fix(form): remove html entities in db

Signed-off-by: Thierry Bugier <tbugier@teclib.com>
pluginsGLPI · Oct 24, 2018 · 468ee6b · 468ee6b
1 parent 5cac2b8
commit 468ee6b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 20 deletions.
diff --git a/inc/form.class.php b/inc/form.class.php
@@ -1021,13 +1021,6 @@ class='formcreator_form form_horizontal'>";
     * @return array the modified $input array
     */
    public function prepareInputForAdd($input) {
-      // Decode (if already encoded) and encode strings to avoid problems with quotes
-      foreach ($input as $key => $value) {
-         if (!is_array($value)) {
-            $input[$key] = plugin_formcreator_encode($value);
-         }
-      }
-
       // generate a unique id
       if (!isset($input['uuid'])
           || empty($input['uuid'])) {
@@ -1041,15 +1034,6 @@ public function prepareInputForAdd($input) {
             Session::addMessageAfterRedirect(__('The name cannot be empty!', 'formcreator'), false, ERROR);
             return [];
          }
-         $input['name'] = addslashes($input['name']);
-      }
-
-      if (isset($input['description'])) {
-         $input['description'] = addslashes($input['description']);
-      }
-
-      if (isset($input['content'])) {
-         $input['content'] = addslashes($input['content']);
       }
 
       if (!isset($input['requesttype'])) {
@@ -1934,6 +1918,8 @@ public static function import($form = []) {
    */
 
    public static function import(PluginFormcreatorImportLinker $importLinker, $form = []) {
+      global $DB;
+
       $form_obj = new self;
       $entity   = new Entity;
       $form_cat = new PluginFormcreatorCategory;
@@ -1960,7 +1946,9 @@ public static function import(PluginFormcreatorImportLinker $importLinker, $form
                                                           $form['uuid'])) {
          // add id key
          $form['id'] = $forms_id;
-
+         foreach (['name', 'description', 'content'] as $key) {
+            $form[$key] = $DB->escape($form[$key]);
+         }
          // update existing form
          $form_obj->update($form);
       } else {

diff --git a/install/update_2.6_2.7.php b/install/update_2.6_2.7.php
@@ -100,15 +100,15 @@ function plugin_formcreator_update_2_7(Migration $migration) {
       ]
    ];
    foreach ($DB->request($request) as $row) {
-      $values = html_entity_decode($row['values']);
-      $defaultValues = html_entity_decode($row['default_values']);
+      $values = Toolbox::addslashes_deep(html_entity_decode($row['values']));
+      $defaultValues = Toolbox::addslashes_deep(html_entity_decode($row['default_values']));
       $id = $row['id'];
       $DB->query("UPDATE `glpi_plugin_formcreator_questions` SET `values` = '$values', `default_values` = '$defaultValues' WHERE `id` = '$id'");
    }
 
    // decode html entities in name of questions
    foreach ($DB->request(['FROM' => 'glpi_plugin_formcreator_questions']) as $row) {
-      $name = html_entity_decode($row['name']);
+      $name = Toolbox::addslashes_deep(html_entity_decode($row['name']));
       $id = $row['id'];
       $DB->query("UPDATE `glpi_plugin_formcreator_questions` SET `name`='$name' WHERE `id` = '$id'");
    }
@@ -182,4 +182,16 @@ function plugin_formcreator_update_2_7(Migration $migration) {
    foreach ($tables as $table) {
       $migration->changeField($table, 'name', 'name', 'string', ['after' => 'id']);
    }
+
+   //remove html entities in forms
+   $request = [
+      'FROM'   => 'glpi_plugin_formcreator_forms',
+   ];
+   foreach ($DB->request($request) as $row) {
+      $name = Toolbox::addslashes_deep(html_entity_decode($row['name']));
+      $description = Toolbox::addslashes_deep(html_entity_decode($row['description']));
+      $content = Toolbox::addslashes_deep(html_entity_decode($row['content']));
+      $id = $row['id'];
+      $DB->query("UPDATE `glpi_plugin_formcreator_forms` SET `name` = '$name', `description` = '$description', `content` = '$content' WHERE `id` = '$id'");
+   }
 }