pluginsGLPI · stonebuzz · Oct 20, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 14, 2025
diff --git a/inc/common.class.php b/inc/common.class.php
@@ -1018,7 +1018,7 @@ public static function showGraphDatas(
                 echo "<tr class='tab_bg_1'>";
                 echo '<td>' . htmlspecialchars($label2) . '</td>';
                 if ($simpledatas) { //simple array
-                    echo "<td class='center'>" . htmlspecialchars($cols) . ' ' . htmlspecialchars($unit) . '</td>';
+                    echo "<td class='center'>" . htmlspecialchars($cols) . ' ' . htmlspecialchars($unit ?? '') . '</td>';
                 } else { //multiple array
                     foreach ($cols as $date => $nb) {
                         if (!is_array($nb)) {

diff --git a/inc/graph.class.php b/inc/graph.class.php
@@ -60,7 +60,7 @@ public function initGraph($options)
             echo "<div class='graph_title'>";
             $gtype = htmlspecialchars($_REQUEST['gtype']);
 
-            echo "<img src='" . $CFG_GLPI['root_doc'] . "'/plugins/mreporting/pics/chart-$gtype.png' class='title_pics' />";
+            echo "<img src='" . $CFG_GLPI['root_doc'] . "/plugins/mreporting/pics/chart-$gtype.png' class='title_pics' />";
             echo htmlspecialchars($options['title']);
             echo '</div>';
 
@@ -105,7 +105,10 @@ public function initGraph($options)
 
         echo "<div class='graph' id='graph_content" . $randname . "'>";
 
-        $colors = htmlspecialchars("'" . implode("', '", PluginMreportingConfig::getColors()) . "'");
+
+        $colorsArray = PluginMreportingConfig::getColors();
+        $escapedColors = array_map(fn($color) => htmlspecialchars($color, ENT_QUOTES, 'UTF-8'), $colorsArray);
+        $colors = "'" . implode("', '", $escapedColors) . "'";
         echo "<script type='text/javascript+protovis'>
          showGraph$randname = function() {
             colors = pv.colors($colors);";
@@ -299,7 +302,7 @@ public function showHbar($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -496,7 +499,7 @@ public function showPie($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -776,7 +779,7 @@ function getLevelNbNode(node) {
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1008,7 +1011,7 @@ public function showHgbar($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1244,7 +1247,7 @@ public function showVstackbar($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1485,7 +1488,7 @@ public function showArea($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;
@@ -1765,7 +1768,7 @@ public function showGarea($params, $dashboard = false, $width = false)
 JAVASCRIPT;
 
         if ($show_graph) {
-            echo htmlspecialchars($JS);
+            echo $JS;
         }
 
         $opt['randname'] = $randname;

diff --git a/inc/graphpng.class.php b/inc/graphpng.class.php
@@ -86,7 +86,7 @@ public function initGraph($options)
                 echo '</div>';
             }
             echo "<div class='graph_title'>";
-            echo "<img src='" . $CFG_GLPI['root_doc'] . "'/plugins/mreporting/pics/chart-" . htmlspecialchars($prev_function) . ".png' class='title_pics' />";
+            echo "<img src='" . $CFG_GLPI['root_doc'] . "/plugins/mreporting/pics/chart-" . htmlspecialchars($prev_function) . ".png' class='title_pics' />";
             echo htmlspecialchars($options['title']);
             echo '</div>';
 

diff --git a/inc/helpdesk.class.php b/inc/helpdesk.class.php
@@ -88,7 +88,7 @@ public function reportHbarTicketNumberByEntity($config = [])
         $result = $DB->request($query);
 
         foreach ($result as $ticket) {
-            $label = empty($ticket['name']) ? __s('Root entity') : $ticket['name'];
+            $label = empty($ticket['name']) ? __s('Root entity') : htmlspecialchars($ticket['name']);
             $datas['datas'][$label] = $ticket['count'];
         }
 
