From bdde592ee3caaa4294c8aea1aa7c1812867e7801 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Anne?= Date: Tue, 22 Oct 2024 14:53:35 +0200 Subject: [PATCH] Prevent double escaping of multiline when cloning an item fixes #18123 --- phpunit/functional/ProjectTest.php | 35 ++++++++++++++++++++++++++++++ src/Features/Clonable.php | 9 ++++---- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/phpunit/functional/ProjectTest.php b/phpunit/functional/ProjectTest.php index 88f904e09e5..330a9d88509 100644 --- a/phpunit/functional/ProjectTest.php +++ b/phpunit/functional/ProjectTest.php @@ -37,6 +37,7 @@ use DbTestCase; use Glpi\Team\Team; +use Glpi\Toolbox\Sanitizer; use ProjectState; use ProjectTask; use ProjectTeam; @@ -453,6 +454,40 @@ public function testClone() $this->assertEquals($expected, $tasks_clone); } + public function testCloneWithOverridenInput() + { + $project = $this->createItem( + 'Project', + [ + 'name' => __FUNCTION__, + ] + ); + + $raw_description = << a + > multiline + > description +PLAINTEXT; + + $sanitized_description = <<<PLAINTEXT + &#62; a + &#62; multiline + &#62; description +PLAINTEXT; + + // Clone with raw input + $projects_id_clone = $project->clone(['content' => $raw_description]); + $project_clone = new \Project(); + $this->assertTrue($project_clone->getFromDB($projects_id_clone)); + $this->assertEquals($sanitized_description, $project_clone->fields['content']); + + // Clone with already sanitized input + $projects_id_clone = $project->clone(Sanitizer::sanitize(['content' => $raw_description])); + $project_clone = new \Project(); + $this->assertTrue($project_clone->getFromDB($projects_id_clone)); + $this->assertEquals($sanitized_description, $project_clone->fields['content']); + } + /** * Functional test to ensure that project's states colors are shown in * the search results diff --git a/src/Features/Clonable.php b/src/Features/Clonable.php index 19d5cf688fa..f52e68e5306 100644 --- a/src/Features/Clonable.php 
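Review bot: testCloneWithOverridenInput only exercises the override path; the other input that Clonable::clone() now runs through Sanitizer::sanitize() — the item's own `$this->fields` loaded from the DB, which is where the double-escaping in #18123 would originate — is never cloned without an override, so a regression on already-encoded stored content would pass this test. Add a third case that creates the project with `'content' => $raw_description`, calls `$project->clone()` with no arguments and asserts the clone's `fields['content']` equals `$sanitized_description`. Minor: `assertSame` is the stricter choice for these string fields, and the method name misspells "Overridden". The test method is complete within the hunk.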
+++ b/src/Features/Clonable.php
@@ -37,8 +37,8 @@
 use CommonDBConnexity;
 use CommonDBTM;
+use Glpi\Toolbox\Sanitizer;
 use Session;
-use Toolbox;
 /**
  * Clonable objects
@@ -230,10 +230,9 @@ public function clone(array $override_input = [], bool $history = true)
 return false;
 }
 $new_item = new static();
- $input = Toolbox::addslashes_deep($this->fields);
- foreach ($override_input as $key => $value) {
- $input[$key] = Toolbox::addslashes_deep($value);
- }
+
+ $input = array_merge($this->fields, $override_input);
+ $input = Sanitizer::sanitize($input);
 $input = $new_item->cleanCloneInput($input);
 // Do not compute a clone name if a new name is specified (Like creating from template)
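Review bot: The escaped-exactly-once guarantee on the `$input = Sanitizer::sanitize($input);` line now rests on Sanitizer::sanitize() leaving already-encoded values untouched — `$this->fields` comes straight from the DB and the accompanying test feeds a pre-sanitized override — but nothing at the call site records that assumption, so a later change to the sanitizer's already-encoded detection (presumably a heuristic on the string contents, which this hunk does not show) would silently reintroduce double escaping here. Suggest the comment `// DB-loaded fields and caller overrides may already be sanitized; Sanitizer::sanitize() must leave such values untouched so content is escaped exactly once.` above that line. A smaller point: `array_merge` renumbers integer keys where the removed loop preserved them; with column-name keys this is harmless, but `$input = $override_input + $this->fields;` would keep both the old key semantics and the override precedence. clone()'s signature and the rest of its body lie outside the hunk.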