remove xss on dbutil::formatUserName

orthagh · trasher · commit 6dc5cb685616 · 2020-05-05T14:11:11.000+02:00
diff --git a/inc/dbutils.class.php b/inc/dbutils.class.php
@@ -1542,7 +1542,7 @@ public function getPreviousItem($table, $ID, $condition = "", $nextprev_item = "
     *
     * @return string formatted username
     */
-   public function formatUserName($ID, $login, $realname, $firstname, $link = 0, $cut = 0, $force_config = false) {
+   public function formatUserName($ID, $login, $realname, $firstname, $link = 1, $cut = 0, $force_config = false) {
       global $CFG_GLPI;
 
       $before = "";
@@ -1559,37 +1559,38 @@ public function formatUserName($ID, $login, $realname, $firstname, $link = 0, $c
       }
 
       if (strlen($realname) > 0) {
-         $temp = $realname;
+         $formatted = $realname;
 
          if (strlen($firstname) > 0) {
             if ($order == User::FIRSTNAME_BEFORE) {
-               $temp = $firstname." ".$temp;
+               $formatted = $firstname." ".$formatted;
             } else {
-               $temp .= " ".$firstname;
+               $formatted .= " ".$firstname;
             }
          }
 
          if (($cut > 0)
-            && (Toolbox::strlen($temp) > $cut)) {
-            $temp = Toolbox::substr($temp, 0, $cut)." ...";
+            && (Toolbox::strlen($formatted) > $cut)) {
+            $formatted = Toolbox::substr($formatted, 0, $cut)." ...";
          }
 
       } else {
-         $temp = $login;
+         $formatted = $login;
       }
 
       if ($ID > 0
-         && ((strlen($temp) == 0) || $id_visible)) {
-         $temp = sprintf(__('%1$s (%2$s)'), $temp, $ID);
+         && ((strlen($formatted) == 0) || $id_visible)) {
+         $formatted = sprintf(__('%1$s (%2$s)'), $formatted, $ID);
       }
 
       if (($link == 1)
          && ($ID > 0)) {
-         $before = "<a title=\"".$temp."\" href='".User::getFormURLWithID($ID)."'>";
+         $before = "<a title=\"".Toolbox::addslashes_deep($formatted)."\"
+                       href='".User::getFormURLWithID($ID)."'>";
          $after  = "</a>";
       }
 
-      $username = $before.$temp.$after;
+      $username = $before.$formatted.$after;
       return $username;
    }
 

Original file line number	Diff line number	Diff line change
`@@ -1542,7 +1542,7 @@ public function getPreviousItem($table, $ID, $condition = "", $nextprev_item = "`
`1542`	`1542`	`*`
`1543`	`1543`	`* @return string formatted username`
`1544`	`1544`	`*/`
`1545`		`- public function formatUserName($ID, $login, $realname, $firstname, $link = 0, $cut = 0, $force_config = false) {`
	`1545`	`+ public function formatUserName($ID, $login, $realname, $firstname, $link = 1, $cut = 0, $force_config = false) {`
`1546`	`1546`	`global $CFG_GLPI;`
`1547`	`1547`
`1548`	`1548`	`$before = "";`
`@@ -1559,37 +1559,38 @@ public function formatUserName($ID, $login, $realname, $firstname, $link = 0, $c`
`1559`	`1559`	`}`
`1560`	`1560`
`1561`	`1561`	`if (strlen($realname) > 0) {`
`1562`		`- $temp = $realname;`
	`1562`	`+ $formatted = $realname;`
`1563`	`1563`
`1564`	`1564`	`if (strlen($firstname) > 0) {`
`1565`	`1565`	`if ($order == User::FIRSTNAME_BEFORE) {`
`1566`		`- $temp = $firstname." ".$temp;`
	`1566`	`+ $formatted = $firstname." ".$formatted;`
`1567`	`1567`	`} else {`
`1568`		`- $temp .= " ".$firstname;`
	`1568`	`+ $formatted .= " ".$firstname;`
`1569`	`1569`	`}`
`1570`	`1570`	`}`
`1571`	`1571`
`1572`	`1572`	`if (($cut > 0)`
`1573`		`- && (Toolbox::strlen($temp) > $cut)) {`
`1574`		`- $temp = Toolbox::substr($temp, 0, $cut)." ...";`
	`1573`	`+ && (Toolbox::strlen($formatted) > $cut)) {`
	`1574`	`+ $formatted = Toolbox::substr($formatted, 0, $cut)." ...";`
`1575`	`1575`	`}`
`1576`	`1576`
`1577`	`1577`	`} else {`
`1578`		`- $temp = $login;`
	`1578`	`+ $formatted = $login;`
`1579`	`1579`	`}`
`1580`	`1580`
`1581`	`1581`	`if ($ID > 0`
`1582`		`- && ((strlen($temp) == 0) \|\| $id_visible)) {`
`1583`		`- $temp = sprintf(__('%1$s (%2$s)'), $temp, $ID);`
	`1582`	`+ && ((strlen($formatted) == 0) \|\| $id_visible)) {`
	`1583`	`+ $formatted = sprintf(__('%1$s (%2$s)'), $formatted, $ID);`
`1584`	`1584`	`}`
`1585`	`1585`
`1586`	`1586`	`if (($link == 1)`
`1587`	`1587`	`&& ($ID > 0)) {`
`1588`		`- $before = "<a title=\"".$temp."\" href='".User::getFormURLWithID($ID)."'>";`
	`1588`	`+ $before = "<a title=\"".Toolbox::addslashes_deep($formatted)."\"`
	`1589`	`+ href='".User::getFormURLWithID($ID)."'>";`
`1589`	`1590`	`$after = "</a>";`
`1590`	`1591`	`}`
`1591`	`1592`
`1592`		`- $username = $before.$temp.$after;`
	`1593`	`+ $username = $before.$formatted.$after;`
`1593`	`1594`	`return $username;`
`1594`	`1595`	`}`
`1595`	`1596`