Fixes incorrect escaping of apostrophes and accents

CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fix models created on parent entities can't be used on child entites
 - Fix responsible group injection payload normalization so group remains visible in GLPI after import
 - Fix plugin rights initialization and cleanup
+- Fix incorrect escaping of apostrophes and accents
 
 ## [2.15.4] - 2026-03-16
 

inc/backendcsv.class.php

@@ -91,14 +91,11 @@ public function setHeaderPresent($present = true)
    **/
     public static function parseLine($fic, $data, $encoding = 1)
     {
-        /** @var DBmysql $DB */
-        global $DB;
-
         $csv = [];
         $num = count($data);
 
         for ($c = 0; $c < $num; $c++) {
-            $tmp = trim($DB->escape($data[$c]));
+            $tmp = trim($data[$c]);
             switch ($encoding) {
                 case PluginDatainjectionBackend::ENCODING_ISO8859_1:
                     $csv[0][] = $tmp === '' || $tmp === '0' ? Toolbox::encodeInUtf8($tmp) : $tmp;

inc/mapping.class.php

@@ -28,6 +28,11 @@
  * -------------------------------------------------------------------------
  */
 
+use Glpi\Application\View\TemplateRenderer;
+
+use function Safe\ob_get_clean;
+use function Safe\ob_start;
+
 class PluginDatainjectionMapping extends CommonDBTM
 {
     public static $rightname = "plugin_datainjection_model";
@@ -93,60 +98,39 @@ public function getItemtype()
    **/
     public static function showFormMappings(PluginDatainjectionModel $model)
     {
-        /** @var array $CFG_GLPI */
-        global $CFG_GLPI;
-
         $canedit = $model->can($model->fields['id'], UPDATE);
-
         $lines = isset($_SESSION['datainjection']['lines']) ? unserialize($_SESSION['datainjection']['lines']) : [];
 
-        echo "<form method='post' name=form action='" . Toolbox::getItemTypeFormURL(self::class) . "'>";
-
-        //Display link to the preview popup
-        if (isset($_SESSION['datainjection']['lines']) && !empty($lines)) {
-            $nblines = $_SESSION['datainjection']['nblines'];
-            echo "<table class='tab_cadre_fixe'>";
-            echo "<tr class='tab_bg_1'><td class='center'>";
-            $url = plugin_datainjection_geturl() .
-             "front/popup.php?popup=preview&amp;models_id=" .
-             $model->getID();
-            echo "<a href=#  onClick=\"var w = window.open('$url' , 'glpipopup', " .
-             "'height=400, width=600, top=100, left=100, scrollbars=yes' );w.focus();\"/>";
-            echo __s('See the file', 'datainjection') . "</a>";
-            echo "</td></tr>";
+        $show_preview = isset($_SESSION['datainjection']['lines']) && !empty($lines);
+        $preview_url = '';
+        if ($show_preview) {
+            $preview_url = plugin_datainjection_geturl() . "front/popup.php?popup=preview&models_id=" . $model->getID();
         }
 
-        echo "<table class='tab_cadre_fixe'>";
-        echo "<tr>";
-        echo "<th>" . __s('Header of the file', 'datainjection') . "</th>";
-        echo "<th>" . __s('Tables', 'datainjection') . "</th>";
-        echo "<th>" . _sn('Field', 'Fields', 2) . "</th>";
-        echo "<th>" . __s('Link field', 'datainjection') . "</th>";
-        echo "</tr>";
-
         $model->loadMappings();
+        $mappings = [];
 
         foreach ($model->getMappings() as $mapping) {
-            $mappings_id     = $mapping->getID();
-            echo "<tr class='tab_bg_1'>";
-            echo "<td class='center'>" . $mapping->fields['name'] . "</td>";
-            echo "<td class='center'>";
+            ob_start();
             $options = ['primary_type' => $model->fields['itemtype']];
             PluginDatainjectionInjectionType::dropdownLinkedTypes($mapping, $options);
-            echo "</td>";
-            echo "<td class='center'><span id='span_field_$mappings_id'>";
-            echo "</span></td>";
-            echo "<td class='center'><span id='span_mandatory_$mappings_id'></span></td>";
-        }
+            $dropdown_html = ob_get_clean();
 
-        if ($canedit) {
-            echo "<tr> <td class='tab_bg_2 center' colspan='4'>";
-            echo "<input type='hidden' name='models_id' value='" . $model->fields['id'] . "'>";
-            echo "<input type='submit' name='update' value='" . _sx('button', 'Save') . "' class='submit'>";
-            echo "</td></tr>";
+            $mappings[] = [
+                'id'            => $mapping->getID(),
+                'name'          => $mapping->fields['name'],
+                'dropdown_html' => $dropdown_html,
+            ];
         }
-        echo "</table>";
-        Html::closeForm();
+
+        TemplateRenderer::getInstance()->display('@datainjection/mappings_form.html.twig', [
+            'form_action'  => Toolbox::getItemTypeFormURL(self::class),
+            'show_preview' => $show_preview,
+            'preview_url'  => $preview_url,
+            'mappings'     => $mappings,
+            'canedit'      => $canedit,
+            'model_id'     => $model->fields['id'],
+        ]);
     }
 
