From b0932d2413e7b5cc7127fc89c8fa389b908669f1 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov" <alexander.klimov@netways.de>
Date: Mon, 15 Feb 2016 16:26:52 +0100
Subject: [PATCH 1/2] Implement escapeComment helper

refs #10654
---
 .../views/helpers/EscapeComment.php           | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 modules/monitoring/application/views/helpers/EscapeComment.php

diff --git a/modules/monitoring/application/views/helpers/EscapeComment.php b/modules/monitoring/application/views/helpers/EscapeComment.php
new file mode 100644
index 000000000..be85a223e
--- /dev/null
+++ b/modules/monitoring/application/views/helpers/EscapeComment.php
@@ -0,0 +1,38 @@
+<?php
+/* Icinga Web 2 | (c) 2016 Icinga Development Team | GPLv2+ */
+
+/**
+ * Helper for escaping comments, but preserving links
+ */
+class Zend_View_Helper_EscapeComment extends Zend_View_Helper_Abstract
+{
+    /**
+     * The purifier to use for escaping
+     *
+     * @var HTMLPurifier
+     */
+    protected static $purifier;
+
+    /**
+     * Escape any comment for being placed inside HTML, but preserve simple links (<a href="...">).
+     *
+     * @param   string  $comment
+     *
+     * @return  string
+     */
+    public function escapeComment($comment)
+    {
+        if (self::$purifier === null) {
+            require_once 'HTMLPurifier/Bootstrap.php';
+            require_once 'HTMLPurifier.php';
+            require_once 'HTMLPurifier.autoload.php';
+
+            $config = HTMLPurifier_Config::createDefault();
+            $config->set('Core.EscapeNonASCIICharacters', true);
+            $config->set('HTML.Allowed', 'a[href]');
+            $config->set('Cache.DefinitionImpl', null);
+            self::$purifier = new HTMLPurifier($config);
+        }
+        return self::$purifier->purify($comment);
+    }
+}

From af3abb76c823531ad3e5efd9b2f4a86f1040ef4d Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov" <alexander.klimov@netways.de>
Date: Tue, 16 Feb 2016 14:55:27 +0100
Subject: [PATCH 2/2] Render simple HTML links (a[href]) in acknowledgements,
 comments and downtimes

