N°8201 - [CVE_Request]_Cross-Site-Script Reflected(XSS Reflected at the name="attr_installed" (Low or Medium)

* security hardening

.github/workflows/action.yml

@@ -0,0 +1,43 @@
+name: Add PRs to Combodo PRs Dashboard
+
+on:
+  pull_request_target:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add PR to Combodo Project
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if author is a member of the organization
+        id: check-membership
+        run: |
+          ORG="Combodo"
+          AUTHOR=$(jq -r .pull_request.user.login "$GITHUB_EVENT_PATH")
+          RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}" \
+            "https://api.github.com/orgs/$ORG/members/$AUTHOR")
+          if [ "$RESPONSE" == "404" ]; then
+            echo "project_url=https://github.com/orgs/Combodo/projects/5" >> $GITHUB_ENV
+            echo "is_member=false" >> $GITHUB_ENV
+          else
+            echo "project_url=https://github.com/orgs/Combodo/projects/4" >> $GITHUB_ENV
+            echo "is_member=true" >> $GITHUB_ENV
+
+          fi
+
+      - name: Add internal tag if member
+        if: env.is_member == 'true'
+        run: |
+          curl -X POST -H "Authorization: token ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/Combodo/iTop/issues/${{ github.event.pull_request.number }}/labels \
+            -d '{"labels":["internal"]}'
+        env:
+          is_member: ${{ env.is_member }}
+
+      - name: Add PR to the appropriate project
+        uses: actions/add-to-project@v1.0.2
+        with:
+          project-url: ${{ env.project_url }}
+          github-token: ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}

.make/build/commands/setupCssCompiler.php

@@ -27,7 +27,7 @@ $iTopFolder = __DIR__."/../../../";
 require_once("$iTopFolder/approot.inc.php");
 require_once(APPROOT."/application/utils.inc.php");
 
-if (php_sapi_name() !== 'cli')
+if (PHP_SAPI !== 'cli')
 {
 	throw new \Exception('This script can only run from CLI');
 }
@@ -48,4 +48,4 @@ if (!file_exists($sCssFile))
 {
 	fwrite(STDERR, "Failed to compile $sCssFile, exiting.");
 	exit(1);
-}
+}

.make/composer/rmDeniedTestDir.php

@@ -26,7 +26,7 @@ $iTopFolder = __DIR__ . "/../../" ;
 require_once ("$iTopFolder/approot.inc.php");
 require_once (APPROOT."/setup/setuputils.class.inc.php");
 
-if  (php_sapi_name() !== 'cli')
+if  (PHP_SAPI !== 'cli')
 {
 	throw new \Exception('This script can only run from CLI');
 }
@@ -70,4 +70,4 @@ if (false === empty($aMissing)) {
 	echo "Some new tests dirs exists !\n"
 		.'  They must be declared either in the allowed or denied list in '.iTopComposer::class." (see N°2651).\n"
 		.'  List of dirs:'."\n".var_export($aMissing, true);
-}
+}

application/applicationextension.inc.php

@@ -1316,6 +1316,11 @@ interface iRestServiceProvider
 	public function ExecOperation($sVersion, $sVerb, $aParams);
 }
 
+interface iRestInputSanitizer
+{
+	public function SanitizeJsonInput(string $sJsonInput): string;
+}
+
 /**
  * Minimal REST response structure. Derive this structure to add response data and error codes.
  *
@@ -1405,6 +1410,14 @@ class RestResult
 	 * @api
 	 */
 	public $message;
+	
+	/**
+	 * Sanitize the content of this result to hide sensitive information
+	 */
+	public function SanitizeContent()
+	{
+		// The default implementation does nothing
+	}
 }
 
 /**

application/dashboard.class.inc.php

@@ -529,10 +529,7 @@ EOF
 	 */
 	public function Render($oPage, $bEditMode = false, $aExtraParams = array(), $bCanEdit = true)
 	{
-		if (!array_key_exists('dashboard_div_id', $aExtraParams))
-		{
-			$aExtraParams['dashboard_div_id'] = utils::Sanitize($this->GetId(), '', 'element_identifier');
-		}
+		$aExtraParams['dashboard_div_id'] = utils::Sanitize($aExtraParams['dashboard_div_id'] ?? null, $this->GetId(), utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER);
 
 		$oPage->add('<div class="dashboard-title-line"><div class="dashboard-title">'.htmlentities(Dict::S($this->sTitle), ENT_QUOTES, 'UTF-8', false).'</div></div>');
 
@@ -1002,7 +999,7 @@ EOF
 		$sSelectorHtml .= '</div>';
 		$sSelectorHtml = addslashes($sSelectorHtml);
 		$sFile = addslashes($this->GetDefinitionFile());
-		$sReloadURL = $this->GetReloadURL();
+		$sReloadURL = json_encode($this->GetReloadURL());
 
 		$oPage->add_ready_script(
 <<<EOF
@@ -1059,7 +1056,7 @@ EOF
 		$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/jquery.iframe-transport.js');
 		$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/jquery.fileupload.js');
 		$sEditMenu = "<div id=\"DashboardMenu\"><ul><li><i class=\"top-right-icon icon-additional-arrow fas fa-pencil-alt\"></i><ul>";
-	
+
 		$aActions = array();
 		$sFile = addslashes($this->sDefinitionFile);
 		$sJSExtraParams = json_encode($aExtraParams);
@@ -1091,6 +1088,7 @@ EOF
 	
 EOF
 		);
+        $sReloadURL = json_encode($this->GetReloadURL());
 		$oPage->add_script(
 <<<EOF
 function EditDashboard(sId, sDashboardFile, aExtraParams)
@@ -1188,19 +1186,19 @@ EOF
 		$oPage->add('</div>');
 		$oPage->add('<div id="event_bus"/>'); // For exchanging messages between the panes, same as in the designer
 		$oPage->add('</div>');
-		
+
 		$sDialogTitle = Dict::S('UI:DashboardEdit:Title');
 		$sOkButtonLabel = Dict::S('UI:Button:Save');
 		$sCancelButtonLabel = Dict::S('UI:Button:Cancel');
 		
-		$sId = utils::HtmlEntities($this->sId);
-		$sLayoutClass = utils::HtmlEntities($this->sLayoutClass);
+		$sId = json_encode($this->sId);
+		$sLayoutClass = json_encode($this->sLayoutClass);
 		$sAutoReload = $this->bAutoReload ? 'true' : 'false';
 		$sAutoReloadSec = (string) $this->iAutoReloadSec;
-		$sTitle = utils::HtmlEntities($this->sTitle);
-		$sFile = utils::HtmlEntities($this->GetDefinitionFile());
+		$sTitle = json_encode($this->sTitle);
+		$sFile = json_encode($this->GetDefinitionFile());
 		$sUrl = utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php';
-		$sReloadURL = $this->GetReloadURL();
+		$sReloadURL = json_encode($this->GetReloadURL());
 
 		$sExitConfirmationMessage = addslashes(Dict::S('UI:NavigateAwayConfirmationMessage'));
 		$sCancelConfirmationMessage = addslashes(Dict::S('UI:CancelConfirmationMessage'));
@@ -1250,15 +1248,15 @@ $('#dashboard_editor').dialog({
 });
 
 $('#dashboard_editor .ui-layout-center').runtimedashboard({
-	dashboard_id: '$sId', 
-	layout_class: '$sLayoutClass', 
-	title: '$sTitle',
+	dashboard_id: $sId, 
+	layout_class: $sLayoutClass, 
+	title: $sTitle,
 	auto_reload: $sAutoReload, 
 	auto_reload_sec: $sAutoReloadSec,
 	submit_to: '$sUrl', 
-	submit_parameters: {operation: 'save_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	submit_parameters: {operation: 'save_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	render_to: '$sUrl', 
-	render_parameters: {operation: 'render_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	render_parameters: {operation: 'render_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	new_dashlet_parameters: {operation: 'new_dashlet'}
 });
 

application/utils.inc.php

@@ -199,16 +199,8 @@ class utils
 
 	public static function IsModeCLI()
 	{
-		$sSAPIName = php_sapi_name();
-		$sCleanName = strtolower(trim($sSAPIName));
-		if ($sCleanName == 'cli')
-		{
-			return true;
-		}
-		else
-		{
-			return false;
-		}
+		$sCleanName = strtolower(trim(PHP_SAPI));
+		return ($sCleanName === 'cli');
 	}
 
 	protected static $bPageMode = null;
@@ -316,13 +308,13 @@ class utils
 		}
 		return self::Sanitize($retValue, $defaultValue, $sSanitizationFilter);
 	}
-	
+
 	public static function ReadPostedParam($sName, $defaultValue = '', $sSanitizationFilter = 'parameter')
 	{
 		$retValue = isset($_POST[$sName]) ? $_POST[$sName] : $defaultValue;
 		return self::Sanitize($retValue, $defaultValue, $sSanitizationFilter);
 	}
-	
+
 	public static function Sanitize($value, $defaultValue, $sSanitizationFilter)
 	{
 		if ($value === $defaultValue)
@@ -338,7 +330,7 @@ class utils
 				$retValue = $defaultValue;
 			}
 		}
-		return $retValue;		
+		return $retValue;
 	}
 
 	/**
@@ -440,8 +432,8 @@ class utils
 
 			// For URL
 			case static::ENUM_SANITIZATION_FILTER_URL:
-                // N°6350 - returns only valid URLs
-				$retValue = filter_var($value, FILTER_VALIDATE_URL);
+				$retValue = filter_var($value, FILTER_SANITIZE_URL);
+				$retValue = filter_var($retValue, FILTER_VALIDATE_URL);
 				break;
 
 			default:
@@ -481,11 +473,11 @@ class utils
 					$sMimeType = self::GetFileMimeType($sTmpName);
 					$oDocument = new ormDocument($doc_content, $sMimeType, $sName);
 				break;
-				
+
 				case UPLOAD_ERR_NO_FILE:
 				// no file to load, it's a normal case, just return an empty document
 				break;
-				
+
 				case UPLOAD_ERR_FORM_SIZE:
 				case UPLOAD_ERR_INI_SIZE:
 				throw new FileUploadException(Dict::Format('UI:Error:UploadedFileTooBig', ini_get('upload_max_filesize')));
@@ -494,7 +486,7 @@ class utils
 				case UPLOAD_ERR_PARTIAL:
 				throw new FileUploadException(Dict::S('UI:Error:UploadedFileTruncated.'));
 				break;
-				
+
 				case UPLOAD_ERR_NO_TMP_DIR:
 				throw new FileUploadException(Dict::S('UI:Error:NoTmpDir'));
 				break;
@@ -507,7 +499,7 @@ class utils
 				$sName = is_null($sIndex) ? $aFileInfo['name'] : $aFileInfo['name'][$sIndex];
 				throw new FileUploadException(Dict::Format('UI:Error:UploadStoppedByExtension_FileName', $sName));
 				break;
-				
+
 				default:
 				throw new FileUploadException(Dict::Format('UI:Error:UploadFailedUnknownCause_Code', $sError));
 				break;
@@ -615,17 +607,17 @@ class utils
 
 		return $aSelectedObj;
 	}
-	
+
 	public static function GetNewTransactionId()
 	{
 		return privUITransaction::GetNewTransactionId();
 	}
-	
+
 	public static function IsTransactionValid($sId, $bRemoveTransaction = true)
 	{
 		return privUITransaction::IsTransactionValid($sId, $bRemoveTransaction);
 	}
-	
+
 	public static function RemoveTransaction($sId)
 	{
 		return privUITransaction::RemoveTransaction($sId);
@@ -810,9 +802,9 @@ class utils
 			$aDateTokens = array_keys($aSpec);
 			$aDateRegexps = array_values($aSpec);
 		}
-	   
+
 	   $sDateRegexp = str_replace($aDateTokens, $aDateRegexps, $sFormat);
-	   
+
 	   if (preg_match('!^(?<head>)'.$sDateRegexp.'(?<tail>)$!', $sDate, $aMatches))
 	   {
 			$sYear = isset($aMatches['year']) ? $aMatches['year'] : 0;
@@ -829,7 +821,7 @@ class utils
 	   }
 	   // http://www.spaweditor.com/scripts/regex/index.php
 	}
-	
+
 	/**
 	 * Convert an old date/time format specification (using % placeholders)
 	 * to a format compatible with DateTime::createFromFormat
@@ -1248,7 +1240,7 @@ class utils
 		{
 			$aArguments['param_file'] = $sParamFile;
 		}
-		
+
 		$aArgs = array();
 		foreach($aArguments as $sName => $value)
 		{
@@ -1257,7 +1249,7 @@ class utils
 			$aArgs[] = "--$sName=".escapeshellarg($value);
 		}
 		$sArgs = implode(' ', $aArgs);
-		
+
 		$sScript = realpath(APPROOT.$sScriptName);
 		if (!file_exists($sScript))
 		{
@@ -1348,7 +1340,7 @@ class utils
 	public static function GetPopupMenuItems($oPage, $iMenuId, $param, &$aActions, $sTableId = null, $sDataTableId = null)
 	{
 		// 1st - add standard built-in menu items
-		// 
+		//
 		switch($iMenuId)
 		{
 			case iPopupMenuExtension::MENU_OBJLIST_TOOLKIT:
@@ -1373,7 +1365,7 @@ class utils
 						"mailto:?body=".urlencode($sUrl).' ' // Add an extra space to make it work in Outlook
 				);
 			}
-			
+
 			if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) != UR_ALLOWED_NO)
 			{
 				// Bulk export actions
@@ -1387,7 +1379,7 @@ class utils
 			}
 			$aResult[] = new JSPopupMenuItem('UI:Menu:AddToDashboard', Dict::S('UI:Menu:AddToDashboard'), "DashletCreationDlg('$sOQL', '$sContext')");
 			$aResult[] = new JSPopupMenuItem('UI:Menu:ShortcutList', Dict::S('UI:Menu:ShortcutList'), "ShortcutListDlg('$sOQL', '$sDataTableId', '$sContext')");
-				
+
 			break;
 
