escape single quote in HTML option of a dropdown

fix #3308
glpi-project · Dec 19, 2017 · 7cd0aa1 · 7cd0aa1
1 parent baca5c9
commit 7cd0aa1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/inc/dropdown.class.php b/inc/dropdown.class.php
@@ -1930,7 +1930,7 @@ static function showFromArray($name, array $elements, $options = []) {
                $output .= "</optgroup>";
             } else {
                if (!isset($param['used'][$key])) {
-                  $output .= "<option value='".$key."'";
+                  $output .= "<option value='".Html::entities_deep($key)."'";
                   // Do not use in_array : trouble with 0 and empty value
                   foreach ($param['values'] as $value) {
                      if (strcmp($key, $value)===0) {