Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Disallow use of &# into dol_sanitizeUrl()

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-14 20:31:53 +01:00
parent cd12b7c39f
commit 9aa8916a9c
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
test/phpunit/SecurityTest.php
View File

@@ -476,7 +476,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
$result=GETPOST("backtopage");
print __METHOD__." result=".$result."\n";
$this->assertEquals(' alert(1)', $result, 'Test for backtopage param');
$this->assertEquals('3a alert(1)', $result, 'Test for backtopage param');
return $result;
}
@@ -691,7 +691,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$test = 'javascripT&javascript#x3a alert(1)';
$result=dol_sanitizeUrl($test);
$this->assertEquals(' alert(1)', $result, 'Test on dol_sanitizeUrl A');
$this->assertEquals('3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
$test = 'javajavascriptscript&cjavascriptolon;alert(1)';
$result=dol_sanitizeUrl($test);