 

inc/mappingcollection.class.php

@@ -58,8 +58,6 @@ public function load($models_id)
         $this->mappingCollection = [];
 
         foreach ($data = $DB->doQuery($sql) as $data) {
-            // Addslashes to conform to value return by PluginDatainjectionBackendcsv::parseLine
-            $data["name"]              = addslashes($data["name"]);
             $mapping                   = new PluginDatainjectionMapping();
             $mapping->fields           = $data;
             $this->mappingCollection[] = $mapping;

inc/model.class.php

@@ -1180,11 +1180,11 @@ public function isFileCorrect()
                 //If name of the mapping is not equal in the csv file header and in the DB
                 $name_from_file = trim(
                     mb_strtoupper(
-                        stripslashes($header[$mapping->getRank()]),
+                        $header[$mapping->getRank()],
                         'UTF-8',
                     ),
                 );
-                $name_from_db   = trim(mb_strtoupper(stripslashes($mapping->getName()), 'UTF-8'));
+                $name_from_db   = trim(mb_strtoupper($mapping->getName(), 'UTF-8'));
 
                 if ($name_from_db != $name_from_file) {
                     if ($error['error_message'] == '') {
@@ -1331,7 +1331,7 @@ public static function showPreviewMappings($models_id)
                 echo "<tr class='tab_bg_1'>";
 
                 foreach ($mappings as $mapping) {
-                    echo"<th style='height:40px'>" . stripslashes($mapping->getMappingName()) . "</th>";
+                    echo"<th style='height:40px'>" . htmlescape($mapping->getMappingName()) . "</th>";
                 }
                 echo "</tr>";
                 unset($lines[0]);
@@ -1340,7 +1340,7 @@ public static function showPreviewMappings($models_id)
             foreach ($lines as $line) {
                 echo "<tr class='tab_bg_2'>";
                 foreach ($line[0] as $value) {
-                    echo "<td>" . $value . "</td>";
+                    echo "<td>" . htmlescape($value) . "</td>";
                 }
                 echo "</tr>";
             }

templates/mappings_form.html.twig

@@ -0,0 +1,70 @@
+{#
+ # -------------------------------------------------------------------------
+ # DataInjection plugin for GLPI
+ # -------------------------------------------------------------------------
+ #
+ # LICENSE
+ #
+ # This file is part of DataInjection.
+ #
+ # DataInjection is free software; you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation; either version 2 of the License, or
+ # (at your option) any later version.
+ #
+ # DataInjection is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with DataInjection. If not, see <http://www.gnu.org/licenses/>.
+ # -------------------------------------------------------------------------
+ # @copyright Copyright (C) 2007-2023 by DataInjection plugin team.
+ # @license   GPLv2 https://www.gnu.org/licenses/gpl-2.0.html
+ # @link      https://github.com/pluginsGLPI/datainjection
+ # -------------------------------------------------------------------------
+ #}
+
+<form method="post" name="form" action="{{ form_action }}">
+   <input type="hidden" name="_glpi_csrf_token" value="{{ csrf_token() }}">
+   {% if show_preview %}
+      <table class="tab_cadre_fixe">
+         <tr class="tab_bg_1">
+            <td class="center">
+               <a href="#" onclick="var w = window.open('{{ preview_url }}', 'glpipopup', 'height=400, width=600, top=100, left=100, scrollbars=yes'); w.focus(); return false;">
+                  {{ __('See the file', 'datainjection') }}
+               </a>
+            </td>
+         </tr>
+      </table>
+   {% endif %}
+
+   <table class="tab_cadre_fixe">
+      <tr>
+         <th>{{ __('Header of the file', 'datainjection') }}</th>
+         <th>{{ __('Tables', 'datainjection') }}</th>
+         <th>{{ _n('Field', 'Fields', 2) }}</th>
+         <th>{{ __('Link field', 'datainjection') }}</th>
+      </tr>
+
+      {% for mapping in mappings %}
+         <tr class="tab_bg_1">
+            <td class="center">{{ mapping.name }}</td>
+            <td class="center">{{ mapping.dropdown_html|raw }}</td>
+            <td class="center"><span id="span_field_{{ mapping.id }}"></span></td>
+            <td class="center"><span id="span_mandatory_{{ mapping.id }}"></span></td>
+         </tr>
+      {% endfor %}
+
+      {% if canedit %}
+         <tr>
+            <td class="tab_bg_2 center" colspan="4">
+               <input type="hidden" name="models_id" value="{{ model_id }}">
+               <input type="submit" name="update" value="{{ __('Save') }}" class="btn btn-primary">
+            </td>
+         </tr>
+      {% endif %}
+   </table>
+</form>
+