Fix option restricthtmlallowlinkscript of GETPOST
@@ -8333,7 +8333,9 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && $check != 'restricthtmlallowunvalid') {
|
if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && !in_array($check, array('restricthtmlallowunvalid', 'restricthtmlallowlinkscript'))) {
|
||||||
|
// Tidy can't be used for restricthtmlallowunvalid and restricthtmlallowlinkscript
|
||||||
|
// TODO Try to implement a hack for restricthtmlallowlinkscript by renaming tag <link> and <script> ?
|
||||||
try {
|
try {
|
||||||
// Try cleaning using tidy
|
// Try cleaning using tidy
|
||||||
if (extension_loaded('tidy') && class_exists("tidy")) {
|
if (extension_loaded('tidy') && class_exists("tidy")) {
|
||||||
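Review bot: The new `in_array()` test on `$check` in the changed condition has no strict flag; if this code still runs under PHP 7, a non-string `$check` such as `0` compares loosely equal to the option names and would silently skip the tidy pass, so write `!in_array($check, array('restricthtmlallowunvalid', 'restricthtmlallowlinkscript'), true)`. Since 'restricthtmlallowlinkscript' now also bypasses the tidy validity check, the docblock of dol_htmlwithnojs (above the hunk) should state that this mode deliberately keeps `<script>` and `<link>` and is only suitable for content coming from trusted editors, as the website page editor does by guarding the call with `$usercanedit`. The function body continues outside the hunk.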
@@ -8696,7 +8698,7 @@ function dol_textishtml($msg, $option = 0)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($option == 1) {
|
if ($option == 1) {
|
||||||
if (preg_match('/<html/i', $msg)) {
|
if (preg_match('/<(html|link|script)/i', $msg)) {
|
||||||
return true;
|
return true;
|
||||||
} elseif (preg_match('/<body/i', $msg)) {
|
} elseif (preg_match('/<body/i', $msg)) {
|
||||||
return true;
|
return true;
|
||||||
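Review bot: The extended pattern `/<(html|link|script)/i` on the changed line matches on tag-name prefix, so any tag starting with those letters (a custom `<linkbox>`, say) now makes dol_textishtml() return true, and the same applies to `/<(html|link|script|body)/i` in the next hunk. If exact tags are intended, anchor the name: `if (preg_match('/<(html|link|script)[\s>\/]/i', $msg)) {` and likewise for the else branch. The two branches are also styled differently now: the option 1 branch keeps a separate `elseif` for `<body` while the else branch folds `body` into the alternation; using one form in both places would keep them easier to maintain in sync. The rest of the function lies outside the hunk.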
@@ -8711,9 +8713,7 @@ function dol_textishtml($msg, $option = 0)
|
|||||||
} else {
|
} else {
|
||||||
// Remove all urls because 'http://aa?param1=abc&param2=def' must not be used inside detection
|
// Remove all urls because 'http://aa?param1=abc&param2=def' must not be used inside detection
|
||||||
$msg = preg_replace('/https?:\/\/[^"\'\s]+/i', '', $msg);
|
$msg = preg_replace('/https?:\/\/[^"\'\s]+/i', '', $msg);
|
||||||
if (preg_match('/<html/i', $msg)) {
|
if (preg_match('/<(html|link|script|body)/i', $msg)) {
|
||||||
return true;
|
|
||||||
} elseif (preg_match('/<body/i', $msg)) {
|
|
||||||
return true;
|
return true;
|
||||||
} elseif (preg_match('/<\/textarea/i', $msg)) {
|
} elseif (preg_match('/<\/textarea/i', $msg)) {
|
||||||
return true;
|
return true;
|
||||||
|
|||||||
@@ -2038,7 +2038,7 @@ if ($action == 'updatemeta' && $usercanedit) {
|
|||||||
$objectpage->image = GETPOST('WEBSITE_IMAGE', 'alpha');
|
$objectpage->image = GETPOST('WEBSITE_IMAGE', 'alpha');