Fix/snyk report #18077
Fix/snyk report #18077
Conversation
orthagh
force-pushed
the
fix/snyk_report
branch
from
cd57ecd
to
0d8acad
Compare
orthagh
force-pushed
the
fix/snyk_report
branch
from
0d8acad
to
3202cdb
Compare
|
| // limit to GLPI Classes | ||
| if (!class_exists($link_class) && !is_subclass_of($_POST["itemtype"], "CommonDBTM")) { | ||
| return; | ||
| } |
There was a problem hiding this comment.
We should always use getItemForItemtype() to instanciate classes from a dynamic classname.
| @@ -717,6 +717,8 @@ private static function getTabIconClass(?string $form_itemtype = null): string | |||
| **/ | |||
| public static function createTabEntry($text, $nb = 0, ?string $form_itemtype = null, string $icon = '') | |||
| { | |||
| $text = htmlspecialchars($text); | |||
There was a problem hiding this comment.
I created a PR for this one as it requires some calls to be adapted. See #18121.
There was a problem hiding this comment.
We can even drop the GLPI_DEMO_MODE constant and its different usages. See #18122.
| if (isset($_POST['language']) && $_POST['language'] != '' && isset($CFG_GLPI['languages'][$_POST['language']])) { | ||
| $_SESSION["glpilanguage"] = $_POST['language']; | ||
| } |
There was a problem hiding this comment.
I guess the purpose of this is to be able to display a confirmation message in the target language when the user uses the language switch feature. This can probably be done in User::prepareInputForUpdate() when the target user is the current user.
It would prevent side effects, for instance when the language present in the $_POST variable is related to something else than the current user.
Description
Working on the reports of local scans with snyk (as we can only scan the default branch with their saas)