 			case iPopupMenuExtension::MENU_OBJDETAILS_ACTIONS:
@@ -1401,7 +1393,7 @@ class utils
 			$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/tabularfieldsselector.js');
 			$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/jquery.dragtable.js');
 			$oPage->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/dragtable.css');
-			
+
 			$aResult = array(
 				new SeparatorPopupMenuItem(),
 				// Static menus: Email this page & CSV Export
@@ -1465,7 +1457,7 @@ class utils
 				if (is_object($oMenuItem))
 				{
 					$aActions[$oMenuItem->GetUID()] = $oMenuItem->GetMenuItem();
-					
+
 					foreach($oMenuItem->GetLinkedScripts() as $sLinkedScript)
 					{
 						$oPage->add_linked_script($sLinkedScript);
@@ -1602,7 +1594,7 @@ class utils
 			return $sProposed;
 		}
 	}
-	
+
 	/**
 	 * Some characters cause troubles with jQuery when used inside DOM IDs, so let's replace them by the safe _ (underscore)
 	 * @param string $sId The ID to sanitize
@@ -1612,13 +1604,13 @@ class utils
 	{
 		return str_replace(array(':', '[', ']', '+', '-'), '_', $sId);
 	}
-	
+
 	/**
 	 * Helper to execute an HTTP POST request
 	 * Source: http://netevil.org/blog/2006/nov/http-post-from-php-without-curl
 	 *         originaly named after do_post_request
 	 * Does not require cUrl but requires openssl for performing https POSTs.
-	 * 
+	 *
 	 * @param string $sUrl The URL to POST the data to
 	 * @param array $aData The data to POST as an array('param_name' => value)
 	 * @param string $sOptionnalHeaders Additional HTTP headers as a string with newlines between headers
@@ -1629,11 +1621,11 @@ class utils
 	 *
 	 * @return string The result of the POST request
 	 * @throws Exception with a specific error message depending on the cause
-	 */ 
+	 */
 	public static function DoPostRequest($sUrl, $aData, $sOptionnalHeaders = null, &$aResponseHeaders = null, $aCurlOptions = array())
 	{
 		// $sOptionnalHeaders is a string containing additional HTTP headers that you would like to send in your request.
-	
+
 		if (function_exists('curl_init'))
 		{
 			// If cURL is available, let's use it, since it provides a greater control over the various HTTP/SSL options
@@ -1667,7 +1659,7 @@ class utils
 				CURLOPT_POSTFIELDS		=> http_build_query($aData),
 				CURLOPT_HTTPHEADER		=> $aHTTPHeaders,
 			);
-			
+
 			$aAllOptions = $aCurlOptions + $aOptions;
 			$ch = curl_init($sUrl);
 			curl_setopt_array($ch, $aAllOptions);
@@ -1693,7 +1685,7 @@ class utils
 		else
 		{
 			// cURL is not available let's try with streams and fopen...
-			
+
 			$sData = http_build_query($aData);
 			$aParams = array('http' => array(
 									'method' => 'POST',
@@ -1705,7 +1697,7 @@ class utils
 				$aParams['http']['header'] .= $sOptionnalHeaders;
 			}
 			$ctx = stream_context_create($aParams);
-		
+
 			$fp = @fopen($sUrl, 'rb', false, $ctx);
 			if (!$fp)
 			{
@@ -1746,7 +1738,7 @@ class utils
 
 	/**
 	 * Get a standard list of character sets
-	 *	 
+	 *
  	 * @param array $aAdditionalEncodings Additional values
 	 * @return array of iconv code => english label, sorted by label
 	 */
@@ -1776,8 +1768,8 @@ class utils
 	public static function HtmlEntities($sValue)
 	{
 		return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
-	}	
-	
+	}
+
 	/**
 	 * Helper to encapsulation iTop's html_entity_decode
 	 * @param string $sValue
@@ -1806,7 +1798,7 @@ class utils
 			return $e->getMessage();
 		}
 	}
-	
+
 	/**
 	 * Convert (?) plain text to some HTML markup by replacing newlines by <br/> tags
 	 * and escaping HTML entities
@@ -1819,7 +1811,7 @@ class utils
 		$sText = str_replace("\r", "\n", $sText);
 		return str_replace("\n", '<br/>', htmlentities($sText, ENT_QUOTES, 'UTF-8'));
 	}
-	
+
 	/**
 	 * Eventually compiles the SASS (.scss) file into the CSS (.css) file
 	 *
@@ -1882,7 +1874,7 @@ class utils
 
 		return $sCss;
 	}
-	
+
 	public static function GetImageSize($sImageData)
 	{
 		if (function_exists('getimagesizefromstring')) // PHP 5.4.0 or higher
@@ -1939,7 +1931,7 @@ class utils
 			case 'image/png':
 			$img = @imagecreatefromstring($oImage->GetData());
 			break;
-			
+
 			default:
 			// Unsupported image type, return the image as-is
 			//throw new Exception("Unsupported image type: '".$oImage->GetMimeType()."'. Cannot resize the image, original image will be used.");
@@ -1953,14 +1945,14 @@ class utils
 		else
 		{
 			// Let's scale the image, preserving the transparency for GIFs and PNGs
-			
+
 			$fScale = min($iMaxImageWidth / $iWidth, $iMaxImageHeight / $iHeight);
 
 			$iNewWidth = $iWidth * $fScale;
 			$iNewHeight = $iHeight * $fScale;
-			
+
 			$new = imagecreatetruecolor($iNewWidth, $iNewHeight);
-			
+
 			// Preserve transparency
 			if(($oImage->GetMimeType() == "image/gif") || ($oImage->GetMimeType() == "image/png"))
 			{
@@ -1968,38 +1960,38 @@ class utils
 				imagealphablending($new, false);
 				imagesavealpha($new, true);
 			}
-			
+
 			imagecopyresampled($new, $img, 0, 0, 0, 0, $iNewWidth, $iNewHeight, $iWidth, $iHeight);
-			
+
 			ob_start();
 			switch ($oImage->GetMimeType())
 			{
 				case 'image/gif':
 				imagegif($new); // send image to output buffer
 				break;
-				
+
 				case 'image/jpeg':
 				imagejpeg($new, null, 80); // null = send image to output buffer, 80 = good quality
 				break;
-				 
+
 				case 'image/png':
 				imagepng($new, null, 5); // null = send image to output buffer, 5 = medium compression
 				break;
 			}
 			$oResampledImage = new ormDocument(ob_get_contents(), $oImage->GetMimeType(), $oImage->GetFileName());
 			@ob_end_clean();
-			
+
 			imagedestroy($img);
 			imagedestroy($new);
-							
+
 			return $oResampledImage;
 		}
-				
+
 	}
-	
+
 	/**
 	 * Create a 128 bit UUID in the format: {########-####-####-####-############}
-	 * 
+	 *
 	 * Note: this method can be run from the command line as well as from the web server.
 	 * Note2: this method is not cryptographically secure! If you need a cryptographically secure value
 	 * consider using open_ssl or PHP 7 methods.
@@ -2037,7 +2029,7 @@ class utils
 	{
         return ModuleService::GetInstance()->GetCurrentModuleName($iCallDepth + 1);
 	}
-	
+
 	/**
 	 * **Warning** : returned result can be invalid as we're using backtrace to find the module dir name
 	 *
@@ -2068,7 +2060,7 @@ class utils
 	{
 		return ModuleService::GetInstance()->GetCurrentModuleUrl(1);
 	}
-	
+
 	/**
 	 * @param string $sProperty The name of the property to retrieve
 	 * @param mixed $defaultvalue
@@ -2078,7 +2070,7 @@ class utils
 	{
         return ModuleService::GetInstance()->GetCurrentModuleSetting($sProperty, $defaultvalue);
 	}
-	
+
 	/**
 	 * @param string $sModuleName
 	 * @return string|NULL compiled version of a given module, as it was seen by the compiler
@@ -2087,7 +2079,7 @@ class utils
 	{
         return ModuleService::GetInstance()->GetCompiledModuleVersion($sModuleName);
 	}
-	
+
 	/**
 	 * Check if the given path/url is an http(s) URL
 	 * @param string $sPath
@@ -2102,7 +2094,7 @@ class utils
 		}
 		return $bRet;
 	}
-	
+
 	/**
 	 * Check if the given URL is a link to download a document/image on the CURRENT iTop
 	 * In such a case we can read the content of the file directly in the database (if the users rights allow) and return the ormDocument
@@ -2151,7 +2143,7 @@ class utils
 		}
 		return $result;
 	}
-	
+
 	/**
 	 * Read the content of a file (and retrieve its MIME type) from either:
 	 * - an URL pointing to a blob (image/document) on the current iTop server
@@ -2195,7 +2187,7 @@ class utils
 			'html' => 'text/html',
 			'exe' => 'application/octet-stream',
 		);
-	
+
 		$sData = null;
 		$sMimeType = 'text/plain'; // Default MIME Type: treat the file as a bunch a characters...
 		$sFileName = 'uploaded-file'; // Default name for downloaded-files
@@ -2251,7 +2243,7 @@ class utils
 			}
 			$sExtension = strtolower(pathinfo($sPath, PATHINFO_EXTENSION));
 			$sFileName = basename($sPath);
-				
+
 			if (array_key_exists($sExtension, $aKnownExtensions))
 			{
 				$sMimeType = $aKnownExtensions[$sExtension];
@@ -2265,7 +2257,7 @@ class utils
 		}
 		return $oUploadedDoc;
 	}
-	
+
 	protected static function ParseHeaders($aHeaders)
 	{
 		$aCleanHeaders = array();
@@ -2290,7 +2282,7 @@ class utils
 		}
 		return $aCleanHeaders;
 	}
-	
+
 	/**
 	 * @return string a string based on compilation time or (if not available because the datamodel has not been loaded)
 	 * the version of iTop. This string is useful to prevent browser side caching of content that may vary at each
@@ -2445,7 +2437,7 @@ class utils
 		{
 			return false;
 		}
-		
+
 		return substr_compare($haystack, $needle, -strlen($needle)) === 0;
 	}
 

approot.inc.php

@@ -14,7 +14,7 @@ define('APPCONF', APPROOT.'conf/');
  * @used-by utils::GetItopVersionWikiSyntax()
  * @used-by iTopModulesPhpVersionIntegrationTest
  */
-define('ITOP_CORE_VERSION', '2.7.10');
+define('ITOP_CORE_VERSION', '2.7.12');
 
 
 require_once APPROOT.'bootstrap.inc.php';

bootstrap.inc.php

@@ -48,7 +48,7 @@ if (file_exists(MAINTENANCE_MODE_FILE) && !$bBypassMaintenance)
 	http_response_code(503);
 	// Display message depending on the request
 	include(APPROOT.'application/maintenancemsg.php');
-	$sSAPIName = strtoupper(trim(php_sapi_name()));
+	$sSAPIName = strtoupper(trim(PHP_SAPI));
 
 	switch (true)
 	{

core/attributedef.class.inc.php

@@ -138,7 +138,7 @@ abstract class AttributeDefinition
 
 	protected $aCSSClasses;
 
-	public function GetType()
+    public function GetType()
 	{
 		return Dict::S('Core:'.get_class($this));
 	}
@@ -3775,7 +3775,7 @@ class AttributeFinalClass extends AttributeString
  */
 class AttributePassword extends AttributeString implements iAttributeNoGroupBy
 {
-	const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
+    const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
 
 	/**
 	 * Useless constructor, but if not present PHP 7.4.0/7.4.1 is crashing :( (N°2329)
@@ -3851,7 +3851,7 @@ class AttributePassword extends AttributeString implements iAttributeNoGroupBy
  */
 class AttributeEncryptedString extends AttributeString implements iAttributeNoGroupBy
 {
-	const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
+    const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
 
 	static $sKey = null; // Encryption key used for all encrypted fields
 	static $sLibrary = null; // Encryption library used for all encrypted fields
@@ -9243,7 +9243,7 @@ class AttributeSubItem extends AttributeDefinition
  */
 class AttributeOneWayPassword extends AttributeDefinition implements iAttributeNoGroupBy
 {
-	const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
+    const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
 
 	/**
 	 * Useless constructor, but if not present PHP 7.4.0/7.4.1 is crashing :( (N°2329)

core/cmdbsource.class.inc.php

@@ -95,7 +95,7 @@ class MySQLHasGoneAwayException extends MySQLException
 	{
 		return array(
 			2006,
-			2013
+			2013,
 		);
 	}
 
@@ -1296,8 +1296,8 @@ class CMDBSource
 	 */
 	public static function IsSameFieldTypes($sItopGeneratedFieldType, $sDbFieldType)
 	{
-		list($sItopFieldDataType, $sItopFieldTypeOptions, $sItopFieldOtherOptions) = static::GetFieldDataTypeAndOptions($sItopGeneratedFieldType);
-		list($sDbFieldDataType, $sDbFieldTypeOptions, $sDbFieldOtherOptions) = static::GetFieldDataTypeAndOptions($sDbFieldType);
+		[$sItopFieldDataType, $sItopFieldTypeOptions, $sItopFieldOtherOptions] = static::GetFieldDataTypeAndOptions($sItopGeneratedFieldType);
+		[$sDbFieldDataType, $sDbFieldTypeOptions, $sDbFieldOtherOptions] = static::GetFieldDataTypeAndOptions($sDbFieldType);
 
 		if (strcasecmp($sItopFieldDataType, $sDbFieldDataType) !== 0)
 		{
@@ -1734,8 +1734,20 @@ class CMDBSource
 		return false;
 	}
 
-	/**
-	 * @return string query to upgrade database charset and collation if needed, null if not
+    public static function GetClusterNb()
+    {
+        $result = 0;
+        $sSql = "SHOW STATUS LIKE 'wsrep_cluster_size';";
+        $aRows = self::QueryToArray($sSql);
+        if (count($aRows) > 0)
+        {
+            $result = $aRows[0]['Value'];
+        }
+        return intval($result);
+    }
+
+    /**
+     * @return string query to upgrade database charset and collation if needed, null if not
 	 * @throws \MySQLException
 	 *
 	 * @since 2.5.0 N°1001 switch to utf8mb4

core/restservices.class.inc.php

@@ -34,7 +34,9 @@
  */
 class ObjectResult
 {
-	public $code;
+    use SanitizeTrait;
+
+    public $code;
 	public $message;
 	public $class;
 	public $key;
@@ -122,6 +124,19 @@ class ObjectResult
 	{
 		$this->fields[$sAttCode] = $this->MakeResultValue($oObject, $sAttCode, $bExtendedOutput);
 	}
+	
+public function SanitizeContent()
+	{
+		foreach($this->fields as $sFieldAttCode => $fieldValue)
+		{
+            try {
+			$oAttDef = MetaModel::GetAttributeDef($this->class, $sFieldAttCode);
+            } catch (Exception $e) { // for special cases like ID
+                continue;
+            }
+                $this->SanitizeFieldIfSensitive($this->fields, $sFieldAttCode, $fieldValue, $oAttDef);
+		}
+	}
 }
 
