N°3581 - Dashlet plain text: Fix line returns while keeping XSS protection

Molkobain
2021-03-18 20:22:55 +01:00
parent b3e3a27555
commit f567f581c3
2 changed files with 5 additions and 1 deletions


@@ -849,6 +849,7 @@ class DashletPlainText extends Dashlet
public function Render($oPage, $bEditMode = false, $aExtraParams = array())
{
$sText = $this->aProperties['text'];
$sText = utils::EscapeHtml($sText);
$sText = str_replace(array("\r\n", "\n", "\r"), "<br/>", $sText);
$sId = 'plaintext_'.($bEditMode ? 'edit_' : '').$this->sId;
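Review bot: The `utils::EscapeHtml($sText)` and `str_replace(...)` lines are order-dependent and carry a security contract that nothing in `Render` records. Swapping them would escape the `<br/>` tags, and dropping the first would pass raw property text to a template that, judging by the second file on this page, prints it with `|raw`. I would add a comment above the pair, `// Escape first, then insert <br/>: the template outputs this value with |raw, so it must leave here as safe HTML`. The body of `Render` continues outside the hunk, so how `$sText` reaches the UI block is not visible here and should be checked for any later modification.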


@@ -1,5 +1,8 @@
{# @copyright Copyright (C) 2010-2021 Combodo SARL #}
{# @license http://opensource.org/licenses/AGPL-3.0 #}
{% apply spaceless %}
<div id="{{ oUIBlock.GetId() }}" class="ibo-dashlet-text {% if oUIBlock.IsHidden() %}ibo-is-hidden{% endif %}" data-role="ibo-dashlet-text">{{ oUIBlock.GetText() }}</div>
<div id="{{ oUIBlock.GetId() }}" class="ibo-dashlet-text {% if oUIBlock.IsHidden() %}ibo-is-hidden{% endif %}" data-role="ibo-dashlet-text">
{# |raw filter is ok here as the escaping is already done by the \DashletPlainText class itself #}
{{ oUIBlock.GetText()|raw }}
</div>
{% endapply %}
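Review bot: The `|raw` on `{{ oUIBlock.GetText()|raw }}` switches off Twig's escaping for every value that reaches this template, and the template cannot check that the text really went through the escaping in `DashletPlainText::Render`. Any other code that builds this block with unescaped text (none is visible on this page, so this needs confirming) would then render stored markup as-is. A sturdier arrangement is to pass plain text through and let the template do both steps with `{{ oUIBlock.GetText()|nl2br }}`, since Twig's `nl2br` escapes its input before inserting the line breaks; the PHP-side `utils::EscapeHtml` and `str_replace` would then have to go to avoid double escaping. If `|raw` stays, the comment should state the contract on the block rather than name one caller, e.g. `{# GetText() must return already-escaped HTML; |raw is only safe under that contract #}`.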