Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX dol_string_onlythesehtmltags can keep html comments

Browse Source
This commit is contained in:
Laurent Destailleur
2022-04-12 14:57:12 +02:00
parent b1cc271ad5
commit 599c90ae6b
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
htdocs/core/lib/functions.lib.php
View File

@@ -6521,7 +6521,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
{ {
$allowed_tags = array( $allowed_tags = array(
"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link", "html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6" "ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6",
"comment" // this tags is added to manage comment <!--...--> that are replaced into <comment>...</comment>
); );
if ($allowiframe) { if ($allowiframe) {
$allowed_tags[] = "iframe"; $allowed_tags[] = "iframe";
@@ -6534,7 +6535,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
$stringtoclean = dol_string_nounprintableascii($stringtoclean, 0); $stringtoclean = dol_string_nounprintableascii($stringtoclean, 0);
$stringtoclean = preg_replace('/<!--[^>]*-->/', '', $stringtoclean); //$stringtoclean = preg_replace('/<!--[^>]*-->/', '', $stringtoclean);
$stringtoclean = preg_replace('/<!--([^>]*)-->/', '<comment>\1</comment>', $stringtoclean);
$stringtoclean = preg_replace('/&colon;/i', ':', $stringtoclean); $stringtoclean = preg_replace('/&colon;/i', ':', $stringtoclean);
$stringtoclean = preg_replace('/&#58;|&#0+58|&#x3A/i', '', $stringtoclean); // refused string ':' encoded (no reason to have a : encoded like this) to disable 'javascript:...' $stringtoclean = preg_replace('/&#58;|&#0+58|&#x3A/i', '', $stringtoclean); // refused string ':' encoded (no reason to have a : encoded like this) to disable 'javascript:...'
@@ -6557,6 +6559,9 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
$temp = str_replace('__!DOCTYPE_HTML__', '<!DOCTYPE html>', $temp); // Restore the DOCTYPE $temp = str_replace('__!DOCTYPE_HTML__', '<!DOCTYPE html>', $temp); // Restore the DOCTYPE
$temp = preg_replace('/<comment>([^>]*)<\/comment>/', '<!--\1-->', $temp); // Restore html comments
return $temp; return $temp;
} }

5
htdocs/modulebuilder/index.php
View File

@@ -1641,6 +1641,7 @@ if ($action == 'savefile' && empty($cancel)) {
$content = GETPOST('editfilecontent', $check); $content = GETPOST('editfilecontent', $check);
// Save file on disk // Save file on disk
if ($content) { if ($content) {
dol_delete_file($pathoffile); dol_delete_file($pathoffile);
@@ -2128,7 +2129,9 @@ if ($module == 'initmodule') {
print '<tr><td>'; print '<tr><td>';
print $langs->trans("EditorUrl"); print $langs->trans("EditorUrl");
print '</td><td>'; print '</td><td>';
print $moduleobj->editor_url; if (!empty($moduleobj->editor_url)) {
print '<a href="'.$moduleobj->editor_url.'" class="_blank" rel="noopener">'.$moduleobj->editor_url.' '.img_picto('', 'globe').'</a>';
}
print '</td></tr>'; print '</td></tr>';
print '<tr><td>'; print '<tr><td>';