Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX Report by Ricardo Matias

Browse Source 
Conflicts:
	test/phpunit/SecurityTest.php
This commit is contained in:
Laurent Destailleur
2021-01-25 22:46:09 +01:00
parent 84bab7169e
commit 13378897a8
5 changed files with 141 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
htdocs/core/lib/functions.lib.php
View File

@@ -686,7 +686,7 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
$out = dol_string_nohtmltag($out, 0);
}
break;
case 'alphawithlgt': // No " and no ../ but we keep < > tags. Can be used for email string like "Name <email>"
case 'alphawithlgt': // No " and no ../ but we keep balanced < > tags with no special chars inside. Can be used for email string like "Name <email>"
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
@@ -5762,7 +5762,7 @@ function picto_required()
* @param string $stringtoclean String to clean
* @param integer $removelinefeed 1=Replace all new lines by 1 space, 0=Only ending new lines are removed others are replaced with \n, 2=Ending new lines are removed but others are kept with a same number of \n than nb of <br> when there is both "...<br>\n..."
* @param string $pagecodeto Encoding of input/output string
* @param integer $strip_tags 0=Use internal strip, 1=Use strip_tags() php function (bugged when text contains a < char that is not for a html tag)
* @param integer $strip_tags 0=Use internal strip, 1=Use strip_tags() php function (bugged when text contains a < char that is not for a html tag or when tags is not closed like '<img onload=aaa')
* @param integer $removedoublespaces Replace double space into one space
* @return string String cleaned
*
@@ -5783,10 +5783,10 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
} else {
$pattern = "/<[^<>]+>/";
// Example of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
$temp = preg_replace($pattern, "", $temp); // pass 1
// $temp after pass 1: <a href="/myurl" title="A title">0000-021
$temp = preg_replace($pattern, "", $temp); // pass 2
// $temp after pass 2: 0000-021
$temp = preg_replace($pattern, "", $temp); // pass 1 - $temp after pass 1: <a href="/myurl" title="A title">0000-021
$temp = preg_replace($pattern, "", $temp); // pass 2 - $temp after pass 2: 0000-021
// removed '<' into non closing html tags like '<a'
$temp = preg_replace('/<([^\s<]+)/', '\1', $temp);
}
$temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto);