Fix/snyk report #18077
Branch updated from cd57ecd to 0d8acad, then from 0d8acad to 3202cdb.
Quality Gate passed
// limit to GLPI Classes | ||
if (!class_exists($link_class) && !is_subclass_of($_POST["itemtype"], "CommonDBTM")) { | ||
return; | ||
} |
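Review bot: the `&&` in this guard means the early return only fires when both checks fail, so a class that exists but is not a CommonDBTM subclass still gets past the "limit to GLPI Classes" intent, and the two operands test different values (`$link_class` versus `$_POST["itemtype"]`). Because `is_subclass_of()` autoloads a class given as a string, the `class_exists()` check should short-circuit it; validating the single itemtype that is actually used, e.g. `if (!class_exists($link_class) || !is_subclass_of($link_class, 'CommonDBTM')) { return; }`, or resolving it through the project's `getItemForItemtype()` helper as suggested below, would cover both points.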
We should always use getItemForItemtype() to instantiate classes from a dynamic classname.
@@ -717,6 +717,8 @@ private static function getTabIconClass(?string $form_itemtype = null): string | |||
**/ | |||
public static function createTabEntry($text, $nb = 0, ?string $form_itemtype = null, string $icon = '') | |||
{ | |||
$text = htmlspecialchars($text); |
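Review bot: `htmlspecialchars($text)` is called with default flags, and before PHP 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped; pass the flags explicitly (`$text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE);`) so the output is the same on every supported PHP version. Escaping inside createTabEntry() will also double-encode any caller that already hands over escaped HTML in `$text`, so the call sites need to be audited together with this change.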
I created a PR for this one as it requires some calls to be adapted. See #18121.
We can even drop the GLPI_DEMO_MODE constant and its different usages. See #18122.
if (isset($_POST['language']) && $_POST['language'] != '' && isset($CFG_GLPI['languages'][$_POST['language']])) { | ||
$_SESSION["glpilanguage"] = $_POST['language']; | ||
} |
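Review bot: the condition assumes `$_POST['language']` is a string; an array value passes the `!= ''` test (a non-empty array compares unequal to an empty string) and then reaches `isset($CFG_GLPI['languages'][$_POST['language']])`, which raises a TypeError for an illegal offset type on PHP 8. Add `is_string($_POST['language'])` to the guard; the `!= ''` test then becomes redundant, since `isset()` on the empty-string key already fails.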
I guess the purpose of this is to be able to display a confirmation message in the target language when the user uses the language switch feature. This can probably be done in User::prepareInputForUpdate() when the target user is the current user. It would prevent side effects, for instance when the language present in the $_POST variable is related to something else than the current user.
Description
Working on the reports of local scans with Snyk (as we can only scan the default branch with their SaaS).