fix(Core): fix display

inc/common.class.php

@@ -1018,7 +1018,7 @@ public static function showGraphDatas(
                 echo "<tr class='tab_bg_1'>";
                 echo '<td>' . htmlspecialchars($label2) . '</td>';
                 if ($simpledatas) { //simple array
-                    echo "<td class='center'>" . htmlspecialchars($cols) . ' ' . htmlspecialchars($unit) . '</td>';
+                    echo "<td class='center'>" . htmlspecialchars($cols) . ' ' . htmlspecialchars($unit ?? '') . '</td>';
                 } else { //multiple array
                     foreach ($cols as $date => $nb) {
                         if (!is_array($nb)) {

inc/graph.class.php

@@ -105,7 +105,10 @@ public function initGraph($options)
 
         echo "<div class='graph' id='graph_content" . $randname . "'>";
 
-        $colors = htmlspecialchars("'" . implode("', '", PluginMreportingConfig::getColors()) . "'");
+
+        $colorsArray = PluginMreportingConfig::getColors();
+        $escapedColors = array_map(fn($color) => htmlspecialchars($color, ENT_QUOTES, 'UTF-8'), $colorsArray);
+        $colors = "'" . implode("', '", $escapedColors) . "'";
         echo "<script type='text/javascript+protovis'>
          showGraph$randname = function() {
             colors = pv.colors($colors);";
@@ -299,7 +302,7 @@ public function showHbar($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -496,7 +499,7 @@ public function showPie($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -776,7 +779,7 @@ function getLevelNbNode(node) {
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1008,7 +1011,7 @@ public function showHgbar($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1244,7 +1247,7 @@ public function showVstackbar($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1485,7 +1488,7 @@ public function showArea($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1765,7 +1768,7 @@ public function showGarea($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;

inc/helpdesk.class.php

@@ -424,11 +424,15 @@ private function reportHgbarTicketNumberByCategoryAndByType(array $config, $filt
         foreach ($result as $ticket) {
             if (empty($ticket['category_id'])) {
                 $ticket['category_id']   = 0;
-                $ticket['category_name'] = __s('None');
+                $ticket['category_name'] = __('None');
+            }
+            if ($ticket['type'] == 0) {
+                $type = __('Undefined', 'mreporting');
+            } else {
+                $type = htmlspecialchars(Ticket::getTicketTypeName(intval($ticket['type'])));
             }
-            $type = $ticket['type'] == 0 ? __s('Undefined', 'mreporting') : Ticket::getTicketTypeName(intval($ticket['type']));
             $datas['labels2'][$type]                         = $type;
-            $datas['datas'][$ticket['category_name']][$type] = $ticket['count'];
+            $datas['datas'][htmlspecialchars($ticket['category_name'])][$type] = $ticket['count'];
         }
 
         return $datas;
@@ -826,7 +830,7 @@ public function reportSunburstTicketByCategories($config = [])
             if (!isset($flat_datas[$current_datas['parent']]) && ($current_datas['parent'] != 0 && $itilcategory->getFromDB(intval($current_datas['parent'])))) {
                 $flat_datas[$current_datas['parent']] = [
                     'id'     => $current_datas['parent'],
-                    'name'   => $itilcategory->fields['name'],
+                    'name'   => htmlspecialchars($itilcategory->fields['name']),
                     'parent' => $itilcategory->fields['itilcategories_id'],
                     'count'  => 0,
                 ];

psalm.xml

@@ -11,13 +11,16 @@
     </projectFiles>
 
     <issueHandlers>
-        <!--
-            Too many false positives.
-            - many are already secured by ForbidDynamicInstantiationRule, but Psalm does not seems to consider `is_a()` checks safe enough;
-            - many are related dynamic call to plugin functions/classes, we need a lot of refactor to indicate to Psalm these can be ignored;
-            - the rest is likely to not be exploitable, due to the really low probability to have a classname
-              that can be abused and that implements the specific static method called on a dynamic classname.
-        -->
+        <TaintedTextWithQuotes>
+            <errorLevel type="suppress">
+            <file name="inc/graph.class.php" />
+            </errorLevel>
+        </TaintedTextWithQuotes>
+        <TaintedHtml>
+            <errorLevel type="suppress">
+            <file name="inc/graph.class.php" />
+            </errorLevel>
+        </TaintedHtml>
         <TaintedCallable errorLevel="suppress" />
     </issueHandlers>
 </psalm>