 
@@ -181,6 +196,16 @@ class RestResultWithObjects extends RestResult
 		$sObjKey = get_class($oObject).'::'.$oObject->GetKey();
 		$this->objects[$sObjKey] = $oObjRes;
 	}
+	
+public function SanitizeContent()
+	{
+		parent::SanitizeContent();
+		
+		foreach($this->objects as $sObjKey => $oObjRes)
+		{
+			$oObjRes->SanitizeContent();
+		}
+	}
 }
 
 class RestResultWithRelations extends RestResultWithObjects
@@ -247,9 +272,10 @@ class RestDelete
  *
  * @package     Core
  */
-class CoreServices implements iRestServiceProvider
+class CoreServices implements iRestServiceProvider, iRestInputSanitizer
 {
-	/**
+    use SanitizeTrait;
+    /**
 	 * Enumerate services delivered by this class
 	 * 	 
 	 * @param string $sVersion The version (e.g. 1.0) supported by the services
@@ -663,6 +689,33 @@ class CoreServices implements iRestServiceProvider
 		}
 		return $oResult;
 	}
+	
+	public function SanitizeJsonInput(string $sJsonInput): string
+	{
+        $sSanitizedJsonInput = $sJsonInput;
+        $aJsonData = json_decode($sSanitizedJsonInput, true);
+        $sOperation = $aJsonData['operation'];
+
+        switch ($sOperation) {
+            case 'core/check_credentials':
+                if (isset($aJsonData['password'])) {
+                    $aJsonData['password'] = '*****';
+                }
+                break;
+            case 'core/update':
+            case 'core/create':
+            default :
+            $sClass = $aJsonData['class'];
+            if (isset($aJsonData['fields'])) {
+                foreach ($aJsonData['fields'] as $sFieldAttCode => $fieldValue) {
+                    $oAttDef = MetaModel::GetAttributeDef($sClass, $sFieldAttCode);
+                    $this->SanitizeFieldIfSensitive($aJsonData['fields'], $sFieldAttCode, $fieldValue, $oAttDef);
+                }
+            }
+            break;
+        }
+		return json_encode($aJsonData, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE);
+	}
 
 	/**
 	 * Helper for object deletion	
@@ -802,3 +855,50 @@ class CoreServices implements iRestServiceProvider
 		return $iLimit * max(0, $iPage - 1);
 	}
 }
+
+trait SanitizeTrait
+{
+    /**
+     * Sanitize a field if it is sensitive.
+     *
+     * @param array $fields The fields array
+     * @param string $sFieldAttCode The attribute code
+     * @param mixed $oAttDef The attribute definition
+     * @throws Exception
+     */
+    private function SanitizeFieldIfSensitive(array &$fields, string $sFieldAttCode, $fieldValue, $oAttDef): void
+    {
+        // for simple attribute
+        if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
+        {
+            $fields[$sFieldAttCode] = '*****';
+            return;
+        }
+        // for 1-n / n-n relation
+        if ($oAttDef instanceof AttributeLinkedSet) {
+            foreach ($fieldValue as $i => $aLnkValues) {
+                foreach ($aLnkValues as $sLnkAttCode => $sLnkValue) {
+                    $oLnkAttDef = MetaModel::GetAttributeDef($oAttDef->GetLinkedClass(), $sLnkAttCode);
+                    if ($oLnkAttDef instanceof iAttributeNoGroupBy) { // 1-n relation
+                        $fields[$sFieldAttCode][$i][$sLnkAttCode] = '*****';
+                    }
+                    elseif ($oAttDef instanceof AttributeLinkedSetIndirect && $oLnkAttDef instanceof AttributeExternalField) { // for n-n relation
+                        $oExtKeyAttDef = MetaModel::GetAttributeDef($oLnkAttDef->GetTargetClass(), $oLnkAttDef->GetExtAttCode());
+                        if ($oExtKeyAttDef instanceof iAttributeNoGroupBy) {
+                            $fields[$sFieldAttCode][$i][$sLnkAttCode] = '*****';
+                        }
+                    }
+                }
+            }
+            return;
+        }
+
+        // for external attribute
+        if ($oAttDef instanceof AttributeExternalField) {
+            $oExtKeyAttDef = MetaModel::GetAttributeDef($oAttDef->GetTargetClass(), $oAttDef->GetExtAttCode());
+            if ($oExtKeyAttDef instanceof iAttributeNoGroupBy) {
+                $fields[$sFieldAttCode] = '*****';
+            }
+        }
+    }
+}

core/simplegraph.class.inc.php

@@ -537,7 +537,7 @@ EOF
 		}
 		else
 		{
-			throw new Exception('graphviz not found (executable path: '.$sDotExecutable.')');
+            throw new Exception('graphviz not found');
 		}
 		return $sHtml;
 	}
@@ -592,7 +592,7 @@ EOF
 		}
 		else
 		{
-			throw new Exception('graphviz not found (executable path: '.$sDotExecutable.')');
+            throw new Exception('graphviz not found');
 		}
 		return $sHtml;
 	}

css/css-variables.scss

@@ -17,7 +17,7 @@
  */
 
 // Beware the version number MUST be enclosed with quotes otherwise v2.3.0 becomes v2 0.3 .0
-$version: "v2.7.10";
+$version: "v2.7.12";
 $approot-relative: "../../../../../" !default; // relative to env-***/branding/themes/***/main.css
 
 // Base colors

datamodels/2.x/authent-cas/module.authent-cas.php

@@ -5,7 +5,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-cas/2.7.10',
+	'authent-cas/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/authent-external/module.authent-external.php

@@ -27,7 +27,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-external/2.7.10',
+	'authent-external/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/authent-ldap/module.authent-ldap.php

@@ -9,7 +9,7 @@ if (function_exists('ldap_connect'))
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-ldap/2.7.10',
+	'authent-ldap/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/authent-local/module.authent-local.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-local/2.7.10',
+	'authent-local/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/combodo-db-tools/module.combodo-db-tools.php

@@ -24,7 +24,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-db-tools/2.7.10',
+	'combodo-db-tools/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-attachments/module.itop-attachments.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-attachments/2.7.10',
+	'itop-attachments/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-backup/dbrestore.class.inc.php

@@ -53,14 +53,7 @@ class DBRestore extends DBBackup
 		$sUser = self::EscapeShellArg($this->sDBUser);
 		$sPwd = self::EscapeShellArg($this->sDBPwd);
 		$sDBName = self::EscapeShellArg($this->sDBName);
-		if (empty($this->sMySQLBinDir))
-		{
-			$sMySQLExe = 'mysql';
-		}
-		else
-		{
-			$sMySQLExe = '"'.$this->sMySQLBinDir.'/mysql"';
-		}
+		$sMySQLExe = DBBackup::MakeSafeMySQLCommand($this->sMySQLBinDir, 'mysql');
 		if (is_null($this->iDBPort))
 		{
 			$sPortOption = '';

datamodels/2.x/itop-backup/module.itop-backup.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-backup/2.7.10',
+	'itop-backup/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-backup/status.php

@@ -56,15 +56,7 @@ try
 	//
 	$sMySQLBinDir = MetaModel::GetConfig()->GetModuleSetting('itop-backup', 'mysql_bindir', '');
 	$sMySQLBinDir = utils::ReadParam('mysql_bindir', $sMySQLBinDir, true);
-	if (empty($sMySQLBinDir))
-	{
-		$sMySQLDump = 'mysqldump';
-	}
-	else
-	{
-		//echo 'Info - Found mysql_bindir: '.$sMySQLBinDir;
-		$sMySQLDump = '"'.$sMySQLBinDir.'/mysqldump"';
-	}
+	$sMySQLDump = DBBackup::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
 	$sCommand = "$sMySQLDump -V 2>&1";
 
 	$aOutput = array();

datamodels/2.x/itop-bridge-virtualization-storage/module.itop-bridge-virtualization-storage.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-virtualization-storage/2.7.10',
+	'itop-bridge-virtualization-storage/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-change-mgmt-itil/module.itop-change-mgmt-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-change-mgmt-itil/2.7.10',
+	'itop-change-mgmt-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-change-mgmt/module.itop-change-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-change-mgmt/2.7.10',
+	'itop-change-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-config-mgmt/module.itop-config-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-config-mgmt/2.7.10',
+	'itop-config-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-config/module.itop-config.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-config/2.7.10',
+	'itop-config/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-core-update/module.itop-core-update.php

@@ -24,7 +24,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-core-update/2.7.10',
+	'itop-core-update/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-datacenter-mgmt/module.itop-datacenter-mgmt.php

@@ -18,7 +18,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-datacenter-mgmt/2.7.10',
+	'itop-datacenter-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-endusers-devices/module.itop-endusers-devices.php

@@ -25,7 +25,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-endusers-devices/2.7.10',
+	'itop-endusers-devices/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-files-information/module.itop-files-information.php

@@ -24,7 +24,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-files-information/2.7.10',
+	'itop-files-information/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-full-itil/module.itop-full-itil.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-full-itil/2.7.10',
+	'itop-full-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-hub-connector/TokenValidation.php

@@ -0,0 +1,19 @@
+<?php
+
+class TokenValidation
+{
+	// construct function
+	public function __construct()
+	{
+	}
+	public function isSetupTokenValid($sParamToken) : bool
+	{
+		if (!file_exists(APPROOT.'data/.setup')) {
+			return false;
+		}
+		$sSetupToken = trim(file_get_contents(APPROOT.'data/.setup'));
+		unlink(APPROOT.'data/.setup');
+		return $sParamToken === $sSetupToken;
+	}
+
+}

datamodels/2.x/itop-hub-connector/launch.php

@@ -280,6 +280,7 @@ try
 	require_once ('hubconnectorpage.class.inc.php');
 	
 	require_once (APPROOT.'/application/startup.inc.php');
+    require_once('TokenValidation.php');
 	
 	$sTargetRoute = utils::ReadParam('target', ''); // ||browse_extensions|deploy_extensions|
 	
@@ -299,11 +300,20 @@ try
 		case 'inform_after_setup':
 		// Hidden IFRAME at the end of the setup
 		require_once (APPROOT.'/application/ajaxwebpage.class.inc.php');
-		$oPage = new NiceWebPage('');
-		$aDataToPost = MakeDataToPost($sTargetRoute);
-		$oPage->add('<form id="hub_launch_form" action="'.$sHubUrlStateless.'" method="post">');
-		$oPage->add('<input type="hidden" name="json" value="'.htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8').'">');
-		$oPage->add_ready_script('$("#hub_launch_form").submit();');
+
+            $sParamToken = utils::ReadParam('setup_token');
+            $oTokenValidation = new TokenValidation();
+            $bIsTokenValid = $oTokenValidation->isSetupTokenValid($sParamToken);
+            if (UserRights::IsAdministrator() || $bIsTokenValid) {
+                $oPage = new NiceWebPage('');
+                $aDataToPost = MakeDataToPost($sTargetRoute);
+                $oPage->add('<form id="hub_launch_form" action="' . $sHubUrlStateless . '" method="post">');
+                $oPage->add('<input type="hidden" name="json" value="' . htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8') . '">');
+                $oPage->add_ready_script('$("#hub_launch_form").submit();');
+            } else {
+                IssueLog::Error('TokenValidation failed on inform_after_setup page');
+                throw new Exception("Not allowed");
+            }
 		break;
 		
 		default:

datamodels/2.x/itop-hub-connector/module.itop-hub-connector.php

@@ -5,7 +5,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-hub-connector/2.7.10',
+	'itop-hub-connector/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-incident-mgmt-itil/module.itop-incident-mgmt-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-incident-mgmt-itil/2.7.10',
+	'itop-incident-mgmt-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-knownerror-mgmt/module.itop-knownerror-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-knownerror-mgmt/2.7.10',
+	'itop-knownerror-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-oauth-client/module.itop-oauth-client.php

@@ -5,7 +5,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-oauth-client/2.7.10',
+	'itop-oauth-client/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-portal-base/module.itop-portal-base.php

@@ -20,7 +20,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-portal-base/2.7.10', array(
+	'itop-portal-base/2.7.12', array(
 	// Identification
 	'label' => 'Portal Development Library',
 		'category' => 'Portal',

datamodels/2.x/itop-portal-base/portal/config/routes/user_profile_brick.yaml

@@ -15,6 +15,11 @@
 #  You should have received a copy of the GNU Affero General Public License
 #  along with iTop. If not, see <http://www.gnu.org/licenses/>
 
+p_user_profile_brick_edit_person:
+  path: '/user/edit_person'
+  defaults:
+    _controller: 'Combodo\iTop\Portal\Controller\UserProfileBrickController::EditPerson'
+
 p_user_profile_brick:
   path: '/user/{sBrickId}'
   defaults:

datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php

@@ -1246,7 +1246,12 @@ class ObjectController extends BrickController
 		$bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 		$aParams = array('objects_id' => $aObjectIds);
 		$oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
-		if ($bIgnoreSilos === true)
+        if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)
+        ) {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to read ' . $sObjectClass . ' object.');
+            throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+        }
+        if ($bIgnoreSilos === true)
 		{
 			$oSearch->AllowAllData();
 		}

datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php

@@ -35,7 +35,7 @@ use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use UserRights;
 use utils;
-
+use Dict;
 /**
  * Class UserProfileBrickController
  *
@@ -66,34 +66,9 @@ class UserProfileBrickController extends BrickController
 		$oRequestManipulator = $this->get('request_manipulator');
 		/** @var \Combodo\iTop\Portal\Helper\ObjectFormHandlerHelper $ObjectFormHandler */
 		$ObjectFormHandler = $this->get('object_form_handler');
-		/** @var \Combodo\iTop\Portal\Brick\BrickCollection $oBrickCollection */
-		$oBrickCollection = $this->get('brick_collection');
+        $oBrick = $this->GetBrick($sBrickId);
 
-		// If the brick id was not specified, we get the first one registered that is an instance of UserProfileBrick as default
-		if ($sBrickId === null)
-		{
-			/** @var \Combodo\iTop\Portal\Brick\PortalBrick $oTmpBrick */
-			foreach ($oBrickCollection->GetBricks() as $oTmpBrick)
-			{
-				if ($oTmpBrick instanceof UserProfileBrick)
-				{
-					$oBrick = $oTmpBrick;
-				}
-			}
-
-			// We make sure a UserProfileBrick was found
-			if (!isset($oBrick) || $oBrick === null)
-			{
-				$oBrick = new UserProfileBrick();
-				//throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, 'UserProfileBrick : Brick could not be loaded as there was no UserProfileBrick loaded in the application.');
-			}
-		}
-		else
-		{
-			$oBrick = $oBrickCollection->GetBrickById($sBrickId);
-		}
-
-		$aData = array();
+        $aData = array();
 
 		// Setting form mode regarding the demo mode parameter
 		$bDemoMode = MetaModel::GetConfig()->Get('demo_mode');
@@ -130,11 +105,12 @@ class UserProfileBrickController extends BrickController
 			$oCurContact = UserRights::GetContactObject();
 			$sCurContactClass = get_class($oCurContact);
 			$sCurContactId = $oCurContact->GetKey();
-
+            $aForm = $oBrick->GetForm();
+            $aForm['submit_endpoint'] = $this->generateUrl('p_user_profile_brick_edit_person', ['sBrickId' => $sBrickId]);
 			// Preparing forms
-			$aData['forms']['contact'] = $ObjectFormHandler->HandleForm($oRequest, $sFormMode, $sCurContactClass, $sCurContactId,
-				$oBrick->GetForm());
-			$aData['forms']['preferences'] = $this->HandlePreferencesForm($oRequest, $sFormMode);
+            $aData['forms']['contact'] = $ObjectFormHandler->HandleForm($oRequest, $sFormMode, $sCurContactClass, $sCurContactId,
+                    $aForm);
+            $aData['forms']['preferences'] = $this->HandlePreferencesForm($oRequest, $sFormMode);
 			// - If user can change password, we display the form
 			$aData['forms']['password'] = (UserRights::CanChangePassword()) ? $this->HandlePasswordForm($oRequest, $sFormMode) : null;
 
