diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 7c5ef20051f..c6d4960ca3a 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -6277,16 +6277,20 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto = * @param int $cleanalsosomestyles Remove absolute/fixed positioning from inline styles * @param int $removeclassattribute 1=Remove the class attribute from tags * @param int $cleanalsojavascript Remove also occurence of 'javascript:'. + * @param int $allowiframe Allow iframe tags. * @return string String cleaned * * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags() */ -function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0) +function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0) { $allowed_tags = array( "html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link", "ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6" ); + if ($allowiframe) { + $allowed_tags[] = "iframe"; + } $allowed_tags_string = join("><", $allowed_tags); $allowed_tags_string = '<'.$allowed_tags_string.'>'; 
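Review bot: The new docblock line `* @param int $allowiframe Allow iframe tags.` should say what enabling it means, since an iframe can embed any remote document and the tag is otherwise stripped by design; suggested wording: `* @param int $allowiframe 1=Also allow the iframe tag. Only enable for content entered by trusted administrators, since an iframe can embed any remote document and its 'src' is governed by the attribute filter, not by this function.` The flag itself follows the file's existing `$cleanalso...` integer-flag convention, so no change to the code is needed. dol_string_onlythesehtmltags continues past the end of the hunk, so how the tag list is applied to `$stringtoclean` is not visible here.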
@@ -6332,7 +6336,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, * * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags() */ -function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("alt", "class", "contenteditable", "data-html", "href", "id", "name", "src", "style", "target", "title")) +function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width")) { if (class_exists('DOMDocument') && !empty($stringtoclean)) { $stringtoclean = ''.$stringtoclean.''; diff --git a/htdocs/externalsite/admin/externalsite.php b/htdocs/externalsite/admin/externalsite.php index 47f0a3d57be..dc9f7741463 100644 --- a/htdocs/externalsite/admin/externalsite.php +++ b/htdocs/externalsite/admin/externalsite.php @@ -41,8 +41,6 @@ if (!$user->admin) { // Load translation files required by the page $langs->loadLangs(array('admin', 'other', 'externalsite')); -$def = array(); - $action = GETPOST('action', 'aZ09'); // Sauvegardes parametres @@ -51,8 +49,11 @@ if ($action == 'update') { $db->begin(); - $label = GETPOST('EXTERNALSITE_LABEL', 'alpha'); - $exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml'); + $label = GETPOST('EXTERNALSITE_LABEL', 'alphanohtml'); + + $exturl = GETPOST('EXTERNALSITE_URL', 'none'); + $exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1); + $exturl = dol_string_onlythesehtmlattributes($exturl); $i += dolibarr_set_const($db, 'EXTERNALSITE_LABEL', trim($label), 'chaine', 0, '', $conf->entity); $i += dolibarr_set_const($db, 'EXTERNALSITE_URL', trim($exturl), 'chaine', 0, '', $conf->entity); @@ -77,7 +78,7 @@ $linkback = ''; -print $langs->trans("Module100Desc")."
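Review bot: The widened default `$allowed_attributes` applies to every caller of `dol_string_onlythesehtmlattributes`, not only the externalsite admin page that needs iframe attributes; `allow` in particular is the iframe permissions-policy attribute, so stored HTML passed through this default could delegate features such as camera or microphone to an embedded document. Keeping the previous default and passing the extended list from the one caller that needs it, `$exturl = dol_string_onlythesehtmlattributes($exturl, array(/* the list from this hunk */));`, would keep the change local, and `sandbox` is worth adding to that list so an administrator can restrict the frame. The function body continues past the hunk, so whether attribute values (as opposed to names) are also checked is not visible here.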
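Review bot: The fourth argument in `$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);` is `$cleanalsojavascript = 0`, so `javascript:` occurrences survive even though the value is read with the `'none'` filter (by its name, no sanitization) and `src` is an allowed attribute; if the stored constant is later rendered as an iframe, a `javascript:` `src` would run in the viewing administrator's browser. Passing the function's own option, `$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 1, 1);`, closes that gap at no cost, unless `dol_string_onlythesehtmlattributes` also validates attribute values, which its hunk does not show. The page is admin-only per the `!$user->admin` check in the first externalsite hunk, so the exposure is stored XSS by or through an administrator account rather than from anonymous input. The enclosing `if ($action == 'update')` block starts and ends outside the hunk.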
\n"; +print ''.$langs->trans("Module100Desc")."
\n"; print '
'; print '
';