Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch '10.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source
This commit is contained in:
Laurent Destailleur
2019-08-31 01:15:04 +02:00
parent 8eae59945d 8938573f68
commit a3e221468a
3 changed files with 17 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@@ -942,11 +942,15 @@ function dol_escape_js($stringtoescape, $mode = 0, $noescapebackslashn = 0)
* @param string $stringtoescape String to escape
* @param int $keepb 1=Preserve b tags (otherwise, remove them)
* @param int $keepn 1=Preserve \r\n strings (otherwise, replace them with escaped value). Set to 1 when escaping for a <textarea>.
* @param string $keepmoretags '' or 'common' or list of tags
* @return string Escaped string
* @see dol_string_nohtmltag(), dol_string_nospecial(), dol_string_unaccent()
*/
function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0)
function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $keepmoretags = '')
{
if ($keepmoretags == 'common') $keepmoretags = 'html,body,a,em,i,u,ul,li,br,div,img,font,p,span,strong,table,tr,td,th,tbody';
// TODO Implement $keepmoretags
// escape quotes and backslashes, newlines, etc.
$tmp=html_entity_decode($stringtoescape, ENT_COMPAT, 'UTF-8'); // TODO Use htmlspecialchars_decode instead, that make only required change for html tags
if (! $keepb) $tmp=strtr($tmp, array("<b>"=>'','</b>'=>''));
@@ -5564,7 +5568,7 @@ function dol_nl2br($stringtoencode, $nl2brmode = 0, $forxml = false)
/**
* This function is called to encode a string into a HTML string but differs from htmlentities because
* a detection is done before to see if text is already HTML or not. Also, all entities but &,<,> are converted.
* a detection is done before to see if text is already HTML or not. Also, all entities but &,<,>," are converted.
* This permits to encode special chars to entities with no double encoding for already encoded HTML strings.
* This function also remove last EOL or BR if $removelasteolbr=1 (default).
* For PDF usage, you can show text by 2 ways:

16
htdocs/main.inc.php
View File

@@ -90,13 +90,15 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
$inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
$inj += preg_match('/onloadstart\s*=/i', $val); // onload can be set on audio tag <audio onloadstart=alert(1)>
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be on textarea
// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
$inj += preg_match('/onmouse([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/ondrag([a-z]*)\s*=/i', $val); //
$inj += preg_match('/ontouch([a-z]*)\s*=/i', $val); //
$inj += preg_match('/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $val);
$inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $val);
$inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|offline|online|pagehide|pageshow)\s*=/i', $val);
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $val);
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $val);
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
//if ($type == 1)

4
htdocs/user/group/card.php
View File

@@ -135,7 +135,7 @@ if (empty($reshook)) {
} else {
$object->name = trim(GETPOST("nom", 'nohtml'));
$object->nom = $object->name; // For backward compatibility
$object->note = trim(GETPOST("note", 'none'));
$object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'none')));
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost($extralabels, $object);
@@ -218,7 +218,7 @@ if (empty($reshook)) {
$object->name = trim(GETPOST("group", 'nohtml'));
$object->nom = $object->name; // For backward compatibility
$object->note = dol_htmlcleanlastbr(GETPOST("note", 'none'));
$object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'none')));
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost($extralabels, $object);