@@ -150,6 +126,35 @@ class UserProfileBrickController extends BrickController
 		return $oResponse;
 	}
 
+    public function EditPerson(Request $oRequest)
+    {
+        /** @var \Combodo\iTop\Portal\Helper\ObjectFormHandlerHelper $oObjectFormHandler */
+        $oObjectFormHandler = $this->get('object_form_handler');
+        /** @var \Combodo\iTop\Portal\Helper\SecurityHelper $oSecurityHelper */
+        $oSecurityHelper = $this->get('security_helper');
+
+        $oCurContact = UserRights::GetContactObject();
+        $sObjectClass = get_class($oCurContact);
+        $sObjectId = $oCurContact->GetKey();
+
+        // Checking security layers
+        // Warning : This is a dirty quick fix to allow editing its own contact information
+        $bAllowWrite = ($sObjectClass === 'Person' && $sObjectId == UserRights::GetContactId());
+        if (!$oSecurityHelper->IsActionAllowed(UR_ACTION_MODIFY, $sObjectClass, $sObjectId) && !$bAllowWrite) {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to modify ' . $sObjectClass . '::' . $sObjectId . ' object.');
+            throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+        }
+
+        $aForm = $this->GetBrick()->GetForm();
+        $aForm['submit_endpoint'] = $this->generateUrl('p_user_profile_brick_edit_person');
+
+        $aData = ['sMode' => 'edit'];
+        $aData['form'] = $oObjectFormHandler->HandleForm($oRequest, $aData['sMode'], $sObjectClass, $sObjectId, $aForm);
+
+        return new JsonResponse($aData);
+    }
+
+
 	/**
 	 * @param \Symfony\Component\HttpFoundation\Request $oRequest
 	 * @param string                                    $sFormMode
@@ -388,4 +393,34 @@ class UserProfileBrickController extends BrickController
 		return $aFormData;
 	}
 
+    /**
+     * @param $sBrickId
+     * @return \Combodo\iTop\Portal\Brick\PortalBrick|UserProfileBrick
+     * @throws \Combodo\iTop\Portal\Brick\BrickNotFoundException
+     */
+    public function GetBrick($sBrickId = null)
+    {
+        /** @var \Combodo\iTop\Portal\Brick\BrickCollection $oBrickCollection */
+        $oBrickCollection = $this->get('brick_collection');
+
+        // If the brick id was not specified, we get the first one registered that is an instance of UserProfileBrick as default
+        if ($sBrickId === null) {
+            /** @var \Combodo\iTop\Portal\Brick\PortalBrick $oTmpBrick */
+            foreach ($oBrickCollection->GetBricks() as $oTmpBrick) {
+                if ($oTmpBrick instanceof UserProfileBrick) {
+                    $oBrick = $oTmpBrick;
+                }
+            }
+
+            // We make sure a UserProfileBrick was found
+            if (!isset($oBrick) || $oBrick === null) {
+                $oBrick = new UserProfileBrick();
+                //throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, 'UserProfileBrick : Brick could not be loaded as there was no UserProfileBrick loaded in the application.');
+            }
+        } else {
+            $oBrick = $oBrickCollection->GetBrickById($sBrickId);
+        }
+        return $oBrick;
+    }
+
 }

datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php

@@ -132,10 +132,8 @@ class ObjectFormHandlerHelper
 		$bModal = ($oRequest->isXmlHttpRequest() && empty($sOperation));
 
 		// - Retrieve form properties
-		if ($aFormProperties === null)
-		{
-			$aFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf['forms'], $sObjectClass, $sMode);
-		}
+		$aFormProperties = $aFormProperties ?? ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf['forms'], $sObjectClass, $sMode);
+
 		// - Create and
 		if (empty($sOperation))
 		{
@@ -243,13 +241,17 @@ class ObjectFormHandlerHelper
 				case static::ENUM_MODE_CREATE:
 				case static::ENUM_MODE_EDIT:
 				case static::ENUM_MODE_VIEW:
-					$sFormEndpoint = $this->oUrlGenerator->generate(
-						'p_object_'.$sMode,
-						array(
-							'sObjectClass' => $sObjectClass,
-							'sObjectId' => $sObjectId,
-						)
-					);
+                    if(array_key_exists('submit_endpoint', $aFormProperties)) {
+                        $sFormEndpoint = $aFormProperties['submit_endpoint'];
+                    } else {
+                        $sFormEndpoint = $this->oUrlGenerator->generate(
+                                'p_object_' . $sMode,
+                                array(
+                                        'sObjectClass' => $sObjectClass,
+                                        'sObjectId' => $sObjectId,
+                                )
+                        );
+                    }
 					break;
 
 				case static::ENUM_MODE_APPLY_STIMULUS:
@@ -282,7 +284,8 @@ class ObjectFormHandlerHelper
 				->SetActionRulesToken($sActionRulesToken)
 				->SetRenderer($oFormRenderer)
 				->SetFormProperties($aFormProperties);
-
+			$oFormManager->PrepareFormAndHTMLDocument();
+			$oFormManager->PrepareFields();
 			$oFormManager->Build();
 			$aFormData['hidden_fields'] = $oFormManager->GetHiddenFieldsId();
 			// Check the number of editable fields

datamodels/2.x/itop-portal-base/portal/templates/layout.html.twig

@@ -64,12 +64,12 @@
         {% endif %}
 		{# Custom CSS that is supposed to do adjustments to the portal #}
 		{% if app['combodo.portal.instance.conf'].properties.themes.custom is defined %}
-			<link href="{{ app['combodo.portal.instance.conf'].properties.themes.custom|add_itop_version }}" rel="stylesheet">
+			<link href="{{ app['combodo.absolute_url'] ~ app['combodo.portal.instance.conf'].properties.themes.custom|add_itop_version }}" rel="stylesheet">
 		{% endif %}
 		{# Others CSS that will come after the theme/portal/custom, in an undefined order #}
 		{% if app['combodo.portal.instance.conf'].properties.themes.others is defined %}
 			{% for theme in app['combodo.portal.instance.conf'].properties.themes.others %}
-				<link href="{{ theme|add_itop_version }}" rel="stylesheet">
+				<link href="{{ app['combodo.absolute_url'] ~ theme|add_itop_version }}" rel="stylesheet">
 			{% endfor %}
 		{% endif %}
 	{% endblock %}
@@ -464,8 +464,8 @@
                         sBody = '{{ 'Error:XHR:Fail'|dict_format(constant('ITOP_APPLICATION_SHORT'))|escape('js') }}';
 					}
 					var oModalElem = $('#modal-for-alert');
-                    oModalElem.find('.modal-content .modal-header .modal-title').html(sTitle);
-                    oModalElem.find('.modal-content .modal-body .alert').addClass('alert-danger').html(sBody);
+                    oModalElem.find('.modal-content .modal-header .modal-title').text(sTitle);
+                    oModalElem.find('.modal-content .modal-body .alert').addClass('alert-danger').text(sBody);
                     oModalElem.modal('show');
 				};
 			{% endblock %}

datamodels/2.x/itop-portal/module.itop-portal.php

@@ -20,7 +20,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-portal/2.7.10', array(
+	'itop-portal/2.7.12', array(
 	// Identification
 	'label' => 'Enhanced Customer Portal',
 	'category' => 'Portal',

datamodels/2.x/itop-problem-mgmt/module.itop-problem-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-problem-mgmt/2.7.10',
+	'itop-problem-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-profiles-itil/module.itop-profiles-itil.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-profiles-itil/2.7.10',
+	'itop-profiles-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-request-mgmt-itil/module.itop-request-mgmt-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-request-mgmt-itil/2.7.10',
+	'itop-request-mgmt-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-request-mgmt/module.itop-request-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-request-mgmt/2.7.10',
+	'itop-request-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-service-mgmt-provider/module.itop-service-mgmt-provider.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-service-mgmt-provider/2.7.10',
+	'itop-service-mgmt-provider/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-service-mgmt/module.itop-service-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-service-mgmt/2.7.10',
+	'itop-service-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-sla-computation/module.itop-sla-computation.php

@@ -18,7 +18,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-sla-computation/2.7.10',
+	'itop-sla-computation/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-storage-mgmt/module.itop-storage-mgmt.php

@@ -25,7 +25,7 @@
  
  SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	 'itop-storage-mgmt/2.7.10',
+	 'itop-storage-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-tickets/module.itop-tickets.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__,
-	'itop-tickets/2.7.10',
+	'itop-tickets/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-virtualization-mgmt/module.itop-virtualization-mgmt.php

@@ -16,7 +16,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-virtualization-mgmt/2.7.10',
+	'itop-virtualization-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-welcome-itil/module.itop-welcome-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-welcome-itil/2.7.10',
+	'itop-welcome-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/version.xml

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <information>
-  <version>2.7.10</version>
+  <version>2.7.12</version>
 </information>

lib/composer/autoload_classmap.php

@@ -1218,6 +1218,7 @@ return array(
     'SQLQuery' => $baseDir . '/core/sqlquery.class.inc.php',
     'SQLUnionQuery' => $baseDir . '/core/sqlunionquery.class.inc.php',
     'SVGDOMSanitizer' => $baseDir . '/core/htmlsanitizer.class.inc.php',
+    'SanitizeTrait' => $baseDir . '/core/restservices.class.inc.php',
     'ScalarExpression' => $baseDir . '/core/oql/expression.class.inc.php',
     'ScalarOqlExpression' => $baseDir . '/core/oql/oqlquery.class.inc.php',
     'ScssPhp\\ScssPhp\\Base\\Range' => $vendorDir . '/scssphp/scssphp/src/Base/Range.php',
@@ -2732,6 +2733,7 @@ return array(
     'iPreferencesExtension' => $baseDir . '/application/applicationextension.inc.php',
     'iProcess' => $baseDir . '/core/backgroundprocess.inc.php',
     'iQueryModifier' => $baseDir . '/core/querymodifier.class.inc.php',
+    'iRestInputSanitizer' => $baseDir . '/application/applicationextension.inc.php',
     'iRestServiceProvider' => $baseDir . '/application/applicationextension.inc.php',
     'iScheduledProcess' => $baseDir . '/core/backgroundprocess.inc.php',
     'iSelfRegister' => $baseDir . '/core/userrights.class.inc.php',

lib/composer/autoload_static.php

@@ -1586,6 +1586,7 @@ class ComposerStaticInit0018331147de7601e7552f7da8e3bb8b
         'SQLQuery' => __DIR__ . '/../..' . '/core/sqlquery.class.inc.php',
         'SQLUnionQuery' => __DIR__ . '/../..' . '/core/sqlunionquery.class.inc.php',
         'SVGDOMSanitizer' => __DIR__ . '/../..' . '/core/htmlsanitizer.class.inc.php',
+        'SanitizeTrait' => __DIR__ . '/../..' . '/core/restservices.class.inc.php',
         'ScalarExpression' => __DIR__ . '/../..' . '/core/oql/expression.class.inc.php',
         'ScalarOqlExpression' => __DIR__ . '/../..' . '/core/oql/oqlquery.class.inc.php',
         'ScssPhp\\ScssPhp\\Base\\Range' => __DIR__ . '/..' . '/scssphp/scssphp/src/Base/Range.php',
@@ -3100,6 +3101,7 @@ class ComposerStaticInit0018331147de7601e7552f7da8e3bb8b
         'iPreferencesExtension' => __DIR__ . '/../..' . '/application/applicationextension.inc.php',
         'iProcess' => __DIR__ . '/../..' . '/core/backgroundprocess.inc.php',
         'iQueryModifier' => __DIR__ . '/../..' . '/core/querymodifier.class.inc.php',
+        'iRestInputSanitizer' => __DIR__ . '/../..' . '/application/applicationextension.inc.php',
         'iRestServiceProvider' => __DIR__ . '/../..' . '/application/applicationextension.inc.php',
         'iScheduledProcess' => __DIR__ . '/../..' . '/core/backgroundprocess.inc.php',
         'iSelfRegister' => __DIR__ . '/../..' . '/core/userrights.class.inc.php',

pages/UI.php

@@ -1989,7 +1989,7 @@ catch(CoreException $e)
 	{
 		$oP->add("<h1>".Dict::S('UI:FatalErrorMessage')."</h1>\n");
 	}	
-	$oP->error(Dict::Format('UI:Error_Details', $e->getHtmlDesc()));	
+	$oP->error(Dict::Format('UI:Error_Details', Str::pure2html($e->getHtmlDesc())));
 	$oP->output();
 
 	if (MetaModel::IsLogEnabledIssue())
@@ -2025,7 +2025,7 @@ catch(Exception $e)
 	require_once(APPROOT.'/setup/setuppage.class.inc.php');
 	$oP = new ErrorPage(Dict::S('UI:PageTitle:FatalError'));
 	$oP->add("<h1>".Dict::S('UI:FatalErrorMessage')."</h1>\n");	
-	$oP->error(Dict::Format('UI:Error_Details', $e->getMessage()));
+	$oP->error(Dict::Format('UI:Error_Details', Str::pure2html($e->getMessage())));
 	$oP->output();
 
 	if (MetaModel::IsLogEnabledIssue())

pages/preferences.php

@@ -81,7 +81,7 @@ function DisplayPreferences($oP)
 	$oP->add('<fieldset><legend>'.Dict::S('UI:FavoriteOtherSettings').'</legend>');
 	$oP->add('<form method="post" onsubmit="return ValidateOtherSettings()">');
 
-	$iDefaultPageSize = appUserPreferences::GetPref('default_page_size', MetaModel::GetConfig()->GetMinDisplayLimit());
+	$iDefaultPageSize = (int)appUserPreferences::GetPref('default_page_size', MetaModel::GetConfig()->GetMinDisplayLimit());
 	$oP->add('<p>'.Dict::Format('UI:Favorites:Default_X_ItemsPerPage', '<input id="default_page_size" name="default_page_size" type="text" size="3" value="'.$iDefaultPageSize.'"/><span id="v_default_page_size"></span>').'</p>');
 
 	$bShow = utils::IsArchiveMode() || appUserPreferences::GetPref('show_obsolete_data', MetaModel::GetConfig()->Get('obsolescence.show_obsolete_data'));

setup/backup.class.inc.php

@@ -104,6 +104,8 @@ class DBBackup
 	/** @var string */
 	protected $sDBName;
 	/** @var string */
+	protected $sMySQLBinDir = '';
+	/** @var string */
 	protected $sDBSubName;
 
