
#446 continuing: sanitizing parameters...

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@1451 a333f486-631f-4898-b8df-5754b55c2be0
dflaven 14 năm trước cách đây
mục cha
commit
be8991ed36

+ 2 - 5
application/ajaxwebpage.class.inc.php

@@ -45,11 +45,12 @@ class ajax_page extends WebPage
     {
         parent::__construct($s_title);
         $this->m_sReadyScript = "";
-		$this->add_header("Content-type: text/html; charset=utf-8");
+		//$this->add_header("Content-type: text/html; charset=utf-8");
 		$this->add_header("Cache-control: no-cache");
 		$this->m_sCurrentTabContainer = '';
         $this->m_sCurrentTab = '';
 		$this->m_aTabs = array();
+		$this->sContentType = 'text/html';
 		$this->sContentDisposition = 'inline';
     }	
 
@@ -97,10 +98,6 @@ class ajax_page extends WebPage
     	{
 			$this->add_header('Content-type: '.$this->sContentType);
     	}
-    	else
-    	{
-			$this->add_header('Content-type: text/html');
-    	}
     	if (!empty($this->sContentDisposition))
     	{
 			$this->add_header('Content-Disposition: '.$this->sContentDisposition.'; filename="'.$this->sContentFileName.'"');
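Review bot: The default content type set in the constructor at line 24 drops the charset that the replaced header on line 18 carried, so pages that never call SetContentType now go out as `Content-type: text/html` with no charset and the browser is left to guess the encoding. Keeping it in the default, `$this->sContentType = 'text/html; charset=utf-8';`, restores the previous header; callers that later set a bare 'text/html' (as pages/ajax.render.php does on this page) would still lose it, which is worth a sentence in SetContentType's docblock. The commented-out add_header on line 19 should be deleted rather than kept as dead code. Both the constructor and the output method start and end outside the hunks.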

+ 3 - 3
application/cmdbabstract.class.inc.php

@@ -1388,8 +1388,8 @@ EOF
 		$sHtml .= "<form id=\"formOQL{$iSearchFormId}\"><table style=\"width:80%;\"><tr style=\"vertical-align:top\">\n";
 		$sHtml .= "<td style=\"text-align:right\"><label>SELECT&nbsp;</label><select name=\"oql_class\">";
 		$aClasses = MetaModel::EnumChildClasses($sClassName, ENUM_CHILD_CLASSES_ALL);
-		$sSelectedClass = utils::ReadParam('oql_class', $sClassName);
-		$sOQLClause = utils::ReadParam('oql_clause', '');
+		$sSelectedClass = utils::ReadParam('oql_class', $sClassName, false, 'class');
+		$sOQLClause = utils::ReadParam('oql_clause', '', false, 'raw_data');
 		asort($aClasses);
 		foreach($aClasses as $sChildClass)
 		{
@@ -2339,7 +2339,7 @@ EOF
 	{
 		$aErrors = array();
 
-		$aRawValues = utils::ReadParam($sArgName, array());
+		$aRawValues = utils::ReadParam($sArgName, array(), '', 'raw_data');
 
 		$aValues = array();
 		foreach($this->GetWriteableAttList($aAttList, $aErrors) as $sAttCode => $oAttDef)
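Review bot: The third argument at line 59 is `''` where every other call in this commit passes `false` for the allow-CLI flag; the empty string is falsy so it behaves the same today, but it is the wrong type for that parameter and will misbehave if the flag is ever compared strictly. Use `$aRawValues = utils::ReadParam($sArgName, array(), false, 'raw_data');`. The enclosing method starts and ends outside the hunk.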

+ 1 - 1
application/itopwebpage.class.inc.php

@@ -629,7 +629,7 @@ EOF
 		}
 
 		// Render the text of the global search form
-		$sText = htmlentities(utils::ReadParam('text', ''), ENT_QUOTES, 'UTF-8');
+		$sText = htmlentities(utils::ReadParam('text', '', false, 'raw_data'), ENT_QUOTES, 'UTF-8');
 		$sOnClick = "";
 		if (empty($sText))
 		{

+ 6 - 6
application/portalwebpage.class.inc.php

@@ -427,7 +427,7 @@ EOF
 			//
 			$this->add('<span style="white-space: nowrap;padding:5px;display:inline-block;">');
 			$sFilterValue = '';
-			$sFilterValue = utils::ReadParam($sPrefix.$sFieldName, '');
+			$sFilterValue = utils::ReadParam($sPrefix.$sFieldName, '', false, 'raw_data');
 			$sFilterOpCode = null; // Use the default 'loose' OpCode
 			$oAttDef = MetaModel::GetAttributeDef($sClass, $sAttSpec);
 			if ($oAttDef->IsExternalKey())
@@ -530,14 +530,14 @@ EOF
 	 * @input string $sMethod Either get or post
 	 * @return Hash Array of name => value corresponding to the parameters that were passed to the page
 	 */
-	public function ReadAllParams($sParamList, $sPrefix = 'attr_', $sMethod = 'get')
+	public function ReadAllParams($sParamList, $sPrefix = 'attr_')
 	{
 		$aParams = explode(',', $sParamList);
 		$aValues = array();
 		foreach($aParams as $sName)
 		{
 			$sName = trim($sName);
-			$value = utils::ReadParam($sPrefix.$sName, null, $sMethod);
+			$value = utils::ReadParam($sPrefix.$sName, null, false, 'raw_data');
 			if (!is_null($value))
 			{
 				$aValues[$sName] = $value;
@@ -658,8 +658,8 @@ EOF
 	 */
 	public function FindObjectFromArgs($aAllowedClasses = null)
 	{
-		$sClass = utils::ReadParam('class', '');
-		$iId = utils::ReadParam('id', 0);
+		$sClass = utils::ReadParam('class', '', true, 'class');
+		$iId = utils::ReadParam('id', 0, true, 'integer');
 	
 		if (empty($sClass))
 		{
@@ -781,7 +781,7 @@ EOF
 
 	protected function GetWizardStepHistory()
 	{
-		$sRawHistory = trim(utils::ReadParam('step_history', ''));
+		$sRawHistory = trim(utils::ReadParam('step_history', '', false, 'raw_data'));
 		if (strlen($sRawHistory) == 0)
 		{
 			return array();
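Review bot: The docblock at lines 90-92 still documents `@input string $sMethod Either get or post` although the parameter was removed from ReadAllParams at line 94; the sibling ReadAllParams in portal/index.php (line 535 on this page) keeps the same stale line. Drop that `@input` line in both and add a sentence that values are read with the 'raw_data' filter, so callers know they receive unsanitized input. PHP silently ignores the extra argument, so any caller still passing `$sMethod` will not error but will not be noticed either; a grep for three-argument calls is worthwhile. The methods touched by the other hunks start and end outside them.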

+ 1 - 1
modules/itop-attachments/ajax.attachment.php

@@ -49,7 +49,7 @@ try
 			'att_id' => 0,
 			'msg' => ''
 		);
-		$sObjClass = stripslashes(utils::ReadParam('obj_class', ''));
+		$sObjClass = stripslashes(utils::ReadParam('obj_class', '', false, 'class'));
 		$sTempId = utils::ReadParam('temp_id', '');
 		if (empty($sObjClass))
 		{
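Review bot: `temp_id` on line 136 keeps the default filter while `obj_class` beside it gets the 'class' filter; if `temp_id` is later used as a storage key or file name for the uploaded attachment (not visible here), it needs an equally restrictive filter, such as the 'integer' filter this commit uses for ids, or an explicit check before use. Applying stripslashes after the 'class' filter also means the filter sees the escaped form of the value; if the filter already strips backslashes the stripslashes is redundant, and otherwise filtering the unescaped value would be the safer order. The enclosing try block starts and ends outside the hunk.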

+ 22 - 22
pages/UI.php

@@ -591,9 +591,9 @@ try
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'search_oql': // OQL query
-			$sOQLClass = utils::ReadParam('oql_class', '');
-			$sBaseClass = utils::ReadParam('base_class', $sOQLClass);
-			$sOQLClause = utils::ReadParam('oql_clause', '');
+			$sOQLClass = utils::ReadParam('oql_class', '', false, 'class');
+			$sBaseClass = utils::ReadParam('base_class', $sOQLClass, false, 'class');
+			$sOQLClause = utils::ReadParam('oql_clause', '', false, 'raw_data');
 			$sFormat = utils::ReadParam('format', '');
 			$bSearchForm = utils::ReadParam('search_form', true);
 			$sTitle = utils::ReadParam('title', 'UI:SearchResultsPageTitle');
@@ -629,7 +629,7 @@ try
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'search_form': // Search form
-			$sClass = utils::ReadParam('class', '');
+			$sClass = utils::ReadParam('class', '', false, 'class');
 			$sFormat = utils::ReadParam('format', 'html');
 			$bSearchForm = utils::ReadParam('search_form', true);
 			if (empty($sClass))
@@ -644,7 +644,7 @@ try
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'search': // Serialized CMDBSearchFilter
-			$sFilter = utils::ReadParam('filter', '');
+			$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 			$sFormat = utils::ReadParam('format', '');
 			$bSearchForm = utils::ReadParam('search_form', true);
 			if (empty($sFilter))
@@ -660,7 +660,7 @@ try
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'full_text': // Global "google-like" search
-			$sFullText = trim(utils::ReadParam('text', ''));
+			$sFullText = trim(utils::ReadParam('text', '', false, 'raw_data'));
 			if (empty($sFullText))
 			{
 				$oP->p(Dict::S('UI:Search:NoSearch'));
@@ -752,7 +752,7 @@ try
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'modify': // Form to modify an object
-			$sClass = utils::ReadParam('class', '');
+			$sClass = utils::ReadParam('class', '', false, 'class');
 			$sClassLabel = MetaModel::GetName($sClass);
 			$id = utils::ReadParam('id', '');
 			if ( empty($sClass) || empty($id)) // TO DO: check that the class name is valid !
@@ -790,7 +790,7 @@ try
 
 		case 'select_for_modify_all': // Select the list of objects to be modified (bulk modify)
 		$oP->set_title(Dict::S('UI:ModifyAllPageTitle'));
-		$sFilter = utils::ReadParam('filter', '');
+		$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 		if (empty($sFilter))
 		{
 			throw new ApplicationException(Dict::Format('UI:Error:1ParametersMissing', 'filter'));
@@ -806,8 +806,8 @@ try
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'form_for_modify_all': // Form to modify multiple objects (bulk modify)
-		$sFilter = utils::ReadParam('filter', '');
-		$sClass = utils::ReadParam('class', '');
+		$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
+		$sClass = utils::ReadParam('class', '', false, 'class');
 		$oFullSetFilter = DBObjectSearch::unserialize($sFilter);
 		$aSelectedObj = utils::ReadMultipleSelection($oFullSetFilter);
 		if (count($aSelectedObj) > 0)
@@ -978,8 +978,8 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'preview_or_modify_all': // Preview or apply bulk modify
-		$sFilter = utils::ReadParam('filter', '');
-		$sClass = utils::ReadParam('class', '');
+		$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
+		$sClass = utils::ReadParam('class', '', false, 'class');
 		$bPreview = utils::ReadParam('preview_mode', '');
 		$sSelectedObj = utils::ReadParam('selectObj', '');
 		if ( empty($sClass) || empty($sSelectedObj)) // TO DO: check that the class name is valid !
@@ -1081,7 +1081,7 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'new': // Form to create a new object
-			$sClass = utils::ReadParam('class', '');
+			$sClass = utils::ReadParam('class', '', false, 'class');
 			$sStateCode = utils::ReadParam('state', '');
 			$bCheckSubClass = utils::ReadParam('checkSubclass', true);
 			if ( empty($sClass) )
@@ -1089,7 +1089,7 @@ EOF
 				throw new ApplicationException(Dict::Format('UI:Error:1ParametersMissing', 'class'));
 			}
 
-			$aArgs = utils::ReadParam('default', array());
+			$aArgs = utils::ReadParam('default', array(), false, 'raw_data');
 			$aContext = $oAppContext->GetAsHash();
 			foreach( $oAppContext->GetNames() as $key)
 			{
@@ -1149,7 +1149,7 @@ EOF
 				$oP->add("<div class=\"wizContainer\">\n");
 				$oP->add('<form>');
 				$oP->add('<p>'.Dict::Format('UI:SelectTheTypeOf_Class_ToCreate', $sClassLabel));
-				$aDefaults = utils::ReadParam('default', array());
+				$aDefaults = utils::ReadParam('default', array(), false, 'raw_data');
 				$oP->add($oAppContext->GetForForm());
 				$oP->add("<input type=\"hidden\" name=\"checkSubclass\" value=\"0\">\n");
 				$oP->add("<input type=\"hidden\" name=\"state\" value=\"$sStateCode\">\n");
@@ -1280,7 +1280,7 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'select_for_deletion': // Select multiple objects for deletion
-			$sFilter = utils::ReadParam('filter', '');
+			$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 			if (empty($sFilter))
 			{
 				throw new ApplicationException(Dict::Format('UI:Error:1ParametersMissing', 'filter'));
@@ -1332,7 +1332,7 @@ EOF
 
 		case 'delete':				// Deletion (preview)
 		case 'delete_confirmed':	// Deletion (confirmed)
-		$sClass = utils::ReadParam('class', '');
+		$sClass = utils::ReadParam('class', '', false, 'class');
 		$sClassLabel = MetaModel::GetName($sClass);
 		$id = utils::ReadParam('id', '');
 		$oObj = MetaModel::GetObject($sClass, $id);
@@ -1347,7 +1347,7 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'apply_new': // Creation of a new object
-		$sClass = utils::ReadPostedParam('class', '');
+		$sClass = utils::ReadPostedParam('class', '', 'class');
 		$sClassLabel = MetaModel::GetName($sClass);
 		$sTransactionId = utils::ReadPostedParam('transaction_id', '');
 		if ( empty($sClass) ) // TO DO: check that the class name is valid !
@@ -1441,7 +1441,7 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		case 'select_bulk_stimulus': // Form displayed when applying a stimulus to many objects
-		$sFilter = utils::ReadParam('filter', '');
+		$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 		$sStimulus = utils::ReadParam('stimulus', '');
 		$sState = utils::ReadParam('state', '');
 		if (empty($sFilter) || empty($sStimulus) || empty($sState))
@@ -1464,7 +1464,7 @@ EOF
 		break;
 		
 		case 'bulk_stimulus':
-		$sFilter = utils::ReadParam('filter', '');
+		$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 		$sStimulus = utils::ReadParam('stimulus', '');
 		$sState = utils::ReadParam('state', '');
 		if (empty($sFilter) || empty($sStimulus) || empty($sState))
@@ -1771,7 +1771,7 @@ EOF
 		break;
 
 		case 'stimulus': // Form displayed when applying a stimulus (state change)
-		$sClass = utils::ReadParam('class', '');
+		$sClass = utils::ReadParam('class', '', false, 'class');
 		$id = utils::ReadParam('id', '');
 		$sStimulus = utils::ReadParam('stimulus', '');
 		if ( empty($sClass) || empty($id) ||  empty($sStimulus) ) // TO DO: check that the class name is valid !
@@ -2001,7 +2001,7 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 		
 		case 'swf_navigator': // Graphical display of the relations "impact" / "depends on"
-		$sClass = utils::ReadParam('class', '');
+		$sClass = utils::ReadParam('class', '', false, 'class');
 		$id = utils::ReadParam('id', 0);
 		$sRelation = utils::ReadParam('relation', 'impact');
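Review bot: The `id` parameter read at lines 190, 266, 301 and 310 keeps the default filter while the neighbouring `class` read gets the 'class' filter, although the same commit gives `id` the 'integer' filter in portalwebpage.class.inc.php; pages/xml.navigator.php line 527 has the same gap. `$id = utils::ReadParam('id', 0, false, 'integer');` would be consistent, provided the following `empty($id)` checks reject the zero default as they do the empty string (how the integer filter treats a string default is not visible here). The 'class' filter constrains the shape of the name but does not confirm it exists in the model, so the "TO DO: check that the class name is valid" comments at lines 191, 222, 276 and 303 still apply. In the 'new' case, `state` read at line 229 is written unescaped into a hidden input at line 249; passing it through htmlentities there, as the search text is in the itopwebpage hunk, would close that gap. These cases sit in a switch whose enclosing function starts and ends outside the hunks.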
 		

+ 2 - 2
pages/UniversalSearch.php

@@ -47,8 +47,8 @@ $oP->add_linked_script("../js/jquery.blockUI.js");
 // From now on the context is limited to the the selected organization ??
 
 // Now render the content of the page
-$sBaseClass = utils::ReadParam('baseClass', 'Organization');
-$sClass = utils::ReadParam('class', $sBaseClass);
+$sBaseClass = utils::ReadParam('baseClass', 'Organization', false, 'class');
+$sClass = utils::ReadParam('class', $sBaseClass, false, 'class');
 $sOQLClause = utils::ReadParam('oql_clause', '', false, 'raw_data');
 $sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 $sOperation = utils::ReadParam('operation', '');

+ 14 - 14
pages/ajax.render.php

@@ -45,7 +45,7 @@ try
 	$operation = utils::ReadParam('operation', '');
 	$sFilter = stripslashes(utils::ReadParam('filter', '', false, 'raw_data'));
 	$sEncoding = utils::ReadParam('encoding', 'serialize');
-	$sClass = utils::ReadParam('class', 'MissingAjaxParam');
+	$sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');
 	$sStyle = utils::ReadParam('style', 'list');
 
 	switch($operation)
@@ -171,7 +171,7 @@ try
 		// ui.linkswidget
 		case 'searchObjectsToAdd':
 		$oPage->SetContentType('text/html');
-		$sRemoteClass = utils::ReadParam('sRemoteClass', '');
+		$sRemoteClass = utils::ReadParam('sRemoteClass', '', false, 'class');
 		$sAttCode = utils::ReadParam('sAttCode', '');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$sSuffix = utils::ReadParam('sSuffix', '');
@@ -186,9 +186,9 @@ try
 		// ui.extkeywidget
 		case 'searchObjectsToSelect':
 		$oPage->SetContentType('text/html');
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$iInputId = utils::ReadParam('iInputId', '');
-		$sRemoteClass = utils::ReadParam('sRemoteClass', '');
+		$sRemoteClass = utils::ReadParam('sRemoteClass', '', false, 'class');
 		$sFilter = utils::ReadParam('sFilter', '', false, 'raw_data');
 		$sJson = utils::ReadParam('json', '', false, 'raw_data');
 		if (!empty($sJson))
@@ -207,7 +207,7 @@ try
 	
 		// ui.extkeywidget: autocomplete
 		case 'ac_extkey':
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$sFilter = utils::ReadParam('sFilter', '', false, 'raw_data');
 		$sJson = utils::ReadParam('json', '', false, 'raw_data');
@@ -229,7 +229,7 @@ try
 		// ui.extkeywidget
 		case 'objectSearchForm':
 		$oPage->SetContentType('text/html');
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$sTitle = utils::ReadParam('sTitle', '', false, 'raw_data');
 		$oWidget = new UIExtKeyWidget($sTargetClass, $iInputId);
@@ -238,7 +238,7 @@ try
 
 		// ui.extkeywidget
 		case 'objectCreationForm':
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$oWidget = new UIExtKeyWidget($sTargetClass, $iInputId);
 		$oWidget->GetObjectCreationForm($oPage);
@@ -246,7 +246,7 @@ try
 		
 		// ui.extkeywidget
 		case 'doCreateObject':
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$sFormPrefix = utils::ReadParam('sFormPrefix', '');
 		$oWidget = new UIExtKeyWidget($sTargetClass, $iInputId);
@@ -256,7 +256,7 @@ try
 		
 		// ui.extkeywidget
 		case 'getObjectName':
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$iObjectId = utils::ReadParam('iObjectId', '');
 		$oWidget = new UIExtKeyWidget($sTargetClass, $iInputId);
@@ -267,7 +267,7 @@ try
 		// ui.extkeywidget
 		case 'displayHierarchy':
 		$oPage->SetContentType('text/html');
-		$sTargetClass = utils::ReadParam('sTargetClass', '');
+		$sTargetClass = utils::ReadParam('sTargetClass', '', false, 'class');
 		$sInputId = utils::ReadParam('sInputId', '');
 		$sFilter = utils::ReadParam('sFilter', '', false, 'raw_data');
 		$sJson = utils::ReadParam('json', '', false, 'raw_data');
@@ -294,7 +294,7 @@ try
 		$sAttCode = utils::ReadParam('sAttCode', '');
 		$iInputId = utils::ReadParam('iInputId', '');
 		$sSuffix = utils::ReadParam('sSuffix', '');
-		$sRemoteClass = utils::ReadParam('sRemoteClass', $sClass);
+		$sRemoteClass = utils::ReadParam('sRemoteClass', $sClass, false, 'class');
 		$bDuplicates = (utils::ReadParam('bDuplicates', 'false') == 'false') ? false : true;
 		$oWidget = new UILinksWidget($sClass, $sAttCode, $iInputId, $sSuffix, $bDuplicates);
 		if ($sFilter != '')
@@ -448,7 +448,7 @@ try
 
 		case 'link':
 		$oPage->SetContentType('text/html');
-		$sClass = utils::ReadParam('sclass', 'logInfra');
+		$sClass = utils::ReadParam('sclass', 'logInfra', false, 'class');
 		$sAttCode = utils::ReadParam('attCode', 'name');
 		//$sOrg = utils::ReadParam('org_id', '');
 		$sName = utils::ReadParam('q', '');
@@ -495,8 +495,8 @@ try
 		
 		case 'search_form':
 		$oPage->SetContentType('text/html');
-		$sClass = utils::ReadParam('className', '');
-		$sRootClass = utils::ReadParam('baseClass', '');
+		$sClass = utils::ReadParam('className', '', false, 'class');
+		$sRootClass = utils::ReadParam('baseClass', '', false, 'class');
 		$currentId = utils::ReadParam('currentId', '');
 		$sAction = utils::ReadParam('action', '');
 		$oFilter = new DBObjectSearch($sClass);
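Review bot: Across the ui.extkeywidget and ui.linkswidget cases the class names now get the 'class' filter, but `iInputId`, `sInputId`, `sAttCode` and `sSuffix` (lines 347-349, 356, 368, 377, 386, 395, 404, 413, 417-419) keep the default filter although they are handed straight to the widget constructors, which presumably emit them into generated element ids and JavaScript; if so, an explicit restrictive filter, or escaping at the point of output, is needed for the same reason the class filter was added. Line 422 uses a loose comparison inside a ternary; `$bDuplicates = (utils::ReadParam('bDuplicates', 'false') !== 'false');` says the same thing more directly. The switch's enclosing try block starts and ends outside the hunks.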

+ 4 - 6
pages/csvimport.php

@@ -192,12 +192,12 @@ try
 	{
 		$aResult = array();
 		$sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data');
-		$sCSVDataTruncated = utils::ReadParam('csvdata_truncated', '');
+		$sCSVDataTruncated = utils::ReadParam('csvdata_truncated', '', false, 'raw_data');
 		$sSeparator = utils::ReadParam('separator', ',', false, 'raw_data');
 		$sTextQualifier = utils::ReadParam('text_qualifier', '"', false, 'raw_data');
 		$bHeaderLine = (utils::ReadParam('header_line', '0') == 1);
 		$iRealSkippedLines = $iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
-		$sClassName = utils::ReadParam('class_name', '');
+		$sClassName = utils::ReadParam('class_name', '', false, 'class');
 		$aFieldsMapping = utils::ReadParam('field', array(), false, 'field_name');
 		$aSearchFields = utils::ReadParam('search_field', array(), false, 'field_name');
 		$iCurrentStep = $bSimulate ? 4 : 5;
@@ -506,8 +506,6 @@ try
 		{
 			$oPage->add('<input type="hidden" name="search_field['.$index.']" value="1"/>');
 		}
-		$aFieldsMapping = utils::ReadParam('field', array());
-		$aSearchFields = utils::ReadParam('search_field', array());
 		$aDisplayFilters = array();
 		if ($bSimulate)
 		{
@@ -808,7 +806,7 @@ EOF
 		{
 			$iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
 		}
-		$sClassName = utils::ReadParam('class_name', '');
+		$sClassName = utils::ReadParam('class_name', '', false, 'class');
 		$bAdvanced = utils::ReadParam('advanced', 0);
 		$sEncoding = utils::ReadParam('encoding', 'UTF-8');
 	
@@ -1096,7 +1094,7 @@ EOF
 		}
 		$sOtherTextQualifier = in_array($sTextQualifier, array('"', "'")) ? '' : $sTextQualifier;
 		$bHeaderLine = utils::ReadParam('header_line', 0);
-		$sClassName = utils::ReadParam('class_name', '');
+		$sClassName = utils::ReadParam('class_name', '', false, 'class');
 		$bAdvanced = utils::ReadParam('advanced', 0);
 		
 		// Create a truncated version of the data used for the fast preview
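Review bot: `nb_skipped_lines` at line 458 still gets the default filter and is then used as a line count, while `class_name` beside it gets the 'class' filter; `utils::ReadParam('nb_skipped_lines', 0, false, 'integer')` would match the 'integer' filter the commit applies to `id` elsewhere, provided the consumers accept an int default in place of the string '0'. The removal at lines 468-469 relies on `$aFieldsMapping` and `$aSearchFields` already being set by the reads at lines 461-462 in the same scope; if line 506 belongs to a different function or branch than line 192 those variables become undefined there, and since the full function is outside the hunks that deserves a check. `$bHeaderLine = (utils::ReadParam('header_line', '0') == 1)` at line 457 is also a loose comparison; reading it with the 'integer' filter or comparing `=== '1'` would be explicit.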

+ 1 - 1
pages/graphviz.php

@@ -108,7 +108,7 @@ function GraphvizLifecycle($sClass)
 	return $sDotFileContent;
 }
 
-$sClass = utils::ReadParam('class', 'bizIncidentTicket');
+$sClass = utils::ReadParam('class', 'bizIncidentTicket', false, 'class');
 $sDir = dirname(__FILE__);
 $sImageFilePath = $sDir."/../images/lifecycle/".$sClass.".png";
 $sDotExecutable = MetaModel::GetConfig()->Get('graphviz_path');
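Review bot: `$sClass` from line 500 is concatenated into a file path at line 502, so the new 'class' filter is the only thing keeping path separators and `..` out of `$sImageFilePath`; that dependency should be stated next to the read, e.g. `// The 'class' filter is what keeps $sClass safe for the file path below; do not relax it`. Checking the name against the model before touching the filesystem (MetaModel::IsValidClass, if this version has it) would also turn an unknown class into a clear error instead of a missing image. The top-level script continues outside the hunk.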

+ 1 - 1
pages/schema.php

@@ -524,7 +524,7 @@ $operation = utils::ReadParam('operation', '');
 switch($operation)
 {
 	case 'details_class':
-	$sClass = utils::ReadParam('class', 'logRealObject');
+	$sClass = utils::ReadParam('class', 'logRealObject', false, 'class');
 	DisplayClassDetails($oPage, $sClass, $sContext);
 	break;
 	

+ 1 - 1
pages/xml.navigator.php

@@ -112,7 +112,7 @@ LoginWebPage::DoLogin(); // Check user rights and prompt if needed
 $oPage = new ajax_page("");
 $oPage->no_cache();
 
-$sClass = utils::ReadParam('class', 'Contact');
+$sClass = utils::ReadParam('class', 'Contact', false, 'class');
 $id = utils::ReadParam('id', 1);
 $sRelation = utils::ReadParam('relation', 'impacts');
 $aValidRelations = MetaModel::EnumRelations();

+ 2 - 2
portal/index.php

@@ -61,13 +61,13 @@ function DumpHiddenParams($oP, $aInteractive, $aParameters)
  * @input string $sMethod Either get or post
  * @return Hash Array of name => value corresponding to the parameters that were passed to the page
  */
-function ReadAllParams($sMethod = 'get')
+function ReadAllParams()
 {
 	$aParams = GetParamsList();
 	$aValues = array();
 	foreach($aParams as $sName)
 	{
-		$value = utils::ReadParam('attr_'.$sName, null, $sMethod);
+		$value = utils::ReadParam('attr_'.$sName, null, false, 'raw_data');
 		if (!is_null($value))
 		{
 			$aValues[$sName] = $value;

+ 2 - 2
setup/email.test.php

@@ -200,8 +200,8 @@ try
 		
 		case 'step2':
 		$oP->no_cache();
-		$sTo = Utils::ReadParam('to');
-		$sFrom = Utils::ReadParam('from');
+		$sTo = Utils::ReadParam('to', '', false, 'raw_data');
+		$sFrom = Utils::ReadParam('from', '', false, 'raw_data');
 		if (strlen($sFrom) == 0)
 		{
 			$sFrom = $sTo;
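Review bot: `to` and `from` at lines 560-561 are read as 'raw_data' and, after the empty check, presumably passed to the mailer as addresses; nothing here rejects embedded CR/LF, which in an address header becomes header injection. Validating each with `filter_var($sTo, FILTER_VALIDATE_EMAIL)` (which rejects newlines) and reporting a clear error on failure would be safer than 'raw_data' for these two values. The switch's enclosing try block starts and ends outside the hunk.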

+ 1 - 1
setup/index.php

@@ -1500,7 +1500,7 @@ ini_set('display_startup_errors', true);
 $aParams = array('mode', 'previous_step', 'licence_ok', 'db_server', 'db_user', 'db_pwd','db_name', 'new_db_name', 'db_prefix', 'module', 'sample_data', 'auth_user', 'auth_pwd', 'language', 'application_path');
 foreach($aParams as $sName)
 {
-	$aParamValues[$sName] = utils::ReadParam($sName, '');
+	$aParamValues[$sName] = utils::ReadParam($sName, '', false, 'raw_data');
 }
 
 if (file_exists(FINAL_CONFIG_FILE))
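Review bot: The loop at line 574 applies 'raw_data' uniformly to every setup parameter, including `application_path`, `db_prefix`, `db_name` and `module`, which presumably end up in file paths, SQL identifiers and includes later in the setup; one filter for all of them gives up the per-parameter filtering the rest of the commit introduces. Splitting the list into the values that genuinely need to be raw (the passwords) and those that should get a restrictive filter, or validating the latter where they are consumed, would match the commit's intent. The script continues outside the hunk.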

+ 1 - 1
test/testlist.inc.php

@@ -1834,7 +1834,7 @@ class TestImportREST extends TestWebServices
 			),
 		); 
 
-     	$sSubTests = utils::ReadParam('subtests', null);
+     	$sSubTests = utils::ReadParam('subtests', null, true, 'raw_data');
      	if (is_null($sSubTests))
      	{
 			foreach ($aLoads as $iTestId => $aLoadSpec)

+ 1 - 1
webservices/backoffice.dataloader.php

@@ -86,7 +86,7 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT");    // Date in the past
 /**
  * Main program
  */
-$sFileName = Utils::ReadParam('file', '');
+$sFileName = Utils::ReadParam('file', '', false, 'raw_data');
 
 $oP = new WebPage("iTop - Backoffice data loader");
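Review bot: `file` at line 600 is read as 'raw_data' into `$sFileName`; if that name is later used to open a file on disk (not visible here), the raw value allows `../` segments and absolute paths, so either the filter choice needs a justifying comment or the name should be constrained, e.g. `$sFileName = basename(Utils::ReadParam('file', '', false, 'raw_data'));` followed by a check that the resolved path lies inside the expected data directory. A short comment above the read saying where the file is expected to come from would help the next reader. The script continues outside the hunk.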
 

+ 1 - 1
webservices/export.php

@@ -45,7 +45,7 @@ $currentOrganization = utils::ReadParam('org_id', '');
 // Main program
 $sExpression = utils::ReadParam('expression', '', true /* Allow CLI */, 'raw_data');
 $sFormat = strtolower(utils::ReadParam('format', 'html'));
-$sFields = utils::ReadParam('fields', ''); // CSV field list (allows to specify link set attributes, still not taken into account for XML export)
+$sFields = utils::ReadParam('fields', '', true, 'raw_data'); // CSV field list (allows to specify link set attributes, still not taken into account for XML export)
 
 $oP = null;