
Fix option restricthtmlallowlinkscript of GETPOST

Laurent Destailleur
2024-09-09 15:56:47 +02:00
parent 3d1f4f9696
commit b8aa7e2511
3 changed files with 48 additions and 6 deletions


@@ -8333,7 +8333,9 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
}
}
if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && $check != 'restricthtmlallowunvalid') {
if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && !in_array($check, array('restricthtmlallowunvalid', 'restricthtmlallowlinkscript'))) {
// Tidy can't be used for restricthtmlallowunvalid and restricthtmlallowlinkscript
// TODO Try to implement a hack for restricthtmlallowlinkscript by renaming tag <link> and <script> ?
try {
// Try cleaning using tidy
if (extension_loaded('tidy') && class_exists("tidy")) {
@@ -8696,7 +8698,7 @@ function dol_textishtml($msg, $option = 0)
}
if ($option == 1) {
if (preg_match('/<html/i', $msg)) {
if (preg_match('/<(html|link|script)/i', $msg)) {
return true;
} elseif (preg_match('/<body/i', $msg)) {
return true;
@@ -8711,9 +8713,7 @@ function dol_textishtml($msg, $option = 0)
} else {
// Remove all urls because 'http://aa?param1=abc&amp;param2=def' must not be used inside detection
$msg = preg_replace('/https?:\/\/[^"\'\s]+/i', '', $msg);
if (preg_match('/<html/i', $msg)) {
return true;
} elseif (preg_match('/<body/i', $msg)) {
if (preg_match('/<(html|link|script|body)/i', $msg)) {
return true;
} elseif (preg_match('/<\/textarea/i', $msg)) {
return true;
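Review bot: In the option-0 branch the URL-stripping `preg_replace` on the line above the new check runs first, and its character class `[^"\'\s]+` does not stop at `<`, so a payload glued to a URL such as `http://x/<script>alert(1)</script>` is deleted together with the URL before `/<(html|link|script|body)/i` ever sees it. Excluding `<` from the URL run keeps the new detection reachable: `$msg = preg_replace('/https?:\/\/[^"\'\s<]+/i', '', $msg);`. Whether a later elseif branch of dol_textishtml still catches such input I cannot tell from the hunk, since the function starts before it and continues past it; the option-1 branch in the previous hunk does not strip URLs and is unaffected. A comment stating that the stripping only exists to keep `&amp;` inside query strings from triggering entity-based detection, so `<` must be left in place, would make the intent explicit.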