 	/**
@@ -131,7 +133,6 @@ class DBBackup
 		$this->sDBSubName = $oConfig->get('db_subname');
 	}
 
-	protected $sMySQLBinDir = '';
 
 	/**
 	 * Create a normalized backup name, depending on the current date/time and Database
@@ -299,8 +300,9 @@ class DBBackup
 		}
 
 		$this->LogInfo("Starting backup of $this->sDBHost/$this->sDBName(suffix:'$this->sDBSubName')");
+		$sMySQLBinDir = utils::ReadParam('mysql_bindir', $this->sMySQLBinDir, true);
 
-		$sMySQLDump = $this->GetMysqldumpCommand();
+		$sMySQLDump = $this->MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
 
 		// Store the results in a temporary file
 		$sTmpFileName = self::EscapeShellArg($sBackupFileName);
@@ -557,20 +559,22 @@ EOF;
 
 	/**
 	 * @return string the command to launch mysqldump (without its params)
+	 * @throws \BackupException
 	 */
-	private function GetMysqldumpCommand()
+	public static function MakeSafeMySQLCommand($sMySQLBinDir, string $sCmd)
 	{
-		$sMySQLBinDir = utils::ReadParam('mysql_bindir', $this->sMySQLBinDir, true);
-		if (empty($sMySQLBinDir))
-		{
-			$sMysqldumpCommand = 'mysqldump';
+		if (empty($sMySQLBinDir)) {
+			$sMySQLCommand = $sCmd;
 		}
-		else
-		{
-			$sMysqldumpCommand = '"'.$sMySQLBinDir.'/mysqldump"';
+		else {
+			$sMySQLBinDir = escapeshellcmd($sMySQLBinDir);
+			$sMySQLCommand = '"'.$sMySQLBinDir.'/$sCmd"';
+			if (!file_exists($sMySQLCommand)) {
+				throw new BackupException("$sCmd not found in $sMySQLBinDir");
+			}
 		}
 
-		return $sMysqldumpCommand;
+		return $sMySQLCommand;
 	}
 }
 

setup/setuputils.class.inc.php

@@ -484,16 +484,15 @@ class SetupUtils
 		{
 			$sMySQLBinDir = MetaModel::GetConfig()->GetModuleSetting('itop-backup', 'mysql_bindir', '');
 		}
-
-		if (empty($sMySQLBinDir))
-		{
-			$sMySQLDump = 'mysqldump';
-		}
-		else
-		{
-			SetupPage::log('Info - Found mysql_bindir: '.$sMySQLBinDir);
-			$sMySQLDump = '"'.$sMySQLBinDir.'/mysqldump"';
+		try {
+			$sMySQLDump = DBBackup::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
+		} catch (Exception $e) {
+			$aResult[] = new CheckResult(CheckResult::ERROR, $e->getMessage());
+			return $aResult;
 		}
+        if (!empty($sMySQLBinDir)) {
+            SetupPage::log('Info - Found mysql_bindir: '.$sMySQLBinDir);
+        }
 		$sCommand = "$sMySQLDump -V 2>&1";
 
 		$aOutput = array();
@@ -1230,6 +1229,12 @@ EOF
 				$aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_connections is set to $iMaxConnections.");
 			}
 
+            $iClusters = $oDBSource->GetClusterNb();
+            if ($iClusters > 0) {
+                SetupLog::Warning('Warning - Using Galera will cause malfunctions and data corruptions. Combodo does not support this type of infrastructure.');
+                $aResult['checks'][] = new CheckResult(CheckResult::WARNING, 'Using Galera will cause malfunctions and data corruptions. Combodo does not support this type of infrastructure.');
+            }
+
 			try {
 				$aResult['databases'] = $oDBSource->ListDB();
 			}

setup/unattended-install/README.md

@@ -2,24 +2,72 @@
 
 This script allows to install and update iTop via CLI.
 
-For more information, see the official Wiki : [Automated installation [iTop Documentation]](https://www.itophub.io/wiki/page?id=latest:advancedtopics:automatic_install) 
+For more information, see the official Wiki : [Automated installation [iTop Documentation]](https://www.itophub.io/wiki/page?id=latest:advancedtopics:automatic_install)
 
+# unattended-install.php
+
+## Usage
+
+Execution of the unattended installation
+> Note:
+> Because the installation runs from the command line, make sure that the current user has enough rights to access the different locations and that the web server will be able to access the files and directories created during the scripted installation. In order to exactly emulate the behavior of
+the interactive installation it may be a good practice to run this installation from the user account used for running the web server process.
+
+Launch the script with the following command:  ```bash php unattended_install.php --param-file=fresh-install.xml ```
+
+Where: `fresh-install.xml` is the response file containing your desired settings for the installation (there are 4 models available in the folder `xml_setup`: fresh-install.xml, itil-fresh-install.xml, itil-upgrade.xml, upgrade.xml)
+
+Fresh installation parameters
+> Important:
+> In the case of a fresh installation (<mode>install</mode>), do not forget to complete below mandatory parameters before:
+
+```xml 
+<database>
+    <server></server>
+    <user></user>
+    <pwd></pwd>
+    <name></name>
+    <db_tls_enabled></db_tls_enabled>
+    <db_tls_ca></db_tls_ca>
+    <prefix></prefix>
+</database>
+<url>
+</url>
+<graphviz_path>/usr/bin/dot</graphviz_path>
+<admin_account>
+<user></user>
+<pwd></pwd>
+<language></language>
+</admin_account>
+<language></language>
+```
+
+## Options
+
+To get all available options of the script, you can perform the following command :
+```php unattended-install.php --help```
+
+# install-itop.sh
+
+## Usage
 
-#install-itop.sh
 You can install your iTop by only using config-itop.php settings and run either
 
 - a non-ITIL iTop fresh installation (use itil-fresh-install.xml to have ITIL modules instead)
+
 ```
 ./install-itop.sh ./xml_setup/fresh-install.xml
 ```
 
 - a non-ITIL iTop upgrade (use itil-upgrade.xml to have ITIL modules instead)
+
 ```
 ./install-itop.sh ./xml_setup/upgrade.xml
 ```
 
 - a specific iTop installation by providing both xml setup file
-in below example file provided is the one generated by iTop during last setup.
+  in below example file provided is the one generated by iTop during last setup.
+
 ```
 ./install-itop.sh ../../log/install-2024-04-03.xml
 ```

setup/unattended-install/unattended-install.php

@@ -25,7 +25,9 @@ EOF;
     exit(-1);
 }
 /////////////////////////////////////////////////
-if (! utils::IsModeCLI())
+
+$sCleanName = strtolower(trim(PHP_SAPI));
+if ($sCleanName !== 'cli')
 {
 	echo "Mode CLI only";
 	exit(-1);

setup/wizardsteps.class.inc.php

@@ -2607,6 +2607,11 @@ class WizStepDone extends WizardStep
 		$oProductionEnv->InitDataModel($oConfig, true);
 		$sIframeUrl = $oConfig->GetModuleSetting('itop-hub-connector', 'setup_url', '');
 
+        $sSetupTokenFile = APPROOT.'data/.setup';
+        $sSetupToken = bin2hex(random_bytes(12));
+        file_put_contents($sSetupTokenFile, $sSetupToken);
+        $sIframeUrl.= "&setup_token=$sSetupToken";
+
 		if ($sIframeUrl != '')
 		{
 			$oPage->add('<iframe id="fresh_content" style="border:0; width:100%; display:none;" src="'.$sIframeUrl.'"></iframe>');

sources/form/formmanager.class.inc.php

@@ -21,6 +21,7 @@
 namespace Combodo\iTop\Form;
 
 use Combodo\iTop\Renderer\FormRenderer;
+use CoreException;
 
 /**
  * Description of formmanager
@@ -59,6 +60,12 @@ abstract class FormManager
 		$oFormManager = new static();
 
 		$sFormRendererClass = $aJson['formrenderer_class'];
+        // N°7455 - Ensure form renderer class extends FormRenderer
+        if (false === is_a($sFormRendererClass, FormRenderer::class, true))
+        {
+            throw new CoreException('Form renderer class must extend '.FormRenderer::class);
+        }
+
 		/** @var \Combodo\iTop\Renderer\FormRenderer $oFormRenderer */
 		$oFormRenderer = new $sFormRendererClass();
 		$oFormRenderer->SetEndpoint($aJson['formrenderer_endpoint']);

sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php

@@ -611,7 +611,7 @@ JS
 					if ($oAttDef->IsExternalKey())
 					{
 						/** @var \AttributeExternalKey $oAttDef */
-						$aAttProperties['value'] = $oRemoteItem->Get($sAttCode . '_friendlyname');
+						$aAttProperties['value'] = \Str::pure2html($oRemoteItem->Get($sAttCode . '_friendlyname'));
 
 						// Checking if user can access object's external key
 						$sObjectUrl = ApplicationContext::MakeObjectUrl($oAttDef->GetTargetClass(), $oRemoteItem->Get($sAttCode));

templates/login/password/resetpwddone.html.twig

@@ -7,7 +7,7 @@
 	<div id="login-content">
 		<h1>{{ 'UI:ResetPwd-Title'|dict_s }}</h1>
 		{% if bNoUser %}
-			<p>{{ 'UI:ResetPwd-Error-WrongLogin'|dict_format(sAuthUser) }}</p>
+			<p>{{ 'UI:ResetPwd-EmailSent'|dict_s }}</p>
 		{% elseif bBadToken %}
 			<p>{{ 'UI:ResetPwd-Error-InvalidToken'|dict_s }}</p>
 		{% else %}

templates/login/password/resetpwdform.html.twig

@@ -8,7 +8,7 @@
 		<div id="login-title">
 			<h1>{{ 'UI:ResetPwd-Title'|dict_s }}</h1>
 			{% if bNoUser and sErrorMessage is null %}
-				<p>{{ 'UI:ResetPwd-Error-WrongLogin'|dict_format(sAuthUser) }}</p>
+				<p>{{ 'UI:ResetPwd-EmailSent'|dict_s }}</p>
 			{% elseif bBadToken and sErrorMessage is null %}
 				<p>{{ 'UI:ResetPwd-Error-InvalidToken'|dict_s }}</p>
 			{% else %}

tests/php-unit-tests/composer.json

@@ -4,6 +4,9 @@
     "sempro/phpunit-pretty-print": "^1.4"
   },
   "autoload": {
+    "classmap": [
+      "unitary-tests/"
+    ],
     "psr-4": {
       "Combodo\\iTop\\Test\\UnitTest\\": "src/BaseTestCase/",
       "Combodo\\iTop\\Test\\UnitTest\\Hook\\": "src/Hook/",

tests/php-unit-tests/module_integration.xml.dist

@@ -19,10 +19,6 @@
         printerClass="Sempro\PHPUnitPrettyPrinter\PrettyPrinter"
 >
 
-  <extensions>
-    <extension class="Combodo\iTop\Test\UnitTest\Hook\TestsRunStartHook" />
-  </extensions>
-
   <php>
     <ini name="error_reporting" value="E_ALL"/>
     <ini name="display_errors" value="On"/>

tests/php-unit-tests/phpunit.xml.dist

@@ -19,10 +19,6 @@
         printerClass="Sempro\PHPUnitPrettyPrinter\PrettyPrinter"
 >
 
-  <extensions>
-    <extension class="Combodo\iTop\Test\UnitTest\Hook\TestsRunStartHook" />
-  </extensions>
-
   <php>
     <ini name="error_reporting" value="E_ALL"/>
     <ini name="display_errors" value="On"/>
@@ -45,7 +41,9 @@
     <testsuite name="Setup">
       <directory>unitary-tests/setup</directory>
     </testsuite>
-    <!-- Note: The unitary-tests/sources/application/TwigBase is omitted for now as the test is not working -->
+    <testsuite name="SourcesApplicationTwigBase">
+      <directory>unitary-tests/sources/application/TwigBase</directory>
+    </testsuite>
     <testsuite name="SourcesApplicationSearch">
       <directory>unitary-tests/sources/application/search</directory>
     </testsuite>

tests/php-unit-tests/postbuild_integration.xml.dist

@@ -19,10 +19,6 @@
         printerClass="Sempro\PHPUnitPrettyPrinter\PrettyPrinter"
 >
 
-  <extensions>
-    <extension class="Combodo\iTop\Test\UnitTest\Hook\TestsRunStartHook" />
-  </extensions>
-
     <php>
         <ini name="error_reporting" value="E_ALL"/>
         <ini name="display_errors" value="On"/>

tests/php-unit-tests/src/BaseTestCase/ItopCustomDatamodelTestCase.php

@@ -7,11 +7,9 @@
 namespace Combodo\iTop\Test\UnitTest;
 
 use CMDBSource;
-use Combodo\iTop\Test\UnitTest\Hook\TestsRunStartHook;
 use Combodo\iTop\Test\UnitTest\Service\UnitTestRunTimeEnvironment;
 use Config;
 use Exception;
-use IssueLog;
 use MetaModel;
 use SetupUtils;
 use utils;
@@ -31,9 +29,9 @@ use utils;
 abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
 {
 	/**
-	 * @var bool[]
-	 */
-	protected static $aReadyCustomEnvironments = [];
+	 * @var UnitTestRunTimeEnvironment
+     */
+	protected $oEnvironment = null;
 
 	/**
 	 * @inheritDoc
@@ -51,11 +49,19 @@ abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
 		$this->setRunClassInSeparateProcess(true);
 	}
 
-	/**
+    /**
 	 * @return string Abs path to the XML delta to use for the tests of that class
 	 */
 	abstract public function GetDatamodelDeltaAbsPath(): string;
 
+	protected function setUp(): void
+	{
+        static::LoadRequiredItopFiles();
+        $this->oEnvironment = new UnitTestRunTimeEnvironment('production', $this->GetTestEnvironment());
+
+		parent::setUp();
+	}
+
 	/**
 	 * @inheritDoc
 	 */
@@ -93,40 +99,16 @@ abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
 	}
 
