From 476ebe70a70cf5af7427b7a8f2f5c4484d0ec0d6 Mon Sep 17 00:00:00 2001 From: alejandro-campos Date: Thu, 28 May 2020 14:47:36 +0200 Subject: [PATCH] fixes in reports front page default setup --- .../godmode/setup/setup_visuals.php | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/pandora_console/godmode/setup/setup_visuals.php b/pandora_console/godmode/setup/setup_visuals.php index 58e31d7edd..733e2f666e 100755 --- a/pandora_console/godmode/setup/setup_visuals.php +++ b/pandora_console/godmode/setup/setup_visuals.php @@ -1093,7 +1093,7 @@ $row++; } } - // Logo + // Logo. $table_report->data['custom_report_front-logo'][0] = __('Custom report front').' - '.__('Custom logo').ui_print_help_tip( __("The dir of custom logos is in your www Console in 'images/custom_logo'. You can upload more files (ONLY JPEG AND PNG) in upload tool in console."), true @@ -1107,7 +1107,7 @@ $row++; '', true ); - // Preview + // Preview. $table_report->data['custom_report_front-preview'][0] = __('Custom report front').' - '.'Preview'; if (empty($config['custom_report_front_logo'])) { $config['custom_report_front_logo'] = 'images/pandora_logo_white.jpg'; 
@@ -1115,23 +1115,32 @@ $row++; $table_report->data['custom_report_front-preview'][1] = ''.html_print_image($config['custom_report_front_logo'], true).''; - // Header + // Header. $table_report->data['custom_report_front-header'][0] = __('Custom report front').' - '.__('Header'); + + // Do not remove io_safe_output in textarea. TinyMCE avoids XSS injection. $table_report->data['custom_report_front-header'][1] = html_print_textarea( 'custom_report_front_header', 5, 15, - $config['custom_report_front_header'], + io_safe_output($config['custom_report_front_header']), 'style="width: 38em;"', true ); - // First page + // First page. + // Do not remove io_safe_output in textarea. TinyMCE avoids XSS injection. + if ($config['custom_report_front']) { + $firstpage_content = $config['custom_report_front_firstpage']; + } else { + $firstpage_content = io_safe_output($config['custom_report_front_firstpage']); + } + $table_report->data['custom_report_front-first_page'][0] = __('Custom report front').' - '.__('First page'); $custom_report_front_firstpage = str_replace( '(_URLIMAGE_)', ui_get_full_url(false, true, false, false), - $config['custom_report_front_firstpage'] + io_safe_output($firstpage_content) ); $table_report->data['custom_report_front-first_page'][1] = html_print_textarea( 'custom_report_front_firstpage', @@ -1142,13 +1151,15 @@ $row++; true ); - // Footer + // Footer. $table_report->data['custom_report_front-footer'][0] = __('Custom report front').' - '.__('Footer'); + + // Do not remove io_safe_output in textarea. TinyMCE avoids XSS injection. $table_report->data['custom_report_front-footer'][1] = html_print_textarea( 'custom_report_front_footer', 5, 15, - $config['custom_report_front_footer'], + io_safe_output($config['custom_report_front_footer']), 'style="width: 38em;"', true );
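Review bot: In the first-page block the `else` branch already runs `io_safe_output()` on `$config['custom_report_front_firstpage']`, and the `str_replace()` argument then calls `io_safe_output($firstpage_content)` again, so that path is decoded twice while the header here and the footer in the next hunk are decoded once. If `io_safe_output()` reverses the entity encoding applied on input, as its use here suggests, a second pass can turn doubly-encoded text into live markup; either drop the branch and assign `$firstpage_content = $config['custom_report_front_firstpage'];`, or add a comment saying why the default needs two passes. The added comment `TinyMCE avoids XSS injection` leans on a client-side editor, but the decoded string is written into the textarea by the server before any script runs, so this is only safe if `html_print_textarea()` escapes its content, which is not visible in this diff. I would reword the comment to `// Decoded for editing only; html_print_textarea() must escape this value.` and confirm that it does. `$config['custom_report_front']` is also read without an `isset()`/`empty()` guard, unlike `custom_report_front_logo` in the previous hunk.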