From 25e4c1017a67110edb9d11fab6c2bf4f0550fa38 Mon Sep 17 00:00:00 2001 From: Jose Gonzalez Date: Mon, 5 Apr 2021 11:06:20 +0200 Subject: [PATCH 1/4] WIP: Backup upload --- .../operation/messages/message_edit.php | 140 ++++++++++-------- 1 file changed, 75 insertions(+), 65 deletions(-) diff --git a/pandora_console/operation/messages/message_edit.php b/pandora_console/operation/messages/message_edit.php index 2378372a2a..33e90a27e4 100644 --- a/pandora_console/operation/messages/message_edit.php +++ b/pandora_console/operation/messages/message_edit.php @@ -1,9 +1,8 @@ false, @@ -92,7 +93,7 @@ ui_print_page_header( // Read a message. if ($read_message) { $message_id = (int) get_parameter('id_message'); - if ($show_sent) { + if ((bool) $show_sent === true) { $message = messages_get_message_sent($message_id); } else { $message = messages_get_message($message_id); 
@@ -196,26 +197,31 @@ if ($read_message) { return; } -// Create message (destination user). -if (($new_msg) && (!empty($dst_user)) && (!$reply)) { - $return = messages_create_message( - $config['id_user'], - [$dst_user], - [], - $subject, - $message - ); +if ($send_mes === true) { + if (empty($dst_user) === true && empty($dst_group) === true) { + // The user or group must be selected for send the message. + ui_print_error_message(__('User or group must be selected.')); + } else if ((bool) $reply === false) { + // Create message (destination user). + $return = messages_create_message( + $config['id_user'], + [$dst_user], + [], + $subject, + $message + ); - $user_name = get_user_fullname($dst_user); - if (!$user_name) { - $user_name = $dst_user; + $user_name = get_user_fullname($dst_user); + if (empty($user_name) === true) { + $user_name = $dst_user; + } + + ui_print_result_message( + $return, + __('Message successfully sent to user %s', $user_name), + __('Error sending message to user %s', $user_name) + ); } - - ui_print_result_message( - $return, - __('Message successfully sent to user %s', $user_name), - __('Error sending message to user %s', $user_name) - ); } // Message creation form. @@ -230,11 +236,7 @@ $table->data = []; $table->data[0][0] = __('Sender'); -if (!empty($own_info['fullname'])) { - $table->data[0][1] = $own_info['fullname']; -} else { - $table->data[0][1] = $config['id_user']; -} +$table->data[0][1] = (empty($own_info['fullname']) === false) ? $own_info['fullname'] : $config['id_user']; $table->data[1][0] = __('Destination'); @@ -245,7 +247,7 @@ $is_admin = (bool) db_get_value( $config['id_user'] ); -if ($is_admin) { +if ($is_admin === true) { $users_full = db_get_all_rows_filter( 'tusuario', [], 
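Review bot: The new guard in the -196 hunk accepts a group-only selection, but the call right after it still sends to `[$dst_user]` with an empty list as the third argument, so `$dst_group` is validated and then ignored and the result message reports "sent to user" with an empty name. If the third argument of messages_create_message is the group list, as its position next to the user list suggests, pass both, e.g. `empty($dst_user) === true ? [] : [$dst_user],` and `empty($dst_group) === true ? [] : [$dst_group],`, and pick the success/error wording by which one was filled. The surrounding page script continues past the hunk, so any later use of `$return` is not visible here.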
@@ -264,24 +266,20 @@ if ($is_admin) { $users = []; foreach ($users_full as $user_id => $user_info) { - $users[$user_info['id_user']] = $user_info['fullname']; + $users[$user_info['id_user']] = (empty($user_info['fullname']) === true) ? $user_info['id_user'] : $user_info['fullname']; } // Check if the user to reply is in the list, if not add reply user. if ($reply) { - if (!array_key_exists($dst_user, $users)) { + if (array_key_exists($dst_user, $users) === false) { // Add the user to reply. $user_reply = db_get_row('tusuario', 'id_user', $dst_user); $users[$user_reply['id_user']] = $user_reply['fullname']; } } - -if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'PM')) { - $return_all_groups = true; -} else { - $return_all_groups = false; -} +$return_all_groups = ((bool) $own_info['is_admin'] === true +|| check_acl($config['id_user'], 0, 'PM') === true); $groups = users_get_groups($config['id_user'], 'AR'); // Get a list of all groups. @@ -294,21 +292,26 @@ $table->data[1][1] = html_print_select( false, true, false, - '', - false + '' ); $table->data[1][1] .= '  '.__('OR').'  '; -$table->data[1][1] .= '
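Review bot: `$return_all_groups` in the -264 hunk now requires `check_acl(...) === true`, where the removed code only tested truthiness; if check_acl returns an int (1/0) rather than a bool, the strict comparison never matches and non-admin users holding PM rights lose the all-groups listing — confirm its return type before keeping this form. A cast keeps the intent explicit without that risk: `|| (bool) check_acl($config['id_user'], 0, 'PM') === true);`, and the continuation line should be indented under the opening parenthesis rather than sit at column 0. The fallback to `id_user` added in the foreach is not mirrored two lines later in the reply branch, which still stores `$user_reply['fullname']` unconditionally.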
'.html_print_select_groups( - $config['id_user'], - 'AR', - $return_all_groups, - 'dst_group', - $dst_group, - '', - __('Select group'), - '', +$table->data[1][1] .= html_print_div( + [ + 'class' => 'w250px inline', + 'content' => html_print_select_groups( + $config['id_user'], + 'AR', + $return_all_groups, + 'dst_group', + $dst_group, + '', + __('Select group'), + '', + true + ), + ], true -).'
'; +); $table->data[2][0] = __('Subject'); $table->data[2][1] = html_print_input_text( @@ -331,14 +334,21 @@ $table->data[3][1] = html_print_textarea( ); echo '
'; +// Print the main table. html_print_table($table); +// Print the action buttons section. +html_print_div( + [ + 'class' => 'action-buttons', + 'style' => 'width: '.$table->width, + 'content' => html_print_submit_button( + __('Send message'), + 'send_mes', + false, + 'class="sub wand"', + true + ), + ] +); -echo '
'; - html_print_submit_button( - __('Send message'), - 'send_mes', - false, - 'class="sub wand"' - ); - echo ''; - echo '
'; +echo ''; From bfaf8a87946c9d5ae5b522e65cfe02f90b442637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Gonz=C3=A1lez?= Date: Mon, 5 Apr 2021 17:55:46 +0200 Subject: [PATCH 2/4] WIP: Backup upload --- pandora_console/include/functions_io.php | 26 ++++ .../operation/messages/message_edit.php | 116 +++++++++++------- 2 files changed, 99 insertions(+), 43 deletions(-) diff --git a/pandora_console/include/functions_io.php b/pandora_console/include/functions_io.php index cad1dbf91a..7e3d2660b2 100755 --- a/pandora_console/include/functions_io.php +++ b/pandora_console/include/functions_io.php @@ -590,3 +590,29 @@ function io_output_password($password) return io_safe_output($plaintext); } + + +/** + * Prevents html tags if exists + */ +function io_safe_html_tags(string $string) +{ + $init = strpos($string, '<'); + $output = ''; + + if ($init !== false) { + $output = strstr($string, '<', true); + $tmpOutput = strstr($string, '<'); + $output .= strstr(substr($tmpOutput, 1), '>', true); + $tmpOutput = strstr($string, '>'); + $output .= substr($tmpOutput, 1); + $init = strpos($output, '<'); + if ($init !== false) { + $output .= io_safe_html_tags($output); + } + } else { + $output = $string; + } + + return $output; +} diff --git a/pandora_console/operation/messages/message_edit.php b/pandora_console/operation/messages/message_edit.php index 33e90a27e4..84cc2ce7e6 100644 --- a/pandora_console/operation/messages/message_edit.php +++ b/pandora_console/operation/messages/message_edit.php 
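Review bot: `io_safe_html_tags` in the functions_io.php hunk does not terminate for input whose first `>` comes before its first `<` (for example `a>b<c>d`): the second `strstr($string, '>')` searches from the start of the string rather than after the `<`, so the text between them is re-inserted and each recursive call sees a longer string until the stack or memory limit is hit; the same two lines survive in the PATCH 3/4 rewrite of this function. The last statement of the branch also appends (`$output .= io_safe_html_tags($output)`) instead of replacing, which duplicates the text and leaves the later `<...>` in place. Searching for `>` from the position of the `<` and looping until no pair is left bounds the work by the input length and needs no recursion. Note that the function removes only the two bracket characters and keeps the tag name, so it is not a substitute for escaping with htmlspecialchars at the point where the subject is rendered; the docblock should say what it does and does not remove.
```php
function io_safe_html_tags(string $string)
{
    $output = $string;
    // Look for '>' only after the '<' so a '>' that precedes the first '<'
    // is never re-inserted; each pass removes one pair, so the loop ends.
    while (($open = strpos($output, '<')) !== false
        && ($close = strpos($output, '>', $open)) !== false
    ) {
        $output = substr($output, 0, $open)
            .substr($output, ($open + 1), ($close - $open - 1))
            .substr($output, ($close + 1));
    }

    return $output;
}
```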
@@ -38,10 +38,11 @@ $send_mes = (bool) get_parameter('send_mes', false); $new_msg = (string) get_parameter('new_msg'); $dst_user = get_parameter('dst_user'); $dst_group = get_parameter('dst_group'); -$subject = (string) get_parameter('subject'); +$subject = (string) strip_tags(get_parameter('subject')); $message = (string) get_parameter('message'); $read_message = (bool) get_parameter('read_message', false); $reply = (bool) get_parameter('reply', false); +$replied = (bool) get_parameter('replied', false); $show_sent = get_parameter('show_sent', 0); $buttons['message_list'] = [ @@ -201,7 +202,7 @@ if ($send_mes === true) { if (empty($dst_user) === true && empty($dst_group) === true) { // The user or group must be selected for send the message. ui_print_error_message(__('User or group must be selected.')); - } else if ((bool) $reply === false) { + } else { // Create message (destination user). $return = messages_create_message( $config['id_user'], @@ -221,6 +222,11 @@ if ($send_mes === true) { __('Message successfully sent to user %s', $user_name), __('Error sending message to user %s', $user_name) ); + + // If is a reply, is not necessary do more. + if ($replied === true) { + return; + } } } 
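Review bot: The -38 hunk strips tags from `subject` at input time but leaves `$message` on the next line as the raw parameter; if the subject is stripped because it is later rendered without escaping, the body needs the same protection, and if both are escaped where rendered the stripping is lossy for legitimate text and can be dropped. Escaping at the output point (`htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`) is the reliable control; input-side stripping at most complements it. Whether the list and read views escape these fields is outside this patch, so that needs checking before deciding which side owns the escaping.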
@@ -270,49 +276,55 @@ foreach ($users_full as $user_id => $user_info) { } // Check if the user to reply is in the list, if not add reply user. -if ($reply) { - if (array_key_exists($dst_user, $users) === false) { - // Add the user to reply. - $user_reply = db_get_row('tusuario', 'id_user', $dst_user); - $users[$user_reply['id_user']] = $user_reply['fullname']; - } +if ($reply === true) { + $table->data[1][1] = (array_key_exists($dst_user, $users) === true) ? $users[$dst_user] : $dst_user; + $table->data[1][1] .= html_print_input_hidden( + 'dst_user', + $dst_user, + true + ); + $table->data[1][1] .= html_print_input_hidden( + 'replied', + '1', + true + ); +} else { + $return_all_groups = ((bool) $own_info['is_admin'] === true + || check_acl($config['id_user'], 0, 'PM') === true); + + $groups = users_get_groups($config['id_user'], 'AR'); + // Get a list of all groups. + $table->data[1][1] = html_print_select( + $users, + 'dst_user', + $dst_user, + 'changeStatusOtherSelect(\'dst_user\', \'dst_group\')', + __('Select user'), + false, + true, + false, + '' + ); + $table->data[1][1] .= '  '.__('OR').'  '; + $table->data[1][1] .= html_print_div( + [ + 'class' => 'w250px inline', + 'content' => html_print_select_groups( + $config['id_user'], + 'AR', + $return_all_groups, + 'dst_group', + $dst_group, + 'changeStatusOtherSelect(\'dst_group\', \'dst_user\')', + __('Select group'), + '', + true + ), + ], + true + ); } -$return_all_groups = ((bool) $own_info['is_admin'] === true -|| check_acl($config['id_user'], 0, 'PM') === true); - -$groups = users_get_groups($config['id_user'], 'AR'); -// Get a list of all groups. -$table->data[1][1] = html_print_select( - $users, - 'dst_user', - $dst_user, - '', - __('Select user'), - false, - true, - false, - '' -); -$table->data[1][1] .= '  '.__('OR').'  
'; -$table->data[1][1] .= html_print_div( - [ - 'class' => 'w250px inline', - 'content' => html_print_select_groups( - $config['id_user'], - 'AR', - $return_all_groups, - 'dst_group', - $dst_group, - '', - __('Select group'), - '', - true - ), - ], - true -); - $table->data[2][0] = __('Subject'); $table->data[2][1] = html_print_input_text( 'subject', @@ -333,6 +345,23 @@ $table->data[3][1] = html_print_textarea( true ); +$jsOutput = ''; +ob_start(); +?> + +'; // Print the main table. html_print_table($table); @@ -352,3 +381,4 @@ html_print_div( ); echo ''; +echo $jsOutput; \ No newline at end of file From a9a1a7ccb83be98b8922273c6b1a0937815cd002 Mon Sep 17 00:00:00 2001 From: Jose Gonzalez Date: Tue, 6 Apr 2021 10:36:43 +0200 Subject: [PATCH 3/4] Added function for safe html symbols tag --- pandora_console/include/functions_io.php | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/pandora_console/include/functions_io.php b/pandora_console/include/functions_io.php index 7e3d2660b2..d22641d4c7 100755 --- a/pandora_console/include/functions_io.php +++ b/pandora_console/include/functions_io.php 
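Review bot: In the reply branch of the -270 hunk, `$table->data[1][1]` falls back to the raw request value `$dst_user` when it is not a key of `$users`, and the removed `db_get_row` lookup that at least confirmed the user existed is gone; whether html_print_table escapes cell contents is not visible here, so if it does not, that value reaches the page unescaped. Either keep the lookup and show only a name taken from the database, or escape the fallback: `: htmlspecialchars((string) $dst_user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. A short comment on the branch, `// Reply: destination is fixed, so render the name and carry dst_user as a hidden field.`, would also explain why the selects are skipped. The -333 hunk's script block is not legible on this page and is not reviewed.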
@@ -593,22 +593,25 @@ function io_output_password($password) /** - * Prevents html tags if exists + * Clean html tags symbols for prevent use JS + * + * @param string $string String for safe. + * + * @return string */ function io_safe_html_tags(string $string) { - $init = strpos($string, '<'); - $output = ''; - - if ($init !== false) { + // Must have safe output for work properly. + $string = io_safe_output($string); + if (strpos($string, '<') !== false && strpos($string, '>') !== false) { $output = strstr($string, '<', true); $tmpOutput = strstr($string, '<'); $output .= strstr(substr($tmpOutput, 1), '>', true); $tmpOutput = strstr($string, '>'); $output .= substr($tmpOutput, 1); - $init = strpos($output, '<'); - if ($init !== false) { - $output .= io_safe_html_tags($output); + // If the string still contains tags symbols. + if (strpos($string, '<') !== false && strpos($string, '>') !== false) { + $output = io_safe_html_tags($output); } } else { $output = $string; From cf4b62d4d7ed36e23b2f256ebe2242f83eb1a4d4 Mon Sep 17 00:00:00 2001 From: Jose Gonzalez Date: Tue, 6 Apr 2021 10:37:14 +0200 Subject: [PATCH 4/4] Solved issue with HTML adding in subject --- pandora_console/operation/messages/message_edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pandora_console/operation/messages/message_edit.php b/pandora_console/operation/messages/message_edit.php index 84cc2ce7e6..c2ce7529ec 100644 --- a/pandora_console/operation/messages/message_edit.php +++ b/pandora_console/operation/messages/message_edit.php 
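Review bot: The "still contains" check in the -593 hunk tests `$string` rather than `$output`, so inside this branch it is always true and the function recurses unconditionally; it should read `if (strpos($output, '<') !== false && strpos($output, '>') !== false) {`. The rewrite also keeps `$tmpOutput = strstr($string, '>');`, which searches from the start of the string, so an input where a `>` precedes the first `<` (such as `a>b<c>d`) still grows on every recursion and never returns — the same defect as in the PATCH 2/4 version of this function. If io_safe_output decodes entities, as its name suggests, running it first means bracket entities in the stored form become real brackets and are removed, which changes the text beyond tag removal; the new docblock should state that. With `@return string` now documented, the signature can declare it too: `function io_safe_html_tags(string $string): string`.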
@@ -38,7 +38,7 @@ $send_mes = (bool) get_parameter('send_mes', false); $new_msg = (string) get_parameter('new_msg'); $dst_user = get_parameter('dst_user'); $dst_group = get_parameter('dst_group'); -$subject = (string) strip_tags(get_parameter('subject')); +$subject = io_safe_html_tags(get_parameter('subject')); $message = (string) get_parameter('message'); $read_message = (bool) get_parameter('read_message', false); $reply = (bool) get_parameter('reply', false);
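Review bot: The -38 hunk passes the request parameter straight into `io_safe_html_tags`, whose `string` parameter type now stands in for the dropped `(string)` cast; if get_parameter can return something other than a string for `subject` (an array, or null when absent), the call throws a TypeError instead of coercing, so keep the cast: `$subject = io_safe_html_tags((string) get_parameter('subject'));`. Because the function never returns for input in which a `>` precedes the first `<` (see the functions_io.php hunks in PATCH 2/4 and 3/4), this line also makes that non-termination reachable from any request that can post a subject, whereas the built-in `strip_tags` it replaces has no such case. If the motivation was that strip_tags removed wanted text, the safer route is to store the subject as entered and escape it where it is rendered.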