From 1346fda7e16124448b3386543482431a09dd6f02 Mon Sep 17 00:00:00 2001 From: elmahdiabbassi Date: Thu, 20 Oct 2022 16:18:14 +0100 Subject: [PATCH 1/2] fix xss security in pbreadcrumbs file and refactor code --- www/include/core/pathway/pathway.php | 47 +++++++++++++++------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/www/include/core/pathway/pathway.php b/www/include/core/pathway/pathway.php index 231ae94a08d..e56a4249cdb 100644 --- a/www/include/core/pathway/pathway.php +++ b/www/include/core/pathway/pathway.php 
@@ -4,34 +4,34 @@ * Copyright 2005-2020 Centreon * Centreon is developped by : Julien Mathis and Romain Le Merlus under * GPL Licence 2.0. - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software * Foundation ; either version 2 of the License. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT ANY - * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A * PARTICULAR PURPOSE. See the GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with + * + * You should have received a copy of the GNU General Public License along with * this program; if not, see . - * - * Linking this program statically or dynamically with other modules is making a - * combined work based on this program. Thus, the terms and conditions of the GNU + * + * Linking this program statically or dynamically with other modules is making a + * combined work based on this program. Thus, the terms and conditions of the GNU * General Public License cover the whole combination. - * - * As a special exception, the copyright holders of this program give Centreon - * permission to link this program with independent modules to produce an executable, - * regardless of the license terms of these independent modules, and to copy and - * distribute the resulting executable under terms of Centreon choice, provided that - * Centreon also meet, for each linked independent module, the terms and conditions - * of the license of that module. An independent module is a module which is not - * derived from this program. 
If you modify this program, you may extend this + * + * As a special exception, the copyright holders of this program give Centreon + * permission to link this program with independent modules to produce an executable, + * regardless of the license terms of these independent modules, and to copy and + * distribute the resulting executable under terms of Centreon choice, provided that + * Centreon also meet, for each linked independent module, the terms and conditions + * of the license of that module. An independent module is a module which is not + * derived from this program. If you modify this program, you may extend this * exception to your version of the program, but you are not obliged to do so. If you * do not wish to do so, delete this exception statement from your version. - * + * * For more information : contact@centreon.com - * + * */ if (!isset($centreon)) { @@ -62,7 +62,8 @@ . 'WHERE topology_url = :url' ); $statement->bindValue(':url', $url, \PDO::PARAM_STR); - if ($statement->execute() + if ( + $statement->execute() && $result = $statement->fetch(\PDO::FETCH_ASSOC) ) { $p = $result['topology_page']; @@ -96,6 +97,7 @@ $breadcrumbData = []; $basePath = '/' . trim(explode('main.get.php', $_SERVER['REQUEST_URI'])[0], "/"); +$basePath = htmlspecialchars($basePath, ENT_QUOTES, 'UTF-8'); /* * " class="pathWay"> */ @@ -137,7 +139,8 @@ foreach ($breadcrumbData as $page => $details) { echo $flag; ?> - " class="pathWay"> + " + class="pathWay">  >  '; } From be4f6d981867fdbaf12142778b277e58554645de Mon Sep 17 00:00:00 2001 From: elmahdiabbassi Date: Fri, 21 Oct 2022 11:57:36 +0100 Subject: [PATCH 2/2] delete commented line --- www/include/core/pathway/pathway.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/www/include/core/pathway/pathway.php b/www/include/core/pathway/pathway.php index e56a4249cdb..7868dc8b2b9 100644 --- a/www/include/core/pathway/pathway.php +++ b/www/include/core/pathway/pathway.php 
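Review bot: The added `$basePath = htmlspecialchars($basePath, ENT_QUOTES, 'UTF-8');` in the @@ -96,6 +97,7 @@ hunk escapes the value at assignment time rather than where it is echoed, so the variable now carries HTML entities into any later non-HTML use (concatenation into a URL, comparison, redirect), and without ENT_SUBSTITUTE htmlspecialchars() returns an empty string for input that is not valid UTF-8, so a request URI carrying stray bytes silently collapses the base path to ''. Since the value is derived from `$_SERVER['REQUEST_URI']` and, as far as the stripped markup of the @@ -137,7 +139,8 @@ hunk suggests, is printed inside an href attribute, I would keep `$basePath` raw and escape at the output point: `<?php echo htmlspecialchars($basePath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. If the early escaping is kept instead, at least use `htmlspecialchars($basePath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and document the contract with a comment such as `// $basePath is pre-escaped for HTML attribute output; do not reuse it in non-HTML contexts`. This change covers only `$basePath`; the other values printed in the breadcrumb loop (`$page`, `$details`) are outside the hunk and the diff does not show whether they are escaped.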
@@ -98,9 +98,6 @@ $breadcrumbData = []; $basePath = '/' . trim(explode('main.get.php', $_SERVER['REQUEST_URI'])[0], "/"); $basePath = htmlspecialchars($basePath, ENT_QUOTES, 'UTF-8'); -/* - * " class="pathWay"> - */ if ($pdoStatement->execute()) { while ($result = $pdoStatement->fetch(\PDO::FETCH_ASSOC)) {