refs #10654
---
 .../monitoring/application/views/scripts/downtime/show.phtml  | 2 +-
 .../views/scripts/partials/comment/comment-detail.phtml       | 2 +-
 .../views/scripts/partials/downtime/downtime-header.phtml     | 2 +-
 .../application/views/scripts/partials/event-history.phtml    | 4 +++-
 .../views/scripts/show/components/acknowledgement.phtml       | 2 +-
 .../application/views/scripts/show/components/comments.phtml  | 2 +-
 .../application/views/scripts/show/components/downtime.phtml  | 2 +-
 7 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/modules/monitoring/application/views/scripts/downtime/show.phtml b/modules/monitoring/application/views/scripts/downtime/show.phtml
index c584540fc..b10ae9587 100644
--- a/modules/monitoring/application/views/scripts/downtime/show.phtml
+++ b/modules/monitoring/application/views/scripts/downtime/show.phtml
@@ -45,7 +45,7 @@
       </tr>
       <tr title="<?= $this->translate('A comment, as entered by the author, associated with the scheduled downtime'); ?>">
         <th><?= $this->translate('Comment') ?></th>
-        <td class="comment-text"><?= $this->nl2br($this->escape($this->downtime->comment)) ?></td>
+        <td class="comment-text"><?= $this->nl2br($this->escapeComment($this->downtime->comment)) ?></td>
       </tr>
     </tbody>
   </table>
diff --git a/modules/monitoring/application/views/scripts/partials/comment/comment-detail.phtml b/modules/monitoring/application/views/scripts/partials/comment/comment-detail.phtml
index 433b60412..0fb72c38d 100644
--- a/modules/monitoring/application/views/scripts/partials/comment/comment-detail.phtml
+++ b/modules/monitoring/application/views/scripts/partials/comment/comment-detail.phtml
@@ -56,5 +56,5 @@
     </span>
 </div>
 <p class="comment-text">
-    <?= $this->nl2br($this->escape($comment->comment)) ?>
+    <?= $this->nl2br($this->escapeComment($comment->comment)) ?>
 </p>
diff --git a/modules/monitoring/application/views/scripts/partials/downtime/downtime-header.phtml b/modules/monitoring/application/views/scripts/partials/downtime/downtime-header.phtml
index cf2cdf651..96130db7a 100644
--- a/modules/monitoring/application/views/scripts/partials/downtime/downtime-header.phtml
+++ b/modules/monitoring/application/views/scripts/partials/downtime/downtime-header.phtml
@@ -67,6 +67,6 @@
     </span>
   </div>
   <p class="comment-text">
-    <?= $this->nl2br($this->escape($downtime->comment)) ?>
+    <?= $this->nl2br($this->escapeComment($downtime->comment)) ?>
   </p>
 </td>
diff --git a/modules/monitoring/application/views/scripts/partials/event-history.phtml b/modules/monitoring/application/views/scripts/partials/event-history.phtml
index e7ae0e034..7a0cee293 100644
--- a/modules/monitoring/application/views/scripts/partials/event-history.phtml
+++ b/modules/monitoring/application/views/scripts/partials/event-history.phtml
@@ -147,7 +147,9 @@ $history->limit($limit * $page);
                     <?php if ($icon) {
                         echo $this->icon($icon, null, $iconCssClass ? array('class' => $iconCssClass) : array());
                     } ?>
-                    <?= nl2br($this->createTicketLinks($this->escape($msg)), false) ?>
+                    <?= $this->nl2br($this->createTicketLinks($this->escapeComment($msg)))
+                    // TODO(ak): this allows only a[href] in messages, but plugin output allows more
+                    ?>
                 </p>
             </td>
         </tr>
diff --git a/modules/monitoring/application/views/scripts/show/components/acknowledgement.phtml b/modules/monitoring/application/views/scripts/show/components/acknowledgement.phtml
index 289405c5b..568dc9062 100644
--- a/modules/monitoring/application/views/scripts/show/components/acknowledgement.phtml
+++ b/modules/monitoring/application/views/scripts/show/components/acknowledgement.phtml
@@ -44,7 +44,7 @@ $acknowledgement = $object->acknowledgement;
                 } ?>
             </dt>
             <dd>
-                <?= $this->nl2br($this->createTicketLinks($this->escape($acknowledgement->getComment()))) ?>
+                <?= $this->nl2br($this->createTicketLinks($this->escapeComment($acknowledgement->getComment()))) ?>
             </dd>
         </dl>
         <?php elseif (isset($removeAckForm)): ?>
diff --git a/modules/monitoring/application/views/scripts/show/components/comments.phtml b/modules/monitoring/application/views/scripts/show/components/comments.phtml
index 34b72c589..671c363d1 100644
--- a/modules/monitoring/application/views/scripts/show/components/comments.phtml
+++ b/modules/monitoring/application/views/scripts/show/components/comments.phtml
@@ -67,7 +67,7 @@ if (empty($object->comments) && ! $addLink) {
                 } ?>
             </dt>
             <dd>
-                <?= $this->nl2br($this->createTicketLinks($this->escape($comment->comment))) ?>
+                <?= $this->nl2br($this->createTicketLinks($this->escapeComment($comment->comment))) ?>
             </dd>
         <?php endforeach ?>
         </dl>
diff --git a/modules/monitoring/application/views/scripts/show/components/downtime.phtml b/modules/monitoring/application/views/scripts/show/components/downtime.phtml
index 7da27f2bf..5655da4c4 100644
--- a/modules/monitoring/application/views/scripts/show/components/downtime.phtml
+++ b/modules/monitoring/application/views/scripts/show/components/downtime.phtml
@@ -96,7 +96,7 @@ if (empty($object->comments) && ! $addLink) {
                 } ?>
             </dt>
             <dd>
-                <?= $this->nl2br($this->createTicketLinks($this->escape($downtime->comment))) ?>
+                <?= $this->nl2br($this->createTicketLinks($this->escapeComment($downtime->comment))) ?>
             </dd>
         <?php endforeach ?>
         </dl>