 	/**
-	 * Mark {@see \Combodo\iTop\Test\UnitTest\ItopDataTestCase::GetTestEnvironment()} as ready (compiled)
-	 *
-	 * @return void
-	 */
-	private function MarkEnvironmentReady(): void
-	{
-		if (false === $this->IsEnvironmentReady()) {
-			touch(static::GetTestEnvironmentFolderAbsPath());
-		}
-	}
-
-	/**
-	 * @return bool True if the {@see \Combodo\iTop\Test\UnitTest\ItopDataTestCase::GetTestEnvironment()} is ready (compiled, but not started)
-	 *
-	 * @details Having the environment ready means that it has been compiled for this global tests run, not that it is a relic from a previous global tests run
+	 * @return bool True if the {@see \Combodo\iTop\Test\UnitTest\ItopDataTestCase::GetTestEnvironment()} is ready (compiled, up-to-date, but not necessarily started)
 	 */
 	final protected function IsEnvironmentReady(): bool
 	{
-		// As these test cases run in separate processes, the best way we found to let know a process if its environment was already prepared for **this run** was to compare the modification times of:
-		// - its own env-<ENV> folder
-		// - a file generated at the beginning of the global test run {@see \Combodo\iTop\Test\UnitTest\Hook\TestsRunStartHook}
-		$sRunStartedFilePath = TestsRunStartHook::GetRunStartedFileAbsPath();
-		$sEnvFolderPath = static::GetTestEnvironmentFolderAbsPath();
-
 		clearstatcache();
-		if (false === file_exists($sRunStartedFilePath) || false === file_exists($sEnvFolderPath)) {
+		if (false === file_exists($this->GetTestEnvironmentFolderAbsPath())) {
 			return false;
 		}
-
-		$iRunStartedFileModificationTime = filemtime($sRunStartedFilePath);
-		$iEnvFolderModificationTime = filemtime($sEnvFolderPath);
-
-		return $iEnvFolderModificationTime >= $iRunStartedFileModificationTime;
-	}
+        return $this->oEnvironment->IsUpToDate();
+    }
 
 	/**
 	 * @inheritDoc
@@ -141,6 +123,12 @@ abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
 		// Note: To improve performances, we compile all XML deltas from test cases derived from this class and make a single environment where everything will be ran at once.
 		//       This requires XML deltas to be compatible, but it is a known and accepted trade-off. See PR #457
 		if (false === $this->IsEnvironmentReady()) {
+
+            $this->debug("Preparing custom environment '$sTestEnv' with the following datamodel files:");
+            foreach ($this->oEnvironment->GetCustomDatamodelFiles() as $sCustomDatamodelFile) {
+                $this->debug("  - $sCustomDatamodelFile");
+            }
+
 			//----------------------------------------------------
 			// Clear any previous "$sTestEnv" environment
 			//----------------------------------------------------
@@ -153,14 +141,6 @@ abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
 				SetupUtils::tidydir($sConfFolder);
 			}
 
-			// - Datamodel delta files
-			// - Cache folder
-			// - Compiled folder
-			// We don't need to clean them as they are already by the compilation
-
-			// - Drop database
-			// We don't do that now, it will be done before re-creating the DB, once the metamodel is started
-
 			//----------------------------------------------------
 			// Prepare "$sTestEnv" environment
 			//----------------------------------------------------
@@ -179,7 +159,7 @@ abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
 			$oTestConfig->Set('db_name', $oTestConfig->Get('db_name').'_'.$sTestEnvSanitizedForDBName);
 
 			// - Compile env. based on the existing 'production' env.
-			$oEnvironment = new UnitTestRunTimeEnvironment($sTestEnv);
+			$oEnvironment = new UnitTestRunTimeEnvironment($sSourceEnv, $sTestEnv);
 			$oEnvironment->WriteConfigFileSafe($oTestConfig);
 			$oEnvironment->CompileFrom($sSourceEnv, false);
 
@@ -194,8 +174,7 @@ abstract class ItopCustomDatamodelTestCase extends ItopDataTestCase
             // In 2.7, we can't call MetaModel::DBCreate() directly as the views creation will fail
             $this->InvokeNonPublicStaticMethod(MetaModel::class, 'DBCreateTables', []);
 
-			$this->MarkEnvironmentReady();
-			$this->debug('Preparation of custom environment "'.$sTestEnv.'" done.');
+			$this->debug("Custom environment '$sTestEnv' is ready!");
 		}
 
 		parent::PrepareEnvironment();

tests/php-unit-tests/src/BaseTestCase/ItopTestCase.php

@@ -28,20 +28,8 @@ abstract class ItopTestCase extends TestCase
 
 	protected static $aBackupStaticProperties = [];
 
-	/** @noinspection UsingInclusionOnceReturnValueInspection avoid errors for approot includes */
 	protected function setUp(): void
 	{
-		$sAppRootRelPath = 'approot.inc.php';
-		$sDepthSeparator = '../';
-		for ($iDepth = 0; $iDepth < 8; $iDepth++) {
-			if (file_exists($sAppRootRelPath)) {
-				require_once $sAppRootRelPath;
-				break;
-			}
-
-			$sAppRootRelPath = $sDepthSeparator.$sAppRootRelPath;
-		}
-
 		$this->LoadRequiredItopFiles();
 		$this->LoadRequiredTestFiles();
 	}
@@ -68,8 +56,9 @@ abstract class ItopTestCase extends TestCase
 	 */
 	protected function LoadRequiredItopFiles(): void
 	{
-		// Empty until we actually need to require some files in the class
-	}
+		// At least make sure that the autoloader will be loaded, and that the APPROOT constant is defined
+        require_once __DIR__.'/../../../../approot.inc.php';
+    }
 
 	/**
 	 * Overload this method to require necessary files through {@see \Combodo\iTop\Test\UnitTest\ItopTestCase::RequireOnceUnitTestFile()}
@@ -96,23 +85,6 @@ abstract class ItopTestCase extends TestCase
 		require_once APPROOT . $sFileRelPath;
 	}
 
-	/**
-	 * Helper to load a module file. The caller test must be in that module !
-	 * Will browse dir up to find a module.*.php
-	 *
-	 * @param string $sFileRelPath for example 'portal/src/Helper/ApplicationHelper.php'
-	 * @since 2.7.10 3.1.1 3.2.0 N°6709 method creation
-	 */
-	protected function RequireOnceCurrentModuleFile(string $sFileRelPath): void
-	{
-		$aStack = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1);
-		$sCallerFileFullPath = $aStack[0]['file'];
-		$sCallerDir = dirname($sCallerFileFullPath);
-
-		$sModuleRootPath = static::GetFirstDirUpContainingFile($sCallerDir, 'module.*.php');
-		require_once $sModuleRootPath . $sFileRelPath;
-	}
-
 	/**
 	 * Require once a unit test file (eg. a mock class) from its relative path from the *current* dir.
 	 * This ensure that required files don't crash when unit tests dir is moved in the iTop structure (see N°5608)
@@ -130,26 +102,6 @@ abstract class ItopTestCase extends TestCase
 		require_once $sCallerDirAbsPath . DIRECTORY_SEPARATOR . $sFileRelPath;
 	}
 
-	private static function GetFirstDirUpContainingFile(string $sSearchPath, string $sFileToFindGlobPattern): ?string
-	{
-		for ($iDepth = 0; $iDepth < 8; $iDepth++) {
-			$aGlobFiles = glob($sSearchPath . '/' . $sFileToFindGlobPattern);
-			if (is_array($aGlobFiles) && (count($aGlobFiles) > 0)) {
-				return $sSearchPath . '/';
-			}
-			$iOffsetSep = strrpos($sSearchPath, '/');
-			if ($iOffsetSep === false) {
-				$iOffsetSep = strrpos($sSearchPath, '\\');
-				if ($iOffsetSep === false) {
-					// Do not throw an exception here as PHPUnit will not show it clearly when determing the list of test to perform
-					return 'Could not find the approot file in ' . $sSearchPath;
-				}
-			}
-			$sSearchPath = substr($sSearchPath, 0, $iOffsetSep);
-		}
-		return null;
-	}
-
 	protected function debug($sMsg)
 	{
 		if (DEBUG_UNIT_TEST) {
@@ -164,7 +116,7 @@ abstract class ItopTestCase extends TestCase
 
 	public function GetMicroTime()
 	{
-		list($uSec, $sec) = explode(" ", microtime());
+		[$uSec, $sec] = explode(" ", microtime());
 		return ((float)$uSec + (float)$sec);
 	}
 
@@ -206,7 +158,7 @@ abstract class ItopTestCase extends TestCase
 	/**
 	 * @param string $sObjectClass for example DBObject::class
 	 * @param string $sMethodName
-	 * @param object $oObject
+	 * @param object|null $oObject
 	 * @param array $aArgs
 	 *
 	 * @return mixed method result
@@ -249,7 +201,7 @@ abstract class ItopTestCase extends TestCase
 	 * @throws \ReflectionException
 	 * @since 2.7.8 3.0.3 3.1.0
 	 */
-	public function GetNonPublicProperty(object $oObject, string $sProperty)
+	public function GetNonPublicProperty($oObject, string $sProperty)
 	{
 		$oProperty = $this->GetProperty(get_class($oObject), $sProperty);
 
@@ -318,7 +270,7 @@ abstract class ItopTestCase extends TestCase
 	 * @throws \ReflectionException
 	 * @since 2.7.8 3.0.3 3.1.0
 	 */
-	public function SetNonPublicProperty(object $oObject, string $sProperty, $value)
+	public function SetNonPublicProperty($oObject, string $sProperty, $value)
 	{
 		$oProperty = $this->GetProperty(get_class($oObject), $sProperty);
 		$oProperty->setValue($oObject, $value);

tests/php-unit-tests/src/Hook/TestsRunStartHook.php

@@ -1,63 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/*
- * @copyright   Copyright (C) 2010-2023 Combodo SARL
- * @license     http://opensource.org/licenses/AGPL-3.0
- */
-
-namespace Combodo\iTop\Test\UnitTest\Hook;
-
-require_once __DIR__ . '/../../../../approot.inc.php';
-
-use PHPUnit\Runner\AfterLastTestHook;
-use PHPUnit\Runner\BeforeFirstTestHook;
-use utils;
-
-/**
- * Class TestsRunStartHook
- *
- * IMPORTANT: This will no longer work in PHPUnit 10.0 and there is no alternative for now, so we will have to migrate it when the time comes
- * @link https://localheinz.com/articles/2023/02/14/extending-phpunit-with-its-new-event-system/#content-hooks-event-system
- *
- * @author Guillaume Lajarige <guillaume.lajarige@combodo.com>
- * @package Combodo\iTop\Test\UnitTest\Hook
- * @since N°6097 2.7.10 3.0.4 3.1.1
- */
-class TestsRunStartHook implements BeforeFirstTestHook, AfterLastTestHook
-{
-	/**
-	 * Use the modification time on this file to check whereas it is newer than the requirements in a test case
-	 *
-	 * @return string Abs. path to a file generated when the global tests run starts.
-	 */
-	public static function GetRunStartedFileAbsPath(): string
-	{
-		// Note: This can't be put in the cache-<ENV> folder as we have multiple <ENV> running across the test cases
-		//       We also don't want to put it in the unit tests folder as it is not supposed to be writable
-		return APPROOT.'data/.php-unit-tests-run-started';
-	}
-
-	/**
-	 * @inheritDoc
-	 */
-	public function executeBeforeFirstTest(): void
-	{
-		// Create / change modification timestamp of file marking the beginning of the tests run
-		touch(static::GetRunStartedFileAbsPath());
-	}
-
-	/**
-	 * @inheritDoc
-	 */
-	public function executeAfterLastTest(): void
-	{
-		// Cleanup of file marking the beginning of the tests run
-		if (file_exists(static::GetRunStartedFileAbsPath())) {
-			unlink(static::GetRunStartedFileAbsPath());
-		}
-	}
-
-
-}

tests/php-unit-tests/src/Service/UnitTestRunTimeEnvironment.php

@@ -9,9 +9,13 @@ namespace Combodo\iTop\Test\UnitTest\Service;
 
 use Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCase;
 use IssueLog;
+use LogChannels;
 use MFCoreModule;
+use RecursiveDirectoryIterator;
+use RecursiveIteratorIterator;
 use ReflectionClass;
 use RunTimeEnvironment;
+use utils;
 
 
 /**
@@ -25,62 +29,140 @@ use RunTimeEnvironment;
 class UnitTestRunTimeEnvironment extends RunTimeEnvironment
 {
 	/**
+	 * @var string[]
+	 */
+	protected $aCustomDatamodelFiles = null;
+
+    /**
+     * @var string
+     */
+    protected $sSourceEnv;
+
+    public function __construct($sSourceEnv, $sTargetEnv)
+    {
+        parent::__construct($sTargetEnv);
+        $this->sSourceEnv = $sSourceEnv;
+    }
+
+    public function GetEnvironment(): string
+	{
+		return $this->sFinalEnv;
+	}
+
+    public function IsUpToDate()
+    {
+        clearstatcache();
+        $fLastCompilationTime = filemtime(APPROOT.'env-'.$this->sFinalEnv);
+        $aModifiedFiles = [];
+        $this->FindFilesModifiedAfter($fLastCompilationTime, APPROOT.'datamodels/2.x', $aModifiedFiles);
+        $this->FindFilesModifiedAfter($fLastCompilationTime, APPROOT.'extensions', $aModifiedFiles);
+        $this->FindFilesModifiedAfter($fLastCompilationTime, APPROOT.'data/production-modules', $aModifiedFiles);
+        foreach ($this->GetCustomDatamodelFiles() as $sCustomDatamodelFile) {
+            if (filemtime($sCustomDatamodelFile) > $fLastCompilationTime) {
+                $aModifiedFiles[] = $sCustomDatamodelFile;
+            }
+        }
+        if (count($aModifiedFiles) > 0) {
+            echo "The following files have been modified after the last compilation:\n";
+            foreach ($aModifiedFiles as $sFile) {
+                echo " - $sFile\n";
+            }
+        }
+        return (count($aModifiedFiles) === 0);
+    }
+
+    /**
 	 * @inheritDoc
 	 */
 	protected function GetMFModulesToCompile($sSourceEnv, $sSourceDir)
 	{
 		$aRet = parent::GetMFModulesToCompile($sSourceEnv, $sSourceDir);
 
-		/** @var string[] $aDeltaFiles Referential of loaded deltas. Mostly to avoid duplicates. */
-		$aDeltaFiles = [];
-		foreach (get_declared_classes() as $sClass) {
-			// Filter on classes derived from this \Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCaseItopCustomDatamodelTestCase
-			if (false === is_a($sClass, ItopCustomDatamodelTestCase::class, true)) {
-				continue;
-			}
-
-			$oReflectionClass = new ReflectionClass($sClass);
-			$oReflectionMethod = $oReflectionClass->getMethod('GetDatamodelDeltaAbsPath');
-
-			// Filter on classes with an actual XML delta (eg. not \Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCase and maybe some other deriving from a class with a delta)
-			if ($oReflectionMethod->isAbstract()) {
-				continue;
-			}
-
-			/** @var \Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCase $oTestClassInstance */
-			$oTestClassInstance = new $sClass();
-
-			// Check test class is for desired environment
-			if ($oTestClassInstance->GetTestEnvironment() !== $this->sFinalEnv) {
-				continue;
-			}
-
-			// Check XML delta actually exists
-			$sDeltaFile = $oTestClassInstance->GetDatamodelDeltaAbsPath();
-			if (false === is_file($sDeltaFile)) {
-				$this->fail("Could not prepare '$this->sFinalEnv' as the XML delta file '$sDeltaFile' (used in $sClass) does not seem to exist");
-			}
-
-			// Avoid duplicates
-			if (in_array($sDeltaFile, $aDeltaFiles)) {
-				continue;
-			}
-
-			// Prepare fake module name for delta
-			$sDeltaName = preg_replace('/[^\d\w]/', '', $sDeltaFile);
-			// Note: We can't use \MFDeltaModule as we can't specify the ID which leads to only 1 delta being applied... In the future we might introduce a new MFXXXModule, but in the meantime it feels alright (GLA / RQU)
-			$oDelta = new MFCoreModule($sDeltaName, $sDeltaName, $sDeltaFile);
-
-			IssueLog::Debug('XML delta found for unit tests', static::class, [
-				'Unit test class' => $sClass,
-				'Delta file path' => $sDeltaFile,
-			]);
-
-			$aDeltaFiles[] = $sDeltaFile;
-			$aRet[$sDeltaName] = $oDelta;
+		foreach ($this->GetCustomDatamodelFiles() as $sDeltaFile) {
+			$sDeltaId = preg_replace('/[^\d\w]/', '', $sDeltaFile);
+            $sDeltaName = basename($sDeltaFile);
+            $sDeltaDir = dirname($sDeltaFile);
+			$oDelta = new MFCoreModule($sDeltaName, "$sDeltaDir/$sDeltaName", $sDeltaFile);
+			$aRet[$sDeltaId] = $oDelta;
 		}
-
 		return $aRet;
 	}
 