@@ -142,9 +142,18 @@ public function reportHgbarTicketNumberByCatAndEntity($config = [])
             if (empty($data['category'])) {
                 $data['category'] = __s('None');
             }
+
+            $data['category'] = str_replace(
+                ["'", '"'],
+                ["\'", "&quot;"],
+                $data['category'],
+            );
+
             $categories[$data['category']] = $data['itilcategories_id'];
         }
 
+
+
         $labels2 = array_keys($categories);
 
         $tmp_cat = [];
@@ -426,8 +435,19 @@ private function reportHgbarTicketNumberByCategoryAndByType(array $config, $filt
                 $ticket['category_id']   = 0;
                 $ticket['category_name'] = __s('None');
             }
-            $type = $ticket['type'] == 0 ? __s('Undefined', 'mreporting') : Ticket::getTicketTypeName(intval($ticket['type']));
+            if ($ticket['type'] == 0) {
+                $type = __s('Undefined', 'mreporting');
+            } else {
+                $type = htmlspecialchars(Ticket::getTicketTypeName(intval($ticket['type'])));
+            }
             $datas['labels2'][$type]                         = $type;
+
+            $ticket['category_name'] = str_replace(
+                ["'", '"'],
+                ["\'", "&quot;"],
+                $ticket['category_name'],
+            );
+
             $datas['datas'][$ticket['category_name']][$type] = $ticket['count'];
         }
 
@@ -597,6 +617,12 @@ public function reportHgbarOpenedTicketNumberByCategory($config = [])
         foreach ($result as $ticket) {
             if (empty($ticket['category_name'])) {
                 $ticket['category_name'] = __s('None');
+            } else {
+                $ticket['category_name'] = str_replace(
+                    ["'", '"'],
+                    ["\'", "&quot;"],
+                    $ticket['category_name'],
+                );
             }
 
             if (!isset($datas['datas'][$ticket['category_name']])) {
@@ -607,6 +633,8 @@ public function reportHgbarOpenedTicketNumberByCategory($config = [])
                 }
             }
 
+
+
             $datas['datas'][$ticket['category_name']][$status[$ticket['status']]] = $ticket['count'];
         }
 
@@ -824,9 +852,10 @@ public function reportSunburstTicketByCategories($config = [])
         $itilcategory = new ITILCategory();
         foreach ($flat_datas as $cat_id => $current_datas) {
             if (!isset($flat_datas[$current_datas['parent']]) && ($current_datas['parent'] != 0 && $itilcategory->getFromDB(intval($current_datas['parent'])))) {
+
                 $flat_datas[$current_datas['parent']] = [
                     'id'     => $current_datas['parent'],
-                    'name'   => $itilcategory->fields['name'],
+                    'name'   => htmlspecialchars($itilcategory->fields['name']),
                     'parent' => $itilcategory->fields['itilcategories_id'],
                     'count'  => 0,
                 ];

diff --git a/psalm.xml b/psalm.xml
@@ -11,13 +11,16 @@
     </projectFiles>
 
     <issueHandlers>
-        <!--
-            Too many false positives.
-            - many are already secured by ForbidDynamicInstantiationRule, but Psalm does not seems to consider `is_a()` checks safe enough;
-            - many are related dynamic call to plugin functions/classes, we need a lot of refactor to indicate to Psalm these can be ignored;
-            - the rest is likely to not be exploitable, due to the really low probability to have a classname
-              that can be abused and that implements the specific static method called on a dynamic classname.
-        -->
+        <TaintedTextWithQuotes>
+            <errorLevel type="suppress">
+            <file name="inc/graph.class.php" />
+            </errorLevel>
+        </TaintedTextWithQuotes>
+        <TaintedHtml>
+            <errorLevel type="suppress">
+            <file name="inc/graph.class.php" />
+            </errorLevel>
+        </TaintedHtml>
         <TaintedCallable errorLevel="suppress" />
     </issueHandlers>
 </psalm>