FIX #16393 Do not sanitize <!DOCTYPE html>

htdocs/core/lib/functions.lib.php

@@ -5833,6 +5833,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
 	$allowed_tags_string = join("><", $allowed_tags);
 	$allowed_tags_string = '<'.$allowed_tags_string.'>';
 
+	$stringtoclean = str_replace('<!DOCTYPE html>', '__!DOCTYPE_HTML__', $stringtoclean);	// Replace DOCTYPE to avoid to have it removed by the strip_tags
+
 	$stringtoclean = dol_string_nounprintableascii($stringtoclean, 0);
 	$stringtoclean = preg_replace('/&colon;/i', ':', $stringtoclean);
 
@@ -5855,6 +5857,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
 		$temp = preg_replace('/javascript\s*:/i', '', $temp);
 	}
 
+	$temp = str_replace('__!DOCTYPE_HTML__', '<!DOCTYPE html>', $temp);	// Restore the DOCTYPE
+
 	return $temp;
 }
 

test/phpunit/SecurityTest.php

@@ -300,6 +300,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
     	$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
     	$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
     	$_POST["param11"]=' Name <email@email.com> ';
+		$_POST["param12"]='<!DOCTYPE html><html>aaa</html>';
 
     	$result=GETPOST('id', 'int');              // Must return nothing
     	print __METHOD__." result=".$result."\n";
@@ -397,6 +398,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
     	print __METHOD__." result=".$result."\n";
     	$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
 
+    	$result=GETPOST("param12", 'restricthtml');
+    	print __METHOD__." result=".$result."\n";
+    	$this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
+
     	return $result;
     }