Fixed with a 'work around' in io_safe_output for the SQL items in the reports.

2025-07-27 15:54:29 +02:00 · 2015-02-17 15:09:22 +01:00 · 2015-02-17 15:09:22 +01:00 · 8b232ead56
commit 8b232ead56
parent 6b5ab72c05
3 changed files with 56 additions and 6 deletions
--- a/pandora_console/include/functions_io.php
+++ b/pandora_console/include/functions_io.php
@ -249,6 +249,54 @@ function io_safe_output($value, $utf8 = true)
 	return $valueHtmlEncode;
 }
 //----------------------------------------------------------
 // Work arround.
 // 
 // It is the function from 6.0 and it is used in this
 // part of code only.
 //----------------------------------------------------------
 function patched_io_safe_output($value, $utf8 = true) {
 	if (is_numeric($value))
 		return $value;
 	if (is_array($value)) {
 		array_walk($value, "io_safe_output_array");
 		return $value;
 	}
 	if (! mb_check_encoding ($value, 'UTF-8'))
 		$value = utf8_encode ($value);
 	//Replace the html entitie of ( for the char
 	$value = str_replace("&#40;", '(', $value);
 	//Replace the html entitie of ) for the char
 	$value = str_replace("&#41;", ')', $value);
 	//Replace the html entitie of < for the char
 	$value = str_replace("&lt;", '<', $value);
 	//Replace the html entitie of > for the char
 	$value = str_replace("&gt;", '>', $value);
 	//Revert html entities to chars
 	for ($i = 0; $i < 33; $i++) {
 		$value = str_ireplace("&#x" . dechex($i) . ";",
 			io_html_to_ascii(dechex($i)), $value);
 	}
 	if ($utf8) {
 		$value =  html_entity_decode ($value, ENT_QUOTES, "UTF-8");
 	}
 	else {
 		$value =  html_entity_decode ($value, ENT_QUOTES);
 	}
 	return $value;
 }
 //----------------------------------------------------------
 /**
 * Convert the $value encode in html entity to clear char string. This function 
 * should be called always to "clean" HTML encoded data; to render to a text
--- a/pandora_console/include/functions_reporting.php
+++ b/pandora_console/include/functions_reporting.php
@ -4635,7 +4635,7 @@ function reporting_render_report_html_item ($content, $table, $report, $mini = f
 			}
 			$table->colspan[$next_row][0] = 3;
-
+			
 			$table2->class = 'databox';
 			$table2->width = '100%';
@ -4645,21 +4645,23 @@ function reporting_render_report_html_item ($content, $table, $report, $mini = f
 				$table2->head = explode('|', $content['header_definition']);
 			}
 			if ($content['treport_custom_sql_id'] != 0) {
 				switch ($config["dbtype"]) {
 					case "mysql":
-						$sql = io_safe_output (db_get_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
+						$sql = patched_io_safe_output (db_get_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
 						break;
 					case "postgresql":
-						$sql = io_safe_output (db_get_value_filter('"sql"', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
+						$sql = patched_io_safe_output (db_get_value_filter('"sql"', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
 						break;
 					case "oracle":
-						$sql = io_safe_output (db_get_value_filter('sql', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
+						$sql = patched_io_safe_output (db_get_value_filter('sql', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
 						break;
 				}
 			}
 			else {
-				$sql = io_safe_output ($content['external_source']);
+				$sql = patched_io_safe_output ($content['external_source']);
 			}
 			// Do a security check on SQL coming from the user
--- a/pandora_console/operation/reporting/reporting_xml.php
+++ b/pandora_console/operation/reporting/reporting_xml.php
@ -698,7 +698,7 @@ foreach ($contents as $content) {
 				$sql = $content['external_source'];
 			}
-			$sql = safe_output ($sql);
+			$sql = patched_io_safe_output($sql);
 			$result = db_get_all_rows_sql($sql);
 			if ($result === false) {
 				$result = array();