
#565 Fixed security issues (XSS)

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@2282 a333f486-631f-4898-b8df-5754b55c2be0
romainq 12 years ago
parent
commit
517b819879

+ 1 - 1
application/cmdbabstract.class.inc.php

@@ -1371,7 +1371,7 @@ abstract class cmdbAbstractObject extends CMDBObject implements iDisplay
 				if (is_null($aAllowedValues))
 				{
 					// Any value is possible, display an input box
-					$sHtml .= "<label>".MetaModel::GetFilterLabel($sClassName, $sFilterCode).":</label>&nbsp;<input class=\"textSearch\" name=\"$sFilterCode\" value=\"$sFilterValue\"/>\n";
+					$sHtml .= "<label>".MetaModel::GetFilterLabel($sClassName, $sFilterCode).":</label>&nbsp;<input class=\"textSearch\" name=\"$sFilterCode\" value=\"".htmlentities($sFilterValue, ENT_QUOTES, 'utf-8')."\"/>\n";
 				}
 				else
 				{
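Review bot: Only `$sFilterValue` is escaped on the new line; `$sFilterCode` is still interpolated raw into the `name` attribute and the `GetFilterLabel()` result goes unescaped into the `<label>` text on the same line. Both presumably come from the data model rather than the request, so the exposure is smaller, but escaping them too keeps the line safe if a filter code is ever derived from input: `name=\"".htmlentities($sFilterCode, ENT_QUOTES, 'utf-8')."\"`. Note also that `htmlentities()` with `'utf-8'` returns an empty string for malformed UTF-8 input, so an invalid byte sequence in the filter value silently blanks the field; if the code base targets PHP 5.4 or later, `ENT_QUOTES | ENT_SUBSTITUTE` avoids that. The enclosing method starts before the hunk and continues after it.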

+ 2 - 1
datamodels/1.x/itop-attachments/ajax.attachment.php

@@ -102,7 +102,8 @@ try
 }
 catch (Exception $e)
 {
-	echo $e->GetMessage();
+	// note: transform to cope with XSS attacks
+	echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
 	IssueLog::Error($e->getMessage());
 }
 ?>
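Review bot: Escaping the message closes the reflected-XSS path, but the handler still echoes raw exception text to the client, which can leak internal detail (paths, class names, query fragments) even though the same text is already captured by `IssueLog::Error` on the following line. Consider returning a generic message and keeping the detail in the log only: `echo 'An error occurred while processing the attachment.';`. Whether HTML-escaping is the right transform also depends on the response type of this AJAX endpoint, which is outside the hunk — if the caller parses plain text or JSON, the entities will appear literally in the UI. Minor style: `GetMessage()` and `getMessage()` are mixed on adjacent lines; PHP resolves both, but one spelling is easier to grep.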

+ 2 - 1
pages/ajax.render.php

@@ -875,7 +875,8 @@ try
 }
 catch (Exception $e)
 {
-	echo $e->GetMessage();
+	// note: transform to cope with XSS attacks
+	echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
 	echo "<p>Debug trace: <pre>".print_r($e->getTrace(), true)."</pre></p>\n";
 	IssueLog::Error($e->getMessage());
 }
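Review bot: The debug trace on the line after the escaped message is still emitted unescaped: `print_r($e->getTrace(), true)` dumps each frame's arguments, which can include the same request-derived strings that motivated escaping the message, so the reflected-XSS vector this commit fixes stays open through the `<pre>` block. Wrap it the same way, `echo "<p>Debug trace: <pre>".htmlentities(print_r($e->getTrace(), true), ENT_QUOTES, 'utf-8')."</pre></p>\n";`, and consider gating the trace behind a debug setting, since it also discloses file paths and call arguments to any client that can trigger an exception. The `try` block begins before the hunk.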