diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
index 35b3a3bc42..569537fed3 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
@@ -597,7 +597,7 @@ class PushController extends Controller
     private function formatUser(User $user)
     {
-        $subtitle = array_filter([htmlspecialchars($user->getJob()), htmlspecialchars($user->getCompany())]);
+        $subtitle = array_filter([$user->getJob(), $user->getCompany()]);
         return [
             'type' => 'USER',
diff --git a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php
index 0e9704b576..1bd06d83b2 100644
--- a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php
+++ b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php
@@ -806,7 +806,7 @@ class ThesaurusController extends Controller
                     if (!$t) {
                         $t = "...";
                     }
-                    $fullBranch = " / " . $t . $fullBranch;
+                    $fullBranch = " / " . htmlspecialchars($t) . $fullBranch;
                 }
             }
             $nodes = $xpathstruct->query("/record/description/*");
@@ -1159,7 +1159,7 @@ class ThesaurusController extends Controller
                 '1',
                 null
             );
-            $fullpath = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
+            $fullpathHtml = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
             $hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
             $languages = $synonyms = [];
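Review bot: Dropping `htmlspecialchars` from the subtitle parts means `formatUser` now returns raw strings, and the only thing keeping them harmless is that every consumer of this array escapes on output (the push template switches to `htmlEncode` in this commit, but `formatUser`'s return array runs past the hunk and its other fields are not visible here). That contract deserves a docblock on the method, e.g. `/** Array representation of a user for the push dialog; all string fields are raw and must be escaped by the consuming template. */`, so the next caller does not assume the data is pre-escaped. Note also that `array_filter` with no callback drops a job or company that is exactly `"0"`; pre-existing, but a `static fn ($s) => $s !== null && $s !== ''` callback would make the intent explicit.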
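Review bot: `htmlspecialchars($t)` on the new line of the @@ -806 hunk relies on PHP's default flags, which before 8.1 are `ENT_COMPAT | ENT_HTML401` and leave `'` unencoded, and it omits `ENT_SUBSTITUTE`, so a term with an invalid UTF-8 sequence makes the call return an empty string and silently drops that segment of the path; if `$fullBranch` can end up inside a single-quoted attribute the first point is a real gap. `$fullBranch = " / " . htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . $fullBranch;` closes both, and the same applies to `htmlspecialchars($match[2])` in the @@ -1180 hunk. The enclosing loop and method start and end outside the hunk.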
@@ -1180,6 +1180,16 @@ class ThesaurusController extends Controller
                 $languages[$lng_code[0]] = $language;
             }
+            // Escape path between span tag in fullpath_html
+            preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, $matches, PREG_SET_ORDER);
+
+            $safeFullpath = '';
+            foreach($matches as $match) {
+                unset($match[0]); // full match result not used
+                $match[2] = htmlspecialchars($match[2]);
+                $safeFullpath .= implode('', $match);
+            }
+
             return $this->render('thesaurus/properties.html.twig', [
                 'typ' => $request->get('typ'),
                 'bid' => $request->get('bid'),
@@ -1187,7 +1197,7 @@ class ThesaurusController extends Controller
                 'id' => $request->get('id'),
                 'dlg' => $request->get('dlg'),
                 'languages' => $languages,
-                'fullpath' => $fullpath,
+                'fullpath' => $safeFullpath,
                 'hits' => $hits,
                 'synonyms' => $synonyms,
             ]);
@@ -2128,7 +2138,7 @@ class ThesaurusController extends Controller
                 $sy = $sy_list->appendChild($ret->createElement("sy"));
                 $sy->setAttribute("id", $n->getAttribute("id"));
-                $sy->setAttribute("v", htmlspecialchars($t = $n->getAttribute("v")));
+                $sy->setAttribute("v", $t = $n->getAttribute("v"));
                 $sy->setAttribute("w", $n->getAttribute("w"));
                 $sy->setAttribute("hits", '');
                 $sy->setAttribute("lng", $lng = $n->getAttribute("lng"));
@@ -2177,7 +2187,7 @@ class ThesaurusController extends Controller
                 $firstsy = $goodsy = null;
                 for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
                     if ($n2->nodeName == "sy") {
-                        $t = htmlspecialchars($n2->getAttribute("v"));
+                        $t = $n2->getAttribute("v");
                         if (! $firstsy) {
                             $firstsy = $t;
                         }
diff --git a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php
index e7b844297f..ca820a6be5 100644
--- a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php
+++ b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php
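Review bot: The `preg_match_all` loop in the new block silently drops every part of `$fullpathHtml` that is not enclosed by a pair of tags — text before the first tag, text between one closing tag and the next opening tag (a ` / ` separator, for instance), and text after the last tag — because unmatched stretches never enter `$matches`; a nested run such as `<a><b>x</b></a>` loses `x` for the same reason, since the lazy `(.*?)` matches the empty string between `<a>` and `<b>`. Splitting on the tags instead keeps every byte and still escapes only the text segments, as below. The tag text itself is still passed through unescaped in both versions, which is only acceptable if `fullpath_html` is generated by the application rather than derived from user input — worth confirming, since it is read straight out of the DOM at @@ -1159; escaping in the twig template at output time would avoid parsing markup with a regex at all. The enclosing method starts before this hunk.
```php
// … unchanged: languages loop …
// Escape only the text segments of fullpath_html; with PREG_SPLIT_DELIM_CAPTURE the
// captured tags sit at odd offsets and are kept verbatim, so no segment is dropped.
$safeFullpath = '';
foreach (preg_split('/(<[^><]*>)/', $fullpathHtml, -1, PREG_SPLIT_DELIM_CAPTURE) as $i => $segment) {
    $safeFullpath .= ($i % 2 === 1)
        ? $segment
        : htmlspecialchars($segment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// … unchanged: render() call …
```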
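Review bot: In the @@ -2128 hunk the assignment inside the argument list, `$sy->setAttribute("v", $t = $n->getAttribute("v"));`, is all that is left of the removed line, and since `$t` is reused below the hunk a plain `$t = $n->getAttribute("v");` followed by `$sy->setAttribute("v", $t);` says the same thing without hiding the side effect (the `$lng =` on the last context line has the same shape). Dropping `htmlspecialchars` here is sound because the DOM serialiser encodes attribute values itself, so the old code double-encoded. The `$t` of the @@ -2177 hunk, however, is now not escaped anywhere visible and its uses (`$firstsy`, `$goodsy`) lie outside the hunk, so a comment such as `// raw synonym text: must be escaped at the point of HTML output` on that line would record where escaping is now expected.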
@@ -252,7 +252,7 @@ class ThesaurusXmlHttpController extends Controller
                 /** @var DOMElement $n2 */
                 for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
                     if ($n2->nodeName == "sy") {
-                        $sy = htmlspecialchars($n2->getAttribute("v"));
+                        $sy = $n2->getAttribute("v");
                         if (!$firstsy) {
                             $firstsy = $sy;
                             if ($request->get("debug")) {
@@ -441,7 +441,7 @@ class ThesaurusXmlHttpController extends Controller
                 for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
                     if ($n2->nodeName == "sy") {
                         $lng = $n2->getAttribute("lng");
-                        $t = htmlspecialchars($n2->getAttribute("v"));
+                        $t = $n2->getAttribute("v");
                         $ksy = $n2->getAttribute("w");
                         if ($k = $n2->getAttribute("k")) {
                             $ksy .= " ($k)";
@@ -586,7 +586,7 @@ class ThesaurusXmlHttpController extends Controller
                 for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
                     if ($n2->nodeName == "sy") {
                         $lng = $n2->getAttribute("lng");
-                        $t = htmlspecialchars($n2->getAttribute("v"));
+                        $t = $n2->getAttribute("v");
                         $ksy = $n2->getAttribute("w");
                         if ($k = $n2->getAttribute("k")) {
                             $ksy .= " ($k)";
@@ -843,7 +843,7 @@ class ThesaurusXmlHttpController extends Controller
                 for ($n2 = $n->firstChild; $n2; $n2 = $n2->nextSibling) {
                     if ($n2->nodeName == 'sy') {
                         $lng = $n2->getAttribute('lng');
-                        $t = htmlspecialchars($n2->getAttribute('v'));
+                        $t = $n2->getAttribute('v');
                         $key = $n2->getAttribute('w'); // key of the current sy
                         if ($k = $n2->getAttribute('k')) {
                             $key .= ' (' . $k . ')';
@@ -920,7 +920,7 @@ class ThesaurusXmlHttpController extends Controller
             $bid = $request->get('bid');
             for ($i = 0; $i < $nodes->length; $i++) {
                 $n = $nodes->item($i);
-                $t = htmlspecialchars($n->getAttribute('v'));
+                $t = $n->getAttribute('v');
                 $tid = $n->getAttribute('id');
                 $html .= '
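Review bot: `$sy` at @@ -252 (and `$t` at @@ -441, @@ -586 and @@ -843) now holds the raw `v` attribute, but every consumer of those variables — `$firstsy`, the `$ksy`/`$key` values, whatever is emitted under `if ($request->get("debug"))` — lies outside the hunks, so the commit alone gives no way to see where the escaping now happens. A one-line comment at each assignment, `// raw value: escaped client-side (htmlEncode / escapeHtmlDataFromXML); never concatenate into HTML here`, would record the new contract, and any of these paths that still builds HTML in PHP needs `htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at the concatenation instead. The @@ -441 and @@ -586 hunks are byte-identical loops, which suggests a shared private helper would keep the two from drifting apart. Each enclosing loop starts and ends outside its hunk.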

';
@@ -967,7 +967,7 @@ class ThesaurusXmlHttpController extends Controller
             $allsy = '';
             for ($n = $srcnode->firstChild; $n; $n = $n->nextSibling) {
                 if ($n->nodeName == 'sy') {
-                    $t = htmlspecialchars($n->getAttribute('v'));
+                    $t = $n->getAttribute('v');
                     if ($n->getAttribute('bold')) {
                         $allsy .= ( $allsy ? ' ; ' : '') . 'getAttribute('id') . '\'>' . $t . '';
                     } else {
@@ -1078,12 +1078,12 @@ class ThesaurusXmlHttpController extends Controller
             $ret['result'] = array();
             for ($i = 0; $i < $nodes->length; $i++) {
                 $n = $nodes->item($i);
-                $t = htmlspecialchars($n->getAttribute('v'));
+                $t = $n->getAttribute('v');
                 $tid = $n->getAttribute('id');
                 $ret['result'][] = array(
                     'id' => $n->getAttribute('id'),
-                    't' => htmlspecialchars($n->getAttribute('v')),
+                    't' => $n->getAttribute('v'),
                 );
             }
         }
@@ -1103,7 +1103,7 @@ class ThesaurusXmlHttpController extends Controller
             $allsy = array();
             for ($n = $srcnode->firstChild; $n; $n = $n->nextSibling) {
                 if ($n->nodeName == 'sy') {
-                    $t = htmlspecialchars($n->getAttribute('v'));
+                    $t = $n->getAttribute('v');
                     $allsy[] = array(
                         'id' => $n->getAttribute('id'),
                         't' => $t,
@@ -1190,7 +1190,7 @@ class ThesaurusXmlHttpController extends Controller
             } else {
                 for ($i = 0; $i < $nodes->length; $i++) {
                     $n = $nodes->item($i);
-                    $t = htmlspecialchars($n->getAttribute('v'));
+                    $t = $n->getAttribute('v');
                     $tid = $n->getAttribute('id');
                     $zhtml .= '
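Review bot: Removing `htmlspecialchars` from `$t` in the @@ -967 hunk puts the raw synonym straight into the string-built markup two lines below (`... . '\'>' . $t . ''`, whose tags did not survive this rendering), so unless `$allsy` is escaped again before it reaches a browser this reintroduces unescaped thesaurus data into HTML; the same holds for `$t` feeding `$html .=` at @@ -920, `$zhtml .=` at @@ -1190 and the identical `$allsy` loop at @@ -1213. Keep `$t` raw for the non-HTML uses if that is the intent, but escape at the concatenation: `. htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') .` in place of `. $t .`. If `$allsy` is instead handed to the client as data and escaped there, say so in a comment on the assignment, because the hunk alone cannot show it. The enclosing loop and the `else` branch continue outside the hunk.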
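Review bot: In the @@ -1078 hunk `$t` and `$tid` are assigned on the changed line and the one after it but never read — the array literal below calls `$n->getAttribute('id')` and `$n->getAttribute('v')` a second time, and the whole loop body is inside the hunk. Either use them, `'id' => $tid,` / `'t' => $t,`, or drop the two assignments; as written a reader has to verify twice that both reads yield the same value. The `'t' => $t` form is already what the @@ -1103 hunk does.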

';
@@ -1213,7 +1213,7 @@ class ThesaurusXmlHttpController extends Controller
             $allsy = '';
             for ($n = $srcnode->firstChild; $n; $n = $n->nextSibling) {
                 if ($n->nodeName == 'sy') {
-                    $t = htmlspecialchars($n->getAttribute('v'));
+                    $t = $n->getAttribute('v');
                     if ($n->getAttribute('bold')) {
                         $allsy .= ( $allsy ? ' ; ' : '') . 'getAttribute('id') . '\'>' . $t . '';
                     } else {
@@ -1611,7 +1611,7 @@ class ThesaurusXmlHttpController extends Controller
                     if ($n2->nodeName == 'sy') {
                         $lng = $n2->getAttribute('lng');
-                        $t = htmlspecialchars($n2->getAttribute('v'));
+                        $t = $n2->getAttribute('v');
                         $key = $n2->getAttribute('w'); // key of the current sy
                         if ($k = $n2->getAttribute('k')) {
diff --git a/templates/web/prod/templates/push.html.twig b/templates/web/prod/templates/push.html.twig
index fe47af8ed9..a769c2d3be 100644
--- a/templates/web/prod/templates/push.html.twig
+++ b/templates/web/prod/templates/push.html.twig
@@ -12,17 +12,17 @@
- <%= item.display_name %>
+ <%= htmlEncode(item.display_name) %>
- +
- <%= item.subtitle || '' %>
+ <%= htmlEncode(item.subtitle) || '' %>
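Review bot: `htmlEncode(item.subtitle) || ''` applies the fallback after encoding, so when `item.subtitle` is `undefined` or `null` the output depends on how `htmlEncode` stringifies it (the helper is added in the @@ -267 hunk, whose body did not survive this rendering) — a coercing implementation would print the literal text `undefined` or `null` where the old `item.subtitle || ''` printed nothing. Encode the fallback instead: `<%= htmlEncode(item.subtitle || '') %>`. The same pattern appears on the `user.subtitle` lines of the @@ -201 and @@ -242 hunks.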
@@ -47,7 +47,7 @@
@@ -81,12 +81,12 @@
- <%= item.name %>
+ <%= htmlEncode(item.name) %>
@@ -201,12 +201,12 @@
- <%= user.display_name %>
+ <%= htmlEncode(user.display_name) %>
- <%= user.subtitle || '' %>
+ <%= htmlEncode(user.subtitle) || '' %>
@@ -242,12 +242,12 @@
- <%= user.display_name %>
+ <%= htmlEncode(user.display_name) %>
- <%= user.subtitle || '' %>
+ <%= htmlEncode(user.subtitle) || '' %>
@@ -267,3 +267,22 @@ + diff --git a/templates/web/thesaurus/new-term.html.twig b/templates/web/thesaurus/new-term.html.twig index 8c7c825392..5c9dc238ca 100644 --- a/templates/web/thesaurus/new-term.html.twig +++ b/templates/web/thesaurus/new-term.html.twig @@ -16,11 +16,11 @@ {% if context %} {% set zterm %} - {% trans with {'%term%' : term, '%context%' : context} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %} + {% trans with {'%term%' : term | e, '%context%' : context | e} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %} {% endset %} {% else %} {% set zterm %} - {% trans with {'%term%' : term} %}thesaurus:: le terme %term% sans contexte{% endtrans %} + {% trans with {'%term%' : term | e} %}thesaurus:: le terme %term% sans contexte{% endtrans %} {% endset %} {% endif %} diff --git a/templates/web/thesaurus/thesaurus.html.twig b/templates/web/thesaurus/thesaurus.html.twig index 692d5ad355..87b234b371 100644 --- a/templates/web/thesaurus/thesaurus.html.twig +++ b/templates/web/thesaurus/thesaurus.html.twig @@ -338,6 +338,8 @@ for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling ) { var lng = sy.getAttribute("lng"); + var v = escapeHtmlDataFromXML(sy.getAttribute("v")); + html += ""; if(lng) if(tFlags[lng]) @@ -347,7 +349,7 @@ else html += ""; - html += ""; + html += ""; var hits = 0+sy.getAttribute("hits"); if(hits == 1) @@ -361,6 +363,12 @@ return(html); } + // Let the browser to do it + function escapeHtmlDataFromXML(data){ + var d = document.createElement('div'); + d.appendChild(document.createTextNode(data)); + return d.innerHTML; + } // /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //
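Review bot: `escapeHtmlDataFromXML` in the @@ -361 hunk serialises a text node through `innerHTML`, which browsers encode as `&`, `<` and `>` only — `"` and `'` come back untouched, so the helper is safe for element text but not for attribute values, and with the markup of the `html += "..."+ v +"..."` line at @@ -347 lost in this rendering I cannot tell which context `v` lands in. Either document the restriction in place of the current comment (`// text-content escaping only: quotes are NOT encoded, do not use for attribute values`) or encode quotes explicitly as below, which also stops a missing attribute (`getAttribute` returning `null`) from rendering as the text `null` via `createTextNode`. The existing comment reads better as `// Let the browser do it`.
```javascript
// Escapes data for HTML text *and* attribute context; does not depend on DOM serialisation rules.
function escapeHtmlDataFromXML(data) {
    return String(data == null ? '' : data)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}
```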
- <%= user.display_name %> + <%= htmlEncode(user.display_name) %>
- <%= user.subtitle || '' %> + <%= htmlEncode(user.subtitle) || '' %>
 ?  "+sy.getAttribute("v")+" "+ v +"