Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Accept img src=data into dolPrintHTML

Browse Source
This commit is contained in:
Laurent Destailleur (aka Eldy)
2025-01-27 10:16:28 +01:00
parent 2bf034fe07
commit a99b132c34
2 changed files with 33 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
htdocs/core/lib/functions.lib.php
View File

@@ -1064,15 +1064,15 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
// Check type of variable and make sanitization according to this
if (preg_match('/^array/', $check)) { // If 'array' or 'array:restricthtml' or 'array:aZ09' or 'array:intcomma'
if (!is_array($out) || empty($out)) {
$out = explode(',', $out);
$tmpcheck = 'alphanohtml';
if (empty($out)) {
$out = array();
} elseif (!is_array($out)) {
$out = explode(',', $out);
} else {
$tmparray = explode(':', $check);
if (!empty($tmparray[1])) {
$tmpcheck = $tmparray[1];
} else {
$tmpcheck = 'alphanohtml';
}
}
foreach ($out as $outkey => $outval) {
@@ -2193,52 +2193,47 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
}
if (count($tmparrayoftags)) {
// Now we will protect tags (defined into $tmparrayoftags) that we want to keep untouched
$reg = array();
$tmp = str_ireplace('__DOUBLEQUOTE', '', $tmp); // The keyword DOUBLEQUOTE is forbidden. Reserved, so we removed it if we find it.
// Remove reserved keywords. They are forbidden in a source string
$tmp = str_ireplace(array('__DOUBLEQUOTE', '__BEGINTAGTOREPLACE', '__ENDTAGTOREPLACE', '__BEGINENDTAGTOREPLACE'), '', $tmp);
foreach ($tmparrayoftags as $tagtoreplace) {
// For case of tag without attributes '<abc>', '</abc>', '<abc />', we protect them to avoid transformation by htmlentities() later
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
$tmp = str_ireplace('</'.$tagtoreplace.'>', '__ENDTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').' \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
// For case of tag with attribute
// For case of tag with attributes
do {
$tmpold = $tmp;
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must never have [ ] inside the attribute string
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes);
$tmpattributes = str_ireplace('href="https:', '__HREFHTTPSA', $tmpattributes);
$tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
$tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'(\s+)([^>]+)>/', $tmp, $reg)) {
// We want to protect the attribute part ... in '<xxx ...>' to avoid transformation by htmlentities() later
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[2]); // We must never have [ ] inside the attribute string
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_%,\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)\s+\/>/', $tmp, $reg)) {
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content.
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'\s+\/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
$tmp = str_replace('<'.$tagtoreplace.$reg[1].$reg[2].'>', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
$diff = strcmp($tmpold, $tmp);
} while ($diff);
}
$tmp = str_ireplace('&quot', '__DOUBLEQUOT', $tmp);
$tmp = str_ireplace('&quot', '__DOUBLEQUOTE', $tmp);
$tmp = str_ireplace('&lt', '__LESSTAN', $tmp);
$tmp = str_ireplace('&gt', '__GREATERTHAN', $tmp);
}
// Warning: htmlentities encode HTML tags like <abc>, but not &lt; &gt; &quotes; &apos; &#39; &amp; that remains untouched.
$result = htmlentities($tmp, ENT_COMPAT, 'UTF-8'); // Convert & into &amp; and more...
// Warning: htmlentities encode HTML tags like <abc> & into &amp; and more (but not &lt; &gt; &quotes; &apos; &#39; &amp; that remains untouched).
$result = htmlentities($tmp, ENT_COMPAT, 'UTF-8');
//print $result;
if (count($tmparrayoftags)) {
// Restore protected tags
foreach ($tmparrayoftags as $tagtoreplace) {
$result = str_ireplace('__BEGINTAGTOREPLACE'.$tagtoreplace.'__', '<'.$tagtoreplace.'>', $result);
$result = preg_replace('/__BEGINTAGTOREPLACE'.$tagtoreplace.'\[([^\]]*)\]__/', '<'.$tagtoreplace.' \1>', $result);
@@ -2247,19 +2242,13 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
$result = preg_replace('/__BEGINENDTAGTOREPLACE'.$tagtoreplace.'\[([^\]]*)\]__/', '<'.$tagtoreplace.' \1 />', $result);
}
$result = str_ireplace('__HREFHTTPA', 'href="http:', $result);
$result = str_ireplace('__HREFHTTPSA', 'href="https:', $result);
$result = str_ireplace('__SRCHTTPIMG', 'src="http:', $result);
$result = str_ireplace('__SRCHTTPSIMG', 'src="https:', $result);
$result = str_ireplace('__DOUBLEQUOTE', '"', $result);
$result = str_ireplace('__LESSTAN', '&lt', $result);
$result = str_ireplace('__GREATERTHAN', '&gt', $result);
}
$result = str_ireplace('__SIMPLEQUOTE', '&#39;', $result);
$result = str_ireplace('__DOUBLEQUOT', '&quot', $result);
$result = str_ireplace('__LESSTAN', '&lt', $result);
$result = str_ireplace('__GREATERTHAN', '&gt', $result);
//$result="\n\n\n".var_export($tmp, true)."\n\n\n".var_export($result, true);
return $result;

12
test/phpunit/FunctionsLibTest.php
View File

@@ -1133,6 +1133,18 @@ class FunctionsLibTest extends CommonClassTest
$result = dol_escape_htmltag($input, 1);
$this->assertEquals('x&amp;&lt;b&gt;#&lt;/b&gt;,&quot;', $result);
$input = '<img alt="" src="https://github.githubassets.com/assets/GitHub%20Mark-ea2971cee799.png">'; // & and " are converted into html entities, <b> are not removed
$result = dol_escape_htmltag($input, 1, 1, 'common', 0, 1);
$this->assertEquals('<img alt="" src="https://github.githubassets.com/assets/GitHub%20Mark-ea2971cee799.png">', $result);
$input = '<img src="data:image/png;base64, 123/456+789==" style="height: 123px; width:456px">'; // & and " are converted into html entities, <b> are not removed
$result = dol_escape_htmltag($input, 1, 1, 'common');
$this->assertEquals('<img src="data:image/png;base64, 123/456+789==" style="height: 123px; width:456px">', $result);
$input = '<img src="data:image/png;base64, 123/456+789==" style="height: 123px; width:456px">'; // & and " are converted into html entities, <b> are not removed
$result = dol_escape_htmltag($input, 1);
$this->assertEquals('&lt;img src=&quot;data:image/png;base64, 123/456+789==&quot; style=&quot;height: 123px; width:456px&quot;&gt;', $result);
$input = '<img alt="" src="https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png">'; // & and " are converted into html entities, <b> are not removed
$result = dol_escape_htmltag($input, 1, 1, 'common', 0, 1);
$this->assertEquals('<img alt="" src="https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png">', $result);