diff --git a/CHANGELOG.md b/CHANGELOG.md index 839fca2b..95368426 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/). - Fix crash when injection model has no mandatory fields defined - Fix models created on parent entities can't be used on child entites - Fix responsible group injection payload normalization so group remains visible in GLPI after import +- Fix incorrect escaping of apostrophes and accents - Fix plugin rights initialization and cleanup + ## [2.15.4] - 2026-03-16 ### Fixed diff --git a/inc/backendcsv.class.php b/inc/backendcsv.class.php index b694c07d..a2863be3 100644 --- a/inc/backendcsv.class.php +++ b/inc/backendcsv.class.php @@ -91,14 +91,11 @@ public function setHeaderPresent($present = true) **/ public static function parseLine($fic, $data, $encoding = 1) { - /** @var DBmysql $DB */ - global $DB; - $csv = []; $num = count($data); for ($c = 0; $c < $num; $c++) { - $tmp = trim($DB->escape($data[$c])); + $tmp = trim($data[$c]); switch ($encoding) { case PluginDatainjectionBackend::ENCODING_ISO8859_1: $csv[0][] = $tmp === '' || $tmp === '0' ? Toolbox::encodeInUtf8($tmp) : $tmp; diff --git a/inc/mapping.class.php b/inc/mapping.class.php index 99c44f19..98f059d1 100644 --- a/inc/mapping.class.php +++ b/inc/mapping.class.php @@ -28,6 +28,11 @@ * ------------------------------------------------------------------------- */ +use Glpi\Application\View\TemplateRenderer; + +use function Safe\ob_get_clean; +use function Safe\ob_start; + class PluginDatainjectionMapping extends CommonDBTM { public static $rightname = "plugin_datainjection_model"; 
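Review bot: Dropping `$DB->escape()` from `parseLine` makes every parsed cell an unescaped string, so quoting now has to happen wherever those values are later written to the database; the `addslashes` removal in inc/mappingcollection.class.php and the `stripslashes` removals in `isFileCorrect` are the same shift and this note covers those hunks too. The consumers are not in this diff, and the `$DB->doQuery($sql)` pattern visible in `load()` suggests some queries are still string-built, so each site that inserts a parsed value should be checked to go through the query builder / parameterised form rather than interpolation. Make the new contract explicit above the loop with `// Cells are returned unescaped; quote at the DB boundary (query builder), never here.`, and say the same in the `parseLine` docblock, which starts outside the hunk.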
@@ -93,60 +98,39 @@ public function getItemtype() **/ public static function showFormMappings(PluginDatainjectionModel $model) { - /** @var array $CFG_GLPI */ - global $CFG_GLPI; - $canedit = $model->can($model->fields['id'], UPDATE); - $lines = isset($_SESSION['datainjection']['lines']) ? unserialize($_SESSION['datainjection']['lines']) : []; - echo "
"; - - //Display link to the preview popup - if (isset($_SESSION['datainjection']['lines']) && !empty($lines)) { - $nblines = $_SESSION['datainjection']['nblines']; - echo ""; - echo ""; + $show_preview = isset($_SESSION['datainjection']['lines']) && !empty($lines); + $preview_url = ''; + if ($show_preview) { + $preview_url = plugin_datainjection_geturl() . "front/popup.php?popup=preview&models_id=" . $model->getID(); } - echo "
"; - $url = plugin_datainjection_geturl() . - "front/popup.php?popup=preview&models_id=" . - $model->getID(); - echo ""; - echo __s('See the file', 'datainjection') . ""; - echo "
"; - echo ""; - echo ""; - echo ""; - echo ""; - echo ""; - echo ""; - $model->loadMappings(); + $mappings = []; foreach ($model->getMappings() as $mapping) { - $mappings_id = $mapping->getID(); - echo ""; - echo ""; - echo ""; - echo ""; - echo ""; - } + $dropdown_html = ob_get_clean(); - if ($canedit) { - echo ""; + $mappings[] = [ + 'id' => $mapping->getID(), + 'name' => $mapping->fields['name'], + 'dropdown_html' => $dropdown_html, + ]; } - echo "
" . __s('Header of the file', 'datainjection') . "" . __s('Tables', 'datainjection') . "" . _sn('Field', 'Fields', 2) . "" . __s('Link field', 'datainjection') . "
" . $mapping->fields['name'] . ""; + ob_start(); $options = ['primary_type' => $model->fields['itemtype']]; PluginDatainjectionInjectionType::dropdownLinkedTypes($mapping, $options); - echo ""; - echo "
"; - echo ""; - echo ""; - echo "
"; - Html::closeForm(); + + TemplateRenderer::getInstance()->display('@datainjection/mappings_form.html.twig', [ + 'form_action' => Toolbox::getItemTypeFormURL(self::class), + 'show_preview' => $show_preview, + 'preview_url' => $preview_url, + 'mappings' => $mappings, + 'canedit' => $canedit, + 'model_id' => $model->fields['id'], + ]); } diff --git a/inc/mappingcollection.class.php b/inc/mappingcollection.class.php index 4d03393f..e77d4270 100644 --- a/inc/mappingcollection.class.php +++ b/inc/mappingcollection.class.php @@ -58,8 +58,6 @@ public function load($models_id) $this->mappingCollection = []; foreach ($data = $DB->doQuery($sql) as $data) { - // Addslashes to conform to value return by PluginDatainjectionBackendcsv::parseLine - $data["name"] = addslashes($data["name"]); $mapping = new PluginDatainjectionMapping(); $mapping->fields = $data; $this->mappingCollection[] = $mapping; diff --git a/inc/model.class.php b/inc/model.class.php index efc89ae1..26af99be 100644 --- a/inc/model.class.php +++ b/inc/model.class.php @@ -958,6 +958,7 @@ public static function getInstanceByModelID($models_id) $model->getFromDB($models_id); $specific = self::getInstance($model->getFiletype()); $specific->getFromDBByModelID($models_id); + $model->specific_model = $specific; return $model; } @@ -1180,11 +1181,11 @@ public function isFileCorrect() //If name of the mapping is not equal in the csv file header and in the DB $name_from_file = trim( mb_strtoupper( - stripslashes($header[$mapping->getRank()]), + $header[$mapping->getRank()], 'UTF-8', ), ); - $name_from_db = trim(mb_strtoupper(stripslashes($mapping->getName()), 'UTF-8')); + $name_from_db = trim(mb_strtoupper($mapping->getName(), 'UTF-8')); if ($name_from_db != $name_from_file) { if ($error['error_message'] == '') { 
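Review bot: The rewritten `showFormMappings` no longer reads `$_SESSION['datainjection']['nblines']`, which the removed preview branch fetched, and nothing named `nblines` is passed in the template context, so if the old markup displayed the line count next to the preview link that information is lost; either pass it through (`'nblines' => $_SESSION['datainjection']['nblines'] ?? 0`) or drop it deliberately. `dropdown_html` is the only value the template prints unescaped, so a comment on the `ob_start()` line such as `// Captured markup is emitted with |raw; only dropdownLinkedTypes output may be buffered here.` would keep a later edit from routing model strings through that buffer. `$mapping->fields['name']` is now the raw DB value (the `addslashes` in mappingcollection was removed), which is the right input for an autoescaped `mapping.name`.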
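Review bot: `$model->specific_model = $specific;` assigns a property that is not declared anywhere in this diff; if `PluginDatainjectionModel` or a parent does not declare it, this creates a dynamic property, which PHP 8.2 deprecates. Declare it on the class, typed as whatever `self::getInstance()` returns, with a one-line doc comment such as `/** Backend-specific model, populated by getInstanceByModelID(). */`. `getInstanceByModelID` starts outside the hunk.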
@@ -1331,7 +1332,7 @@ public static function showPreviewMappings($models_id) echo ""; foreach ($mappings as $mapping) { - echo"" . stripslashes($mapping->getMappingName()) . ""; + echo"" . htmlescape($mapping->getMappingName()) . ""; } echo ""; unset($lines[0]); @@ -1340,7 +1341,7 @@ public static function showPreviewMappings($models_id) foreach ($lines as $line) { echo ""; foreach ($line[0] as $value) { - echo "" . $value . ""; + echo "" . htmlescape($value) . ""; } echo ""; } diff --git a/templates/mappings_form.html.twig b/templates/mappings_form.html.twig new file mode 100644 index 00000000..1063f0e0 --- /dev/null +++ b/templates/mappings_form.html.twig @@ -0,0 +1,70 @@ +{# + # ------------------------------------------------------------------------- + # DataInjection plugin for GLPI + # ------------------------------------------------------------------------- + # + # LICENSE + # + # This file is part of DataInjection. + # + # DataInjection is free software; you can redistribute it and/or modify + # it under the terms of the GNU General Public License as published by + # the Free Software Foundation; either version 2 of the License, or + # (at your option) any later version. + # + # DataInjection is distributed in the hope that it will be useful, + # but WITHOUT ANY WARRANTY; without even the implied warranty of + # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + # GNU General Public License for more details. + # + # You should have received a copy of the GNU General Public License + # along with DataInjection. If not, see . + # ------------------------------------------------------------------------- + # @copyright Copyright (C) 2007-2023 by DataInjection plugin team. + # @license GPLv2 https://www.gnu.org/licenses/gpl-2.0.html + # @link https://github.com/pluginsGLPI/datainjection + # ------------------------------------------------------------------------- + #} + + + + {% if show_preview %} + + + + +
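Review bot: With `stripslashes` gone, `$name_from_db` and `$name_from_file` are plain strings compared two lines below with `!=`, a loose comparison under which numeric-looking header names (constructed example: `'100'` and `'1e2'`) count as equal; since both sides are already strings, change it to `if ($name_from_db !== $name_from_file) {`. The enclosing loop and `isFileCorrect` itself start outside the hunk.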
+ + {{ __('See the file', 'datainjection') }} + +
+ {% endif %} + + + + + + + + + + {% for mapping in mappings %} + + + + + + + {% endfor %} + + {% if canedit %} + + + + {% endif %} +
{{ __('Header of the file', 'datainjection') }}{{ __('Tables', 'datainjection') }}{{ _n('Field', 'Fields', 2) }}{{ __('Link field', 'datainjection') }}
{{ mapping.name }}{{ mapping.dropdown_html|raw }}
+ + +
+ +
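Review bot: `{{ mapping.dropdown_html|raw }}` is the one output in this template that bypasses autoescape, and since the markup appears stripped in this rendering I cannot see the form's hidden inputs; the PHP side dropped `Html::closeForm()`, which used to emit the CSRF token field, so confirm this form includes the token input that GLPI's form handling checks before `form_action` is posted. A Twig comment on the `|raw` line, `{# server-generated markup from dropdownLinkedTypes, never user data #}`, documents why that value is exempt. `{{ mapping.name }}` relies on autoescape being enabled, which I believe GLPI's TemplateRenderer does by default, but it is worth stating in the file header comment.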