From f9150075246df4ed9755a4a150e25edb468767be Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com>
Date: Mon, 2 Dec 2024 13:36:21 -0500
Subject: [PATCH] Security: Confirm delete action with modal instead of alert Fix advisory GHSA-gw58-89f7-4xgj
---
 main/inc/lib/glossary.lib.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/main/inc/lib/glossary.lib.php b/main/inc/lib/glossary.lib.php
index 732dca98f25..6c199f4f0f4 100755
--- a/main/inc/lib/glossary.lib.php
+++ b/main/inc/lib/glossary.lib.php
@@ -663,8 +663,16 @@ public static function actions_filter($glossary_id, $url_params, $row)
 $glossary_term = Security::remove_XSS(strip_tags($glossary_data['name']));
 if (api_is_allowed_to_edit(null, true)) {
 if ($glossary_data['session_id'] == api_get_session_id()) {
- $return .= ''.
- Display::return_icon('delete.png', get_lang('Delete'), '', 22).'';
+ $return .= Display::url(
+ Display::return_icon('delete.png', get_lang('Delete')),
+ '#',
+ [
+ 'data-item-title' => $glossary_term,
+ 'data-href' => api_get_self().'?action=delete_glossary&glossary_id='.$glossary_id.'&'.api_get_cidreq(),
+ 'data-toggle' => 'modal',
+ 'data-target' => '#confirm-delete',
+ ]
+ );
 } else {
 $return = get_lang('EditionNotAvailableFromSession');
 }
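Review bot: `data-item-title` now carries `$glossary_term` into an HTML attribute, so the fix holds only if `Display::url()` attribute-encodes its values and the `#confirm-delete` handler writes the title into the modal as text rather than markup; neither is visible in this hunk. `Security::remove_XSS(strip_tags(...))` filters markup but is not an attribute encoder, and the browser decodes entities when a script reads the data attribute, so a handler that inserts the value as HTML could reopen the kind of injection this commit appears to be closing. I would add a comment above the array, `// data-item-title: must be attribute-escaped by Display::url() and rendered as text by the #confirm-delete modal script`, and confirm both. Separately, `data-href` still points at a GET URL that deletes the term with no anti-CSRF token visible in the query string, and `$glossary_id` is concatenated without an `(int)` cast; the body of actions_filter continues outside the hunk, so either may be handled elsewhere.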