Fix dropdown name escaping and autonaming from templates; fixes glpi-…

…project#8818
cedric-anne · May 26, 2021 · 3acd10d · 3acd10d
1 parent beeac5f
commit 3acd10d
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 28 deletions.
diff --git a/inc/commondbtm.class.php b/inc/commondbtm.class.php
@@ -1096,14 +1096,6 @@ function add(array $input, $options = [], $history = true) {
          }
       }
 
-      if (isset($input['name'])) {
-         $input['name'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['name']));
-      }
-
-      if (isset($input['comments'])) {
-         $input['comments'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['comments']));
-      }
-
       // Store input in the object to be available in all sub-method / hook
       $this->input = $input;
 
@@ -1456,14 +1448,6 @@ function update(array $input, $history = 1, $options = []) {
          return false;
       }
 
-      if (isset($input['name'])) {
-         $input['name'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['name']));
-      }
-
-      if (isset($input['comments'])) {
-         $input['comments'] = strip_tags(Toolbox::unclean_cross_side_scripting_deep($input['comments']));
-      }
-
       // Store input in the object to be available in all sub-method / hook
       $this->input = $input;
 

diff --git a/inc/dbutils.class.php b/inc/dbutils.class.php
@@ -1125,6 +1125,12 @@ public function getTreeValueCompleteName($table, $ID, $withcomment = false, $tra
          } else {
             $name = $result['completename'];
          }
+
+         // Separator is not encoded in DB, and it could not be changed as this is mandatory to be able to split tree
+         // correctly even if some tree elements are containing ">" char in their name (this one will be encoded).
+         $separator = ' > ';
+         $name = implode(Toolbox::clean_cross_side_scripting_deep($separator), explode($separator, $name));
+
          if ($tooltip) {
             $comment  = sprintf(__('%1$s: %2$s')."<br>",
                               "<span class='b'>".__('Complete name')."</span>",

diff --git a/js/common.js b/js/common.js
@@ -976,20 +976,22 @@ var typewatch = (function(){
  * Function that renders select2 selections.
  */
 var templateSelection = function (selection) {
+   var text = '';
    if (!("element" in selection)) {
-      return selection.text;
-   }
-
-   // Data generated by ajax containing 'selection_text'
-   if (Object.prototype.hasOwnProperty.call(selection, 'selection_text')) {
-      return selection.selection_text;
-   }
-   // Data generated with optgroups
-   if (selection.element.parentElement.nodeName == 'OPTGROUP') {
-      return selection.element.parentElement.getAttribute('label') + ' - ' + selection.text;
+      text = selection.text;
+   } else if (Object.prototype.hasOwnProperty.call(selection, 'selection_text')) {
+      // Data generated by ajax containing 'selection_text'
+      text = selection.selection_text;
+   } else if (selection.element.parentElement.nodeName == 'OPTGROUP') {
+      // Data generated with optgroups
+      text = selection.element.parentElement.getAttribute('label') + ' - ' + selection.text;
+   } else {
+      // Default text
+      text = selection.text;
    }
-   // Default text
-   return selection.text;
+   var _elt = $('<span></span>');
+   _elt.html(escapeMarkupText(text));
+   return _elt;
 };
 
 /**