+	public function GetCustomDatamodelFiles()
+	{
+		if (!is_null($this->aCustomDatamodelFiles)) {
+			return $this->aCustomDatamodelFiles;
+		}
+		$this->aCustomDatamodelFiles = [];
+
+		// Search for the PHP files implementing the method GetDatamodelDeltaAbsPath
+		// and extract the delta file path from the method
+		foreach(['unitary-tests', 'integration-tests'] as $sTestDir) {
+			// Iterate on all PHP files in subdirectories
+			// Note: grep is not available on Windows, so we will use the PHP Reflection API
+			foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator(__DIR__."/../../$sTestDir")) as $oFile) {
+				if ($oFile->isDir()){
+					continue;
+				}
+				if (pathinfo($oFile->getFilename(), PATHINFO_EXTENSION) !== 'php') {
+					continue;
+				}
+				$sFile = $oFile->getPathname();
+				$sContent = file_get_contents($sFile);
+				if (strpos($sContent, 'GetDatamodelDeltaAbsPath') === false) {
+					continue;
+				}
+				$sClass = '';
+				$aMatches = [];
+				if (preg_match('/namespace\s+([^;]+);/', $sContent, $aMatches)) {
+					$sNamespace = $aMatches[1];
+					$sClass = $sNamespace.'\\'.basename($sFile, '.php');
+				}
+				if (preg_match('/\s+class\s+([^ ]+)\s+/', $sContent, $aMatches)) {
+					$sClass = $sNamespace.'\\'.$aMatches[1];
+				}
+				if ($sClass === '') {
+					continue;
+				}
+                require_once $sFile;
+				$oReflectionClass = new ReflectionClass($sClass);
+				if ($oReflectionClass->isAbstract()) {
+					continue;
+				}
+                // Check if the class extends ItopCustomDatamodelTestCase
+                if (!$oReflectionClass->isSubclassOf(ItopCustomDatamodelTestCase::class)) {
+                    continue;
+                }
+				/** @var \Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCase $oTestClassInstance */
+				$oTestClassInstance = new $sClass();
+				if ($oTestClassInstance->GetTestEnvironment() !== $this->sFinalEnv) {
+					continue;
+				}
+				$sDeltaFile = $oTestClassInstance->GetDatamodelDeltaAbsPath();
+				if (!is_file($sDeltaFile)) {
+					throw new \Exception("Unknown delta file: $sDeltaFile, from test class '$sClass'");
+				}
+				if (!in_array($sDeltaFile, $this->aCustomDatamodelFiles)) {
+					$this->aCustomDatamodelFiles[] = $sDeltaFile;
+				}
+			}
+		}
+
+		return $this->aCustomDatamodelFiles;
+	}
+
+    private function FindFilesModifiedAfter(float $fReferenceTimestamp, string $sPathToScan, array &$aModifiedFiles)
+    {
+        if (!is_dir($sPathToScan)) {
+            return;
+        }
+        foreach (new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($sPathToScan)) as $oFile) {
+            if ($oFile->isDir()) {
+                continue;
+            }
+            if (filemtime($oFile->getPathname()) > $fReferenceTimestamp) {
+                $aModifiedFiles[] = $oFile->getPathname();
+            }
+        }
+    }
 }

tests/php-unit-tests/unitary-tests/application/applicationextension/Delta/application-extension-usages-in-snippets.xml

@@ -140,7 +140,7 @@ class ExampleFor_iQueryModifier implements \iQueryModifier
 
 	public function GetFieldExpression(QueryBuilderContext &$oBuild, $sClass, $sAttCode, $sColId, Expression $oFieldSQLExp, SQLQuery &$oSelect)
 	{
-	  // Do nothing, we just need the class to exists for the unit test
+	  return $oFieldSQLExp;
 	}
 }
       ]]></content>

tests/php-unit-tests/unitary-tests/application/utilsTest.php

@@ -495,7 +495,7 @@ class utilsTest extends ItopTestCase
 			'good element_identifier' => ['element_identifier', 'AD05nb', 'AD05nb'],
 			'bad element_identifier' => ['element_identifier', 'AD05nb+', 'AD05nb'],
 			'good url' => ['url', 'https://www.w3schools.com', 'https://www.w3schools.com'],
-			'bad url' => ['url', 'https://www.w3schoo<EFBFBD><EFBFBD>ls.co<EFBFBD>m', null],
+			'bad url' => ['url', 'https//www.w3schools.com', null],
 			'raw_data' => ['raw_data', '<Test>\s😃😃😃', '<Test>\s😃😃😃'],
 		];
 	}

tests/php-unit-tests/unitary-tests/core/Delta/delta_test_sanitize_output.xml

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.7">
+    <classes>
+        <class id="TestServer" _delta="define">
+            <parent>cmdbAbstractObject</parent>
+            <properties>
+                <category>bizmodel</category>
+                <abstract>false</abstract>
+                <key_type>autoincrement</key_type>
+                <db_table>test_server</db_table>
+                <db_key_field>id</db_key_field>
+            </properties>
+            <presentation/>
+            <methods/>
+            <fields>
+                <field id="contact_list" xsi:type="AttributeLinkedSetIndirect">
+                    <linked_class>lnkContactTestToServer</linked_class>
+                    <ext_key_to_me>test_server_id</ext_key_to_me>
+                    <ext_key_to_remote>contact_test_id</ext_key_to_remote>
+                    <is_null_allowed>true</is_null_allowed>
+                </field>
+                <field id="password_list" xsi:type="AttributeLinkedSet">
+                    <linked_class>PasswordTest</linked_class>
+                    <ext_key_to_me>server_test_id</ext_key_to_me>
+                    <is_null_allowed>true</is_null_allowed>
+                </field>
+                <field id="name" xsi:type="AttributeString">
+                    <sql>name</sql>
+                    <default_value/>
+                    <is_null_allowed>false</is_null_allowed>
+                </field>
+            </fields>
+        </class>
+
+
+        <class id="ContactTest" _delta="define">
+            <parent>cmdbAbstractObject</parent>
+            <properties>
+                <category>bizmodel</category>
+                <abstract>false</abstract>
+                <key_type>autoincrement</key_type>
+                <db_table>contact_test</db_table>
+                <db_key_field>id</db_key_field>
+            </properties>
+            <presentation/>
+            <methods/>
+            <fields>
+                <field id="password" xsi:type="AttributeEncryptedString">
+                    <sql>password</sql>
+                </field>
+                <field id="server_test_list" xsi:type="AttributeLinkedSetIndirect">
+                    <linked_class>lnkContactTestToServer</linked_class>
+                    <ext_key_to_me>contact_test_id</ext_key_to_me>
+                    <ext_key_to_remote>test_server_id</ext_key_to_remote>
+                    <is_null_allowed>true</is_null_allowed>
+                </field>
+            </fields>
+        </class>
+
+
+        <class id="lnkContactTestToServer" _delta="define">
+            <parent>cmdbAbstractObject</parent>
+            <properties>
+                <category>bizmodel</category>
+                <abstract>false</abstract>
+                <key_type>autoincrement</key_type>
+                <db_table>lnk_contact_server_test</db_table>
+                <db_key_field>id</db_key_field>
+            </properties>
+            <presentation/>
+            <methods/>
+            <fields>
+                <field id="contact_test_password" xsi:type="AttributeExternalField" _delta="define">
+                    <extkey_attcode>contact_test_id</extkey_attcode>
+                    <target_attcode>password</target_attcode>
+                </field>
+                <field id="test_server_id" xsi:type="AttributeExternalKey" _delta="define">
+                    <target_class>TestServer</target_class>
+                    <on_target_delete>DEL_MANUAL</on_target_delete>
+                    <sql>test_server</sql>
+                    <is_null_allowed>false</is_null_allowed>
+
+                </field>
+                <field id="contact_test_id" xsi:type="AttributeExternalKey" _delta="define">
+                    <target_class>ContactTest</target_class>
+                    <on_target_delete>DEL_MANUAL</on_target_delete>
+                    <sql>contact_test</sql>
+                    <is_null_allowed>false</is_null_allowed>
+
+                </field>
+            </fields>
+        </class>
+        <class id="PasswordTest" _delta="define">
+            <parent>cmdbAbstractObject</parent>
+            <properties>
+                <category>bizmodel</category>
+                <abstract>false</abstract>
+                <key_type>autoincrement</key_type>
+                <db_table>password_test</db_table>
+                <db_key_field>id</db_key_field>
+            </properties>
+            <presentation/>
+            <methods/>
+            <fields>
+                <field id="server_test_id" xsi:type="AttributeExternalKey" _delta="define">
+                    <target_class>TestServer</target_class>
+                    <sql>server_test_id</sql>
+                    <on_target_delete>DEL_MANUAL</on_target_delete>
+                </field>
+                <field id="password" xsi:type="AttributeEncryptedString" _delta="define">
+                    <sql>password</sql>
+                </field>
+            </fields>
+        </class>
+    </classes>
+</itop_design>

tests/php-unit-tests/unitary-tests/core/RestServicesSanitizeOutputTest.php

@@ -0,0 +1,164 @@
+<?php
+declare(strict_types=1);
+
+namespace Combodo\iTop\Test\UnitTest\Core;
+
+use ArchivedObjectException;
+use AttributeEncryptedString;
+use Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCase;
+use CoreException;
+use CoreUnexpectedValue;
+use Exception;
+use MetaModel;
+use ormLinkSet;
+use PasswordTest;
+use RestResultWithObjects;
+
+/**
+ * @runTestsInSeparateProcesses
+ * @preserveGlobalState disabled
+ * @backupGlobals disabled
+ */
+class RestServicesSanitizeOutputTest extends ItopCustomDatamodelTestCase
+{
+    private const SIMPLE_PASSWORD = '123456';
+
+    /**
+     * @throws Exception
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+        // Workaround to cope with inconsistent settings in itop-config files from the CI
+        AttributeEncryptedString::$sKey = '6eb9d9afa3ee0fbcebe622a33bf57aaeafb7c37998fd24c403c2522c2d60117f';
+    }
+
+    /**
+     * @return void
+     * @throws CoreException
+     */
+    public function testSanitizeAttributeOnRequestedObject()
+    {
+        $oContactTest = MetaModel::NewObject('ContactTest', [
+                        'password' => self::SIMPLE_PASSWORD]
+        );
+        $oRestResultWithObject = new RestResultWithObjects();
+        $oRestResultWithObject->AddObject(0, 'ok', $oContactTest, ['ContactTest' => ['password']]);
+        $oRestResultWithObject->SanitizeContent();
+        static::assertEquals(
+                '{"objects":{"ContactTest::-1":{"code":0,"message":"ok","class":"ContactTest","key":-1,"fields":{"password":"*****"}}},"code":0,"message":null}',
+                json_encode($oRestResultWithObject));
+    }
+
+    /**
+     * @return void
+     * @throws Exception
+     */
+    public function testSanitizeAttributeExternalFieldOnLink()
+    {
+        $oContactTest = $this->createObject('ContactTest', [
+                        'password' => self::SIMPLE_PASSWORD]
+        );
+
+        $oTestServer = $this->createObject('TestServer', [
+                'name' => 'test_server',
+        ]);
+
+
+        // create lnkContactTestToServer
+        $oLnkContactTestToServer = $this->createObject('lnkContactTestToServer', [
+                'contact_test_id' => $oContactTest->GetKey(),
+                'test_server_id' => $oTestServer->GetKey()
+        ]);
+
+        $oRestResultWithObject = new RestResultWithObjects();
+        $oRestResultWithObject->AddObject(0, 'ok', $oLnkContactTestToServer,
+                ['lnkContactTestToServer' => ['contact_test_password']]);
+
+        $oRestResultWithObject->SanitizeContent();
+
+        static::assertContains(
+                '*****',
+                json_encode($oRestResultWithObject));
+
+        static::assertNotContains(
+                self::SIMPLE_PASSWORD,
+                json_encode($oRestResultWithObject));
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function testSanitizeAttributeOnObjectRelatedThroughNNRelation()
+    {
+        $oContactTest = $this->createObject('ContactTest', [
+                'password' => self::SIMPLE_PASSWORD]);
+
+        $oTestServer = $this->createObject('TestServer', [
+                'name' => 'test_server',
+        ]);
+
+        // create lnkContactTestToServer
+        $this->createObject('lnkContactTestToServer', [
+                'contact_test_id' => $oContactTest->GetKey(),
+                'test_server_id' => $oTestServer->GetKey()
+        ]);
+
+        $oRestResultWithObject = new RestResultWithObjects();
+        $oRestResultWithObject->AddObject(0, 'ok', $oTestServer,
+                ['TestServer' => ['contact_list']]);
+
+        $oRestResultWithObject->SanitizeContent();
+        static::assertContains(
+                '*****',
+                json_encode($oRestResultWithObject));
+
+        static::assertNotContains(
+                self::SIMPLE_PASSWORD,
+                json_encode($oRestResultWithObject));
+    }
+
+
+    /**
+     * @throws CoreException
+     * @throws CoreUnexpectedValue
+     * @throws ArchivedObjectException
+     * @throws Exception
+     */
+    public function testSanitizeOnObjectRelatedThrough1NRelation()
+    {
+        $oTestServer = $this->createObject('TestServer', [
+                'name' => 'my_server',
+        ]);
+
+        $oPassword = new PasswordTest();
+        $oPassword->Set('password', self::SIMPLE_PASSWORD);
+        $oPassword->Set('server_test_id', $oTestServer->GetKey());
+
+        /** @var ormLinkSet $oContactList */
+        $oContactList = $oTestServer->Get('password_list');
+        $oContactList->AddItem($oPassword);
+        $oTestServer->Set('password_list', $oContactList);
+
+        $oRestResultWithObject = new RestResultWithObjects();
+        $oRestResultWithObject->AddObject(0, 'ok', $oTestServer, ['TestServer' => ['id', 'password_list']]);
+        $oRestResultWithObject->SanitizeContent();
+
+        static::assertContains(
+                '*****',
+                json_encode($oRestResultWithObject));
+
+        static::assertNotContains(
+                self::SIMPLE_PASSWORD,
+                json_encode($oRestResultWithObject));
+
+    }
+
+    /**
+     * @return string Abs path to the XML delta to use for the tests of that class
+     */
+    public function GetDatamodelDeltaAbsPath(): string
+    {
+        return __DIR__ . '/Delta/delta_test_sanitize_output.xml';
+    }
+}

