Internal: Fix regression introduced during XSS protection on tag sets

Combodo · Dec 19, 2018 · 3219957 · 3219957
1 parent 44671a5
commit 3219957
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/js/search/search_form_criteria_enum.js b/js/search/search_form_criteria_enum.js
@@ -829,7 +829,7 @@ $(function()
 		// - Make a jQuery element for a list item
 		_makeListItemElement: function(sLabel, sValue, bInitChecked, bInitHidden)
 		{
-			var sEscapedLabel = $('<div />').text(sLabel).html();
+			var sEscapedLabel = sLabel; // Note: We don't escape this anymore as there is an issue with AttributeExternalKey being already escaped. This will be put back in iTop 2.7 with the AttributeDefinition::GetAllowedValues() refactoring. $('<div />').text(sLabel).html();
 			var oItemElem = $('<div></div>')
 				.addClass('sfc_opc_mc_item')
 				.attr('data-value-code', sValue)

diff --git a/sources/application/search/searchform.class.inc.php b/sources/application/search/searchform.class.inc.php
@@ -28,6 +28,7 @@
 use AttributeExternalField;
 use AttributeFriendlyName;
 use AttributeSubItem;
+use AttributeTagSet;
 use CMDBObjectSet;
 use Combodo\iTop\Application\Search\CriterionConversion\CriterionToSearchForm;
 use CoreException;
@@ -467,6 +468,16 @@ public static function GetFieldAllowedValues($oAttrDef)
 				return array('values' => $aAllowedValues);
 			}
 		}
+		elseif ($oAttrDef instanceof AttributeTagSet)
+		{
+			$aAllowedValues = array();
+			foreach($oAttrDef->GetAllowedValues() as $sCode => $sRawValue)
+			{
+				$aAllowedValues[$sCode] = utils::HtmlEntities($sRawValue);
+			}
+
+			return array('values' => $aAllowedValues);
+		}
 		else
 		{
 			if (method_exists($oAttrDef, 'GetAllowedValuesAsObjectSet'))