Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Clean code. Allow iframes into the external frame module.

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-25 03:44:38 +01:00
parent 45b0c4c2be
commit 594c94feb2
2 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@@ -6277,16 +6277,20 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
* @param int $cleanalsosomestyles Remove absolute/fixed positioning from inline styles
* @param int $removeclassattribute 1=Remove the class attribute from tags
* @param int $cleanalsojavascript Remove also occurence of 'javascript:'.
* @param int $allowiframe Allow iframe tags.
* @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
*/
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0)
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0)
{
$allowed_tags = array(
"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6"
);
if ($allowiframe) {
$allowed_tags[] = "iframe";
}
$allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = '<'.$allowed_tags_string.'>';
@@ -6332,7 +6336,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags()
*/
function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("alt", "class", "contenteditable", "data-html", "href", "id", "name", "src", "style", "target", "title"))
function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width"))
{
if (class_exists('DOMDocument') && !empty($stringtoclean)) {
$stringtoclean = '<html><body>'.$stringtoclean.'</body></html>';

11
htdocs/externalsite/admin/externalsite.php
View File

@@ -41,8 +41,6 @@ if (!$user->admin) {
// Load translation files required by the page
$langs->loadLangs(array('admin', 'other', 'externalsite'));
$def = array();
$action = GETPOST('action', 'aZ09');
// Sauvegardes parametres
@@ -51,8 +49,11 @@ if ($action == 'update') {
$db->begin();
$label = GETPOST('EXTERNALSITE_LABEL', 'alpha');
$exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
$label = GETPOST('EXTERNALSITE_LABEL', 'alphanohtml');
$exturl = GETPOST('EXTERNALSITE_URL', 'none');
$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
$exturl = dol_string_onlythesehtmlattributes($exturl);
$i += dolibarr_set_const($db, 'EXTERNALSITE_LABEL', trim($label), 'chaine', 0, '', $conf->entity);
$i += dolibarr_set_const($db, 'EXTERNALSITE_URL', trim($exturl), 'chaine', 0, '', $conf->entity);
@@ -77,7 +78,7 @@ $linkback = '<a href="'.DOL_URL_ROOT.'/admin/modules.php?restore_lastsearch_valu
print load_fiche_titre($langs->trans("ExternalSiteSetup"), $linkback, 'title_setup');
print '<br>';
print $langs->trans("Module100Desc")."<br>\n";
print '<span class="opacitymedium">'.$langs->trans("Module100Desc")."</span><br>\n";
print '<br>';
print '<form name="externalsiteconfig" action="'.$_SERVER["PHP_SELF"].'" method="POST">';