From e79eaa99c3d77b55e43c25d4d9061836216291a9 Mon Sep 17 00:00:00 2001
From: Charlotte Sacre
Date: Wed, 19 Jul 2023 11:35:29 -0400
Subject: [PATCH 1/2] issue_tracker - resolve special characters in title
---
 modules/issue_tracker/jsx/IssueForm.js | 19 ++++++++++++++++++-
 .../issue_tracker/jsx/issueTrackerIndex.js | 19 ++++++++++++++++++-
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/modules/issue_tracker/jsx/IssueForm.js b/modules/issue_tracker/jsx/IssueForm.js
index 90b7a972617..c25649233f9 100644
--- a/modules/issue_tracker/jsx/IssueForm.js
+++ b/modules/issue_tracker/jsx/IssueForm.js
@@ -54,6 +54,23 @@ class IssueForm extends Component {
 this.getFormData();
 }
+ /**
+ * Restores special characters in the text string
+ * @param {string} text
+ * @return {string}
+ */
+ htmlSpecialCharsDecode(text) {
+ if (text != null) {
+ return text
+ .replace(/&/g, '&')
+ .replace(/"/g, '"')
+ .replace(/</g, '<')
+ .replace(/>/g, '>');
+ } else {
+ return text;
+ }
+ }
+
 /**
 * Open 'Attachment Upload' Modal
 *
@@ -234,7 +251,7 @@ class IssueForm extends Component {
 name='title'
 label='Title'
 onUserInput={this.setFormData}
- value={this.state.formData.title}
+ value={this.htmlSpecialCharsDecode(this.state.formData.title)}
 disabled={!hasEditPermission}
 required={true}
 />
diff --git a/modules/issue_tracker/jsx/issueTrackerIndex.js b/modules/issue_tracker/jsx/issueTrackerIndex.js
index 74e30789d0c..0e5384dd542 100644
--- a/modules/issue_tracker/jsx/issueTrackerIndex.js
+++ b/modules/issue_tracker/jsx/issueTrackerIndex.js
@@ -50,6 +50,23 @@ class IssueTrackerIndex extends Component {
 });
 }
+ /**
+ * Restores special characters in the text string
+ * @param {string} text
+ * @return {string}
+ */
+ htmlSpecialCharsDecode(text) {
+ if (text != null) {
+ return text
+ .replace(/&/g, '&')
+ .replace(/"/g, '"')
+ .replace(/</g, '<')
+ .replace(/>/g, '>');
+ } else {
+ return text;
+ }
+ }
+
 /**
 * Modify behaviour of specified column cells in the Data Table component
 *
@@ -68,7 +85,7 @@ class IssueTrackerIndex extends Component {
- {row.Title}
+ {this.htmlSpecialCharsDecode(row.Title)}
 );
 result = {link};
From df1a7e1a1acc3dff26f59efb317f5ccd158f9375 Mon Sep 17 00:00:00 2001
From: Charlotte Sacre
Date: Thu, 10 Aug 2023 19:45:47 -0400
Subject: [PATCH 2/2] issue_tracker - use unsafe inserts/updates
---
 modules/issue_tracker/jsx/IssueForm.js | 19 +------------------
 .../issue_tracker/jsx/issueTrackerIndex.js | 19 +------------------
 modules/issue_tracker/php/edit.class.inc | 8 ++++----
 3 files changed, 6 insertions(+), 40 deletions(-)
diff --git a/modules/issue_tracker/jsx/IssueForm.js b/modules/issue_tracker/jsx/IssueForm.js
index c25649233f9..90b7a972617 100644
--- a/modules/issue_tracker/jsx/IssueForm.js
+++ b/modules/issue_tracker/jsx/IssueForm.js
@@ -54,23 +54,6 @@ class IssueForm extends Component {
 this.getFormData();
 }
- /**
- * Restores special characters in the text string
- * @param {string} text
- * @return {string}
- */
- htmlSpecialCharsDecode(text) {
- if (text != null) {
- return text
- .replace(/&/g, '&')
- .replace(/"/g, '"')
- .replace(/</g, '<')
- .replace(/>/g, '>');
- } else {
- return text;
- }
- }
-
 /**
 * Open 'Attachment Upload' Modal
 *
@@ -251,7 +234,7 @@ class IssueForm extends Component {
 name='title'
 label='Title'
 onUserInput={this.setFormData}
- value={this.htmlSpecialCharsDecode(this.state.formData.title)}
+ value={this.state.formData.title}
 disabled={!hasEditPermission}
 required={true}
 />
diff --git a/modules/issue_tracker/jsx/issueTrackerIndex.js b/modules/issue_tracker/jsx/issueTrackerIndex.js
index 0e5384dd542..74e30789d0c 100644
--- a/modules/issue_tracker/jsx/issueTrackerIndex.js
+++ b/modules/issue_tracker/jsx/issueTrackerIndex.js
@@ -50,23 +50,6 @@ class IssueTrackerIndex extends Component {
 });
 }
- /**
- * Restores special characters in the text string
- * @param {string} text
- * @return {string}
- */
- htmlSpecialCharsDecode(text) {
- if (text != null) {
- return text
- .replace(/&/g, '&')
- .replace(/"/g, '"')
- .replace(/</g, '<')
- .replace(/>/g, '>');
- } else {
- return text;
- }
- }
-
 /**
 * Modify behaviour of specified column cells in the Data Table component
 *
@@ -85,7 +68,7 @@ class IssueTrackerIndex extends Component {
- {this.htmlSpecialCharsDecode(row.Title)}
+ {row.Title}
 );
 result = {link};
diff --git a/modules/issue_tracker/php/edit.class.inc b/modules/issue_tracker/php/edit.class.inc
index 448dac4997b..0e3a0680d52 100644
--- a/modules/issue_tracker/php/edit.class.inc
+++ b/modules/issue_tracker/php/edit.class.inc
@@ -447,11 +447,11 @@ class Edit extends \NDB_Page implements ETagCalculator
 $historyValues = $this->getChangedValues($issueValues, $issueID, $user);
 if (!empty($issueID)) {
- $db->update('issues', $issueValues, ['issueID' => $issueID]);
+ $db->unsafeUpdate('issues', $issueValues, ['issueID' => $issueID]);
 } else {
 $issueValues['reporter'] = $user->getUsername();
 $issueValues['dateCreated'] = date('Y-m-d H:i:s');
- $db->insert('issues', $issueValues);
+ $db->unsafeInsert('issues', $issueValues);
 $issueID = intval($db->getLastInsertId());
 }
@@ -815,7 +815,7 @@ class Edit extends \NDB_Page implements ETagCalculator
 'issueID' => $issueID,
 'addedBy' => $user->getUsername(),
 ];
- $db->insert('issues_history', $changedValues);
+ $db->unsafeInsert('issues_history', $changedValues);
 }
 }
 }
@@ -838,7 +838,7 @@ class Edit extends \NDB_Page implements ETagCalculator
 'addedBy' => $user->getUsername(),
 'issueID' => $issueID,
 ];
- $db->insert('issues_comments', $commentValues);
+ $db->unsafeInsert('issues_comments', $commentValues);
 }
 }
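Review bot: Switching the three writes (`issues`, `issues_history`, `issues_comments`) to `unsafeUpdate`/`unsafeInsert` drops the wrapper's storage-time HTML escaping, but the series only shows the React consumers (`{row.Title}` and the Title input) that escape on render, and nothing in the diff audits the other readers of these columns — Smarty templates, notification e-mails, exports, or any `dangerouslySetInnerHTML` — which now receive raw user text and need their own output encoding. I am inferring from the name that `unsafe*` differs from `insert`/`update` only in skipping the escaping step and still binds values as prepared-statement parameters; please confirm that is the wrapper's contract, since the method name alone does not say which safety is dropped. The store also becomes mixed: rows written before this change presumably hold entity-encoded titles while new rows hold raw text, so either a one-off data migration or a documented decode-on-read is needed or old issues will display `&amp;` next to new ones showing `&`. A short comment at the first call site would stop the next refactor from reverting to the escaping variant: `// unsafeUpdate on purpose: the title is stored verbatim and escaped at render time by React (IssueForm.js / issueTrackerIndex.js)`. The enclosing method begins and ends outside the hunk.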