N°9235 - Sanitize oql_clause query parameter in universal search page

Lenaick · Lenaick · commit 7bfa14a8744c · 2026-03-09T17:06:00.000+01:00
diff --git a/pages/UniversalSearch.php b/pages/UniversalSearch.php
@@ -109,7 +109,7 @@
 	$oP->SetBreadCrumbEntry($sPageId, $sLabel, '', '', 'fas fa-search', iTopWebPage::ENUM_BREADCRUMB_ENTRY_ICON_TYPE_CSS_CLASSES);
 
 	// Menu node
-	$sFilter = $oFilter->ToOQL();
+	$sFilter = utils::EscapeHtml($oFilter->ToOQL());
 	$oP->add("\n<!-- $sFilter -->\n");
 }
 $oP->add("</div>\n");

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@`
`109`	`109`	`$oP->SetBreadCrumbEntry($sPageId, $sLabel, '', '', 'fas fa-search', iTopWebPage::ENUM_BREADCRUMB_ENTRY_ICON_TYPE_CSS_CLASSES);`
`110`	`110`
`111`	`111`	`// Menu node`
`112`		`- $sFilter = $oFilter->ToOQL();`
	`112`	`+ $sFilter = utils::EscapeHtml($oFilter->ToOQL());`
`113`	`113`	`$oP->add("\n<!-- $sFilter -->\n");`
`114`	`114`	`}`
`115`	`115`	`$oP->add("</div>\n");`