Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Disallow use of &# into dol_sanitizeUrl()

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-14 20:31:53 +01:00
parent cd12b7c39f
commit 9aa8916a9c
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/lib/functions.lib.php
View File

@@ -617,7 +617,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
do { do {
$oldstringtoclean = $out; $oldstringtoclean = $out;
$out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#x3a'), '', $out); $out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $out);
} while ($oldstringtoclean != $out); } while ($oldstringtoclean != $out);
$out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out); $out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out);
@@ -1029,7 +1029,7 @@ function dol_sanitizeUrl($stringtoclean, $type = 1)
do { do {
$oldstringtoclean = $stringtoclean; $oldstringtoclean = $stringtoclean;
$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#x3a'), '', $stringtoclean); $stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $stringtoclean);
} while ($oldstringtoclean != $stringtoclean); } while ($oldstringtoclean != $stringtoclean);
if ($type == 1) { if ($type == 1) {

4
test/phpunit/SecurityTest.php
View File

@@ -476,7 +476,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)'; $_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
$result=GETPOST("backtopage"); $result=GETPOST("backtopage");
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals(' alert(1)', $result, 'Test for backtopage param'); $this->assertEquals('3a alert(1)', $result, 'Test for backtopage param');
return $result; return $result;
} }
@@ -691,7 +691,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$test = 'javascripT&javascript#x3a alert(1)'; $test = 'javascripT&javascript#x3a alert(1)';
$result=dol_sanitizeUrl($test); $result=dol_sanitizeUrl($test);
$this->assertEquals(' alert(1)', $result, 'Test on dol_sanitizeUrl A'); $this->assertEquals('3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
$test = 'javajavascriptscript&cjavascriptolon;alert(1)'; $test = 'javajavascriptscript&cjavascriptolon;alert(1)';
$result=dol_sanitizeUrl($test); $result=dol_sanitizeUrl($test);