').on('keyup', function(evt, sFormId){ 
-									var sVal = $('#{$iId}').val();
-									var oTippy = this._tippy;
+									let sVal = $('#{$iId}').val();
+									const oTippy = this._tippy;
 									
 									if(sVal === '')
 									{
@@ -2553,7 +2552,7 @@ EOF
 									}
 									oTippy.setContent(sVal);
 								});
-EOF
+JS
 							);
 						}