tests/php-unit-tests/unitary-tests/core/RestServicesTest.php

@@ -0,0 +1,125 @@
+<?php
+declare(strict_types=1);
+
+namespace Combodo\iTop\Test\UnitTest\Core;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use CoreException;
+use CoreServices;
+use CoreUnexpectedValue;
+use RestResultWithObjects;
+use UserLocal;
+
+/**
+ * @runTestsInSeparateProcesses
+ * @preserveGlobalState disabled
+ * @backupGlobals disabled
+ */
+class RestServicesTest extends ItopDataTestCase
+{
+    /**
+     * @return void
+     * @dataProvider providerTestSanitizeJsonInput
+     */
+    public function testSanitizeJsonInput($sJsonData, $sExpectedJsonDataSanitized)
+    {
+        $oRS = new CoreServices();
+        $sOutputJson = $oRS->SanitizeJsonInput($sJsonData);
+        static::assertEquals($sExpectedJsonDataSanitized, $sOutputJson);
+    }
+
+    /**
+     * @return array[]
+     */
+    public function providerTestSanitizeJsonInput(): array
+    {
+        return [
+                'core/check_credentials' => [
+                        '{"operation": "core/check_credentials", "user": "admin", "password": "admin"}',
+                        '{
+    "operation": "core/check_credentials",
+    "user": "admin",
+    "password": "*****"
+}'
+                ],
+                'core/update' => [
+                        '{"operation": "core/update", "comment": "Update user", "class": "UserLocal", "key": {"id":1}, "output_fields": "first_name, password", "fields": {"password" : "123456"}}',
+                        '{
+    "operation": "core/update",
+    "comment": "Update user",
+    "class": "UserLocal",
+    "key": {
+        "id": 1
+    },
+    "output_fields": "first_name, password",
+    "fields": {
+        "password": "*****"
+    }
+}'
+                ],
+                'core/create' => [
+                        '{"operation": "core/create", "comment": "Create user", "class": "UserLocal", "fields": {"first_name": "John", "last_name": "Doe", "email": "jd@example/com", "password" : "123456"}}',
+                        '{
+    "operation": "core/create",
+    "comment": "Create user",
+    "class": "UserLocal",
+    "fields": {
+        "first_name": "John",
+        "last_name": "Doe",
+        "email": "jd@example/com",
+        "password": "*****"
+    }
+}'
+                ],
+        ];
+    }
+
+    /**
+     * @param $sOperation
+     * @param $aJsonData
+     * @param $sExpectedJsonDataSanitized
+     * @return void
+     * @throws CoreException
+     * @throws CoreUnexpectedValue
+     * @dataProvider providerTestSanitizeJsonOutput
+     */
+    public function testSanitizeJsonOutput($sOperation, $aJsonData, $sExpectedJsonDataSanitized)
+    {
+        $oUser = new UserLocal();
+        $oUser->Set('password', '123456');
+        $oRestResultWithObject = new RestResultWithObjects();
+        $oRestResultWithObject->AddObject(0, 'ok', $oUser, ['UserLocal' => ['login', 'password']]);
+        $oRestResultWithObject->SanitizeContent();
+        static::assertEquals($sExpectedJsonDataSanitized, json_encode($oRestResultWithObject));
+    }
+
+    /**
+     * @return array[]
+     */
+    public function providerTestSanitizeJsonOutput(): array
+    {
+        return [
+
+                'core/update' => [
+                        'core/update',
+                        ['comment' => 'Update user', 'class' => 'UserLocal', 'key' => ['login' => 'my_example'], 'output_fields' => 'password', 'fields' => ['password' => 'opkB!req57']],
+                        '{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"","password":"*****"}}},"code":0,"message":null}'
+                ],
+                'core/create' => [
+                        'core/create',
+                        ['comment' => 'Create user', 'class' => 'UserLocal', 'fields' => ['password' => 'Azertyuiiop*12', 'login' => 'toto', 'profile_list' => [1]]],
+                        '{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"","password":"*****"}}},"code":0,"message":null}'
+                ],
+                'core/get' => [
+                        'core/get',
+                        ['comment' => 'Get user', 'class' => 'UserLocal', 'key' => ['login' => 'my_example'], 'output_fields' => 'first_name, password'],
+                        '{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"","password":"*****"}}},"code":0,"message":null}'
+                ],
+                'core/check_credentials' => [
+                        'core/check_credentials',
+                        ['user' => 'admin', 'password' => 'admin'],
+                        '{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"","password":"*****"}}},"code":0,"message":null}'
+                ],
+        ];
+    }
+}

tests/php-unit-tests/unitary-tests/core/iTopConfigParserTest.php

@@ -21,7 +21,7 @@ class iTopConfigParserTest extends ItopTestCase
 
 		clearstatcache();
 		$this->sConfigPath = utils::GetConfigFilePath();
-		$this->tmpSavePath = tempnam('/tmp/', 'config-itop');
+		$this->tmpSavePath = tempnam(sys_get_temp_dir(), 'config-itop');
 
 		$this->conf_exists = is_file($this->sConfigPath);
 		if ($this->conf_exists)
@@ -156,8 +156,8 @@ class iTopConfigParserTest extends ItopTestCase
 	 */
 	public function testConfigWriteToFile()
 	{
-		$tmpConfigFileBeforePath = tempnam( '/tmp/', 'config-itop');
-		$tmpConfigFileAfterPath = tempnam( '/tmp/', 'config-itop');
+		$tmpConfigFileBeforePath = tempnam( sys_get_temp_dir(), 'config-itop');
+		$tmpConfigFileAfterPath = tempnam( sys_get_temp_dir(), 'config-itop');
 
 		//create new config file
 		$sConfigFile = utils::GetConfig()->GetLoadedFile();

tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-hub-connector/TokenValidationTest.php

@@ -0,0 +1,45 @@
+<?php
+declare(strict_types=1);
+
+namespace Combodo\iTop\Test\UnitTest\Module\LaunchTest;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use TokenValidation;
+
+class TokenValidationTest extends ItopDataTestCase
+{
+    /**
+     * @param string $sSetupToken
+     *
+     * @return string
+     */
+    public function createSetupTokenFile(string $sSetupToken): string
+    {
+        $sSetupTokenFile = APPROOT . 'data/.setup';
+        file_put_contents($sSetupTokenFile, $sSetupToken);
+
+        return $sSetupTokenFile;
+    }
+
+    /**
+     * @group itop-community
+     * @return void
+     */
+    public function testLaunch()
+    {
+        $this->RequireOnceItopFile('datamodels/2.x/itop-hub-connector/TokenValidation.php');
+
+        $oTokenValidation = new TokenValidation();
+
+        $sSetupToken = bin2hex(random_bytes(12));
+        $this->assertFalse($oTokenValidation->isSetupTokenValid('lol'));
+        $this->assertFalse($oTokenValidation->isSetupTokenValid(''));
+        $this->assertFalse($oTokenValidation->isSetupTokenValid($sSetupToken));
+        $this->createSetupTokenFile($sSetupToken);
+        $this->assertFalse($oTokenValidation->isSetupTokenValid('lol'));
+        $this->createSetupTokenFile($sSetupToken);
+        $this->assertFalse($oTokenValidation->isSetupTokenValid(''));
+        $this->createSetupTokenFile($sSetupToken);
+        $this->assertTrue($oTokenValidation->isSetupTokenValid($sSetupToken));
+    }
+}

tests/php-unit-tests/unitary-tests/setup/unattended-install/InstallationFileServiceTest.php

@@ -287,8 +287,8 @@ class InstallationFileServiceTest extends ItopTestCase {
 
 	private function GetMockListOfFoundModules() : array {
 		$sJsonContent = file_get_contents(realpath(__DIR__ . '/resources/AnalyzeInstallation.json'));
-		$sJsonContent = str_replace('ROOTDIR_TOREPLACE', APPROOT, $sJsonContent);
-		return json_decode($sJsonContent, true);
+		$sJsonContent = str_replace('ROOTDIR_TOREPLACE', addslashes(APPROOT), $sJsonContent);
+        return json_decode($sJsonContent, true);
 	}
 
 	/**

tests/php-unit-tests/unitary-tests/setup/unattended-install/UnattendedInstallTest.php

@@ -69,6 +69,12 @@ class UnattendedInstallTest extends ItopDataTestCase
 		$sOutput = implode('\n', $aOutput);
 		var_dump($sOutput);
 		$this->assertStringContainsString("Missing mandatory argument `--param-file`", $sOutput);
-		$this->assertEquals(255, $iCode);
+        if (DIRECTORY_SEPARATOR === '\\') {
+            // Windows
+            $this->assertEquals(-1, $iCode);
+        } else {
+            // Linux
+            $this->assertEquals(255, $iCode);
+        }
 	}
 }

tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php

@@ -1,58 +1,44 @@
 <?php
-namespace Combodo\iTop\Test\UnitTest;
+
+namespace Combodo\iTop\Test\UnitTest\Application\TwigBase;
 
 use Combodo\iTop\Portal\Twig\AppExtension;
-use Twig_Environment;
-use Twig_Loader_Array;
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use Twig\Environment;
+use Twig\Loader\FilesystemLoader;
 
-/**
- * @runTestsInSeparateProcesses
- * @preserveGlobalState disabled
- * @backupGlobals disabled
- */
 class TwigTest extends ItopDataTestCase
 {
-	protected function setUp(): void
-	{
-		parent::setUp();
-		$this->RequireOnceItopFile('core/config.class.inc.php');
-	}
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->RequireOnceItopFile('core/config.class.inc.php');
+    }
 
-	/**
-	 * Test the fix for ticket N°4384
-	 *
-	 * @dataProvider TemplateProvider
-	 *
-	 */
-	public function testTemplate($sFileName, $sExpected)
-	{
-		$sId = 'TestTwig';
-		$oAppExtension = new AppExtension();
+    /**
+     * @covers N°4384 N°7810
+     *
+     */
+    public function testTemplate()
+    {
+        // Creating sandbox twig env. to load and test the custom form template
+        $oTwig = new Environment(new FilesystemLoader(__DIR__.'/'));
 
-		// Creating sandbox twig env. to load and test the custom form template
-		$oTwig = new Twig_Environment(new Twig_Loader_Array([$sId => $sFileName]));
+        // Manually registering filters and functions as we didn't find how to do it automatically
+        $oAppExtension = new AppExtension();
+        $aFilters = $oAppExtension->getFilters();
+        foreach ($aFilters as $oFilter)
+        {
+            $oTwig->addFilter($oFilter);
+        }
+        $aFunctions = $oAppExtension->getFunctions();
+        foreach ($aFunctions as $oFunction)
+        {
+            $oTwig->addFunction($oFunction);
+        }
 
-		// Manually registering filters and functions as we didn't find how to do it automatically
-		$aFilters = $oAppExtension->getFilters();
-		foreach ($aFilters as $oFilter)
-		{
-			$oTwig->addFilter($oFilter);
-		}
-		$aFunctions = $oAppExtension->getFunctions();
-		foreach ($aFunctions as $oFunction)
-		{
-			$oTwig->addFunction($oFunction);
-		}
-	}
+        $sOutput = $oTwig->render('test.html.twig');
 
-	public static function testTemplateProvider()
-	{
-		$aReturn = array();
-		$aReturn['filter_system'] = [
-				'sFileName' => 'test.html',
-				'expected' =>file_get_contents(dirname(__FILE__).'/test.html'),
-			];
-
-		return $aReturn;
-	}
+        $this->assertEquals(file_get_contents(__DIR__.'/test.html'), $sOutput);
+    }
 }

tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html

@@ -42,5 +42,8 @@ Smith, Dupond
 <div>['echo',1]|sort('system')|join</div>
 echo1
 
+<div>[['id','']|sort('system')</div>
+id
+
 POST /subscribe?0=cat+/etc/passwd HTTP/1.1
 email=""@attacker.tld

tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig

@@ -47,5 +47,8 @@
 <div>['echo',1]|sort('system')|join</div>
 {{ ['echo',1]|sort('system')|join }}
 
+<div>[['id','']|sort('system')</div>
+{{['id','']|sort('system')|join}}
+
 POST /subscribe?0=cat+/etc/passwd HTTP/1.1
 email="{{ app.request.query.filter(0,0,1024,{'options':'system'}) }}"@attacker.tld

webservices/rest.php

@@ -209,7 +209,11 @@ try
 		/** @var iRestServiceProvider $oRS */
 		$oRS = $aOpToRestService[$sOperation]['service_provider'];
 		$sProvider = get_class($oRS);
-	
+		
+		if ($oRS instanceof iRestInputSanitizer) {
+			$sSanitizedJsonInput = $oRS->SanitizeJsonInput($sJsonString);
+		}
+
 		CMDBObject::SetTrackOrigin('webservice-rest');
 		$oResult = $oRS->ExecOperation($sVersion, $sOperation, $aJsonData);
 	}
@@ -234,6 +238,7 @@ catch(Exception $e)
 //
 $sResponse = json_encode($oResult);
 
+
 if ($sResponse === false)
 {
 	$oJsonIssue = new RestResult();
@@ -267,7 +272,7 @@ if (MetaModel::GetConfig()->Get('log_rest_service'))
 	$oLog->SetTrim('userinfo', UserRights::GetUser());
 	$oLog->Set('version', $sVersion);
 	$oLog->Set('operation', $sOperation);
-	$oLog->SetTrim('json_input', $sJsonString);
+    $oLog->SetTrim('json_input', $sSanitizedJsonInput ?? $sJsonString);
 
 	$oLog->Set('provider', $sProvider);
 	$sMessage = $oResult->message;
@@ -277,7 +282,8 @@ if (MetaModel::GetConfig()->Get('log_rest_service'))
 	}
 	$oLog->SetTrim('message', $sMessage);
 	$oLog->Set('code', $oResult->code);
-	$oLog->SetTrim('json_output', $sResponse);
+	$oResult->SanitizeContent();
+	$oLog->SetTrim('json_output', json_encode($oResult, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE));
 
 	$oLog->DBInsertNoReload();
 	$oKPI->ComputeAndReport('Log inserted');