Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Debug v19 and option MAIN_DISALLOW_URL_INTO_DESCRIPTIONS

Browse Source
This commit is contained in:
Laurent Destailleur
2023-11-14 01:32:42 +01:00
parent ca3f5eaadf
commit 804ee3b517
2 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
htdocs/core/lib/functions.lib.php
View File

@@ -7635,18 +7635,19 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
} while ($oldstringtoclean != $out);
// Check the limit of external links that are automatically executed in a Rich text content. We count:
// '<img' to avoid <img src="http...">
// '<img' to avoid <img src="http...">, we can only accept "<img src="data:..."
// 'url(' to avoid inline style like background: url(http...
// '<link' to avoid <link href="http...">
$reg = array();
preg_match_all('/(<img|url\(|<link)/i', $out, $reg);
$nbextlink = count($reg[0]);
if ($nbextlink > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
$tmpout = preg_replace('/<img src="data:/mi', '<__IMG_SRC_DATA__ src="data:', $out);
preg_match_all('/(<img|url\(|<link)/i', $tmpout, $reg);
$nblinks = count($reg[0]);
if ($nblinks > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
$out = 'ErrorTooManyLinksIntoHTMLString';
}
//
if (!empty($conf->global->MAIN_DISALLOW_URL_INTO_DESCRIPTIONS) || $check == 'restricthtmlnolink') {
if ($nbextlink > 0) {
if ($nblinks > 0) {
$out = 'ErrorHTMLLinksNotAllowed';
}
}