Prevent XSS in Entity badge

glpi-project · Nov 3, 2022 · 6f208f1 · 6f208f1
1 parent 1fe7a87
commit 6f208f1
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 13 deletions.
diff --git a/src/Entity.php b/src/Entity.php
@@ -35,6 +35,7 @@
 
 use Glpi\Event;
 use Glpi\Plugin\Hooks;
+use Glpi\Toolbox\Sanitizer;
 
 /**
  * Entity class
@@ -3918,13 +3919,44 @@ public static function getDefaultContract(int $entities_id): int
 
     public static function badgeCompletename(string $entity_string = ""): string
     {
-        $split  = explode(' > ', trim($entity_string));
-        foreach ($split as &$node) {
-            $node = "<span class='text-nowrap'>$node</span>";
-        }
+        // `completename` is expected to be received as it is stored in DB,
+        // meaning that `>` separator is not encoded, but `<`, `>` and `&` from self or parent names are encoded.
+        $names  = explode(' > ', trim($entity_string));
+
+        // Convert the whole completename into decoded HTML.
+        foreach ($names as &$name) {
+            $name = Sanitizer::decodeHtmlSpecialChars($name);
+        }
+
+        // Construct HTML with special chars encoded.
+        $title = htmlspecialchars(implode(' > ', $names));
+        $breadcrumbs = implode(
+            '<i class="fas fa-caret-right mx-1"></i>',
+            array_map(
+                function (string $name): string {
+                    return '<span class="text-nowrap">' . htmlspecialchars($name) . '</span>';
+                },
+                $names
+            )
+        );
+
 
-        return "<span class='entity-badge' title='$entity_string'>" .
-         implode('<i class="fas fa-caret-right mx-1"></i>', $split) .
-        "</span>";
+        return '<span class="entity-badge" title="' . $title . '">' . $breadcrumbs . "</span>";
+    }
+
+    /**
+     * Return HTML code for entity badge showing its completename.
+     *
+     * @param int $entity_id
+     *
+     * @return string|null
+     */
+    public static function badgeCompletenameById(int $entity_id): ?string
+    {
+        $entity = new self();
+        if ($entity->getFromDB($entity_id)) {
+            return self::badgeCompletename($entity->fields['completename']);
+        }
+        return null;
     }
 }
diff --git a/templates/components/itilobject/fields_panel.html.twig b/templates/components/itilobject/fields_panel.html.twig
@@ -75,9 +75,7 @@
                   ) }}
                {% else %}
                   {% set entity_html %}
-                     {{ call('Entity::badgeCompletename', [
-                        get_item_name('Entity', item.fields['entities_id'])
-                     ])|raw }}
+                     {{ call('Entity::badgeCompletenameById', [item.fields['entities_id']])|raw }}
                   {% endset %}
 
                   {{ fields.field(

diff --git a/templates/components/itilobject/timeline/new_form.html.twig b/templates/components/itilobject/timeline/new_form.html.twig
@@ -51,9 +51,7 @@
                      <div class="alert alert-info" role="alert">
                         {% set entitybadge %}
                            <span class="ms-1">
-                              {{ call('Entity::badgeCompletename', [
-                                 get_item_name('Entity', item.fields['entities_id'])
-                              ])|raw }}
+                              {{ call('Entity::badgeCompletenameById', [item.fields['entities_id']])|raw }}
                            </span>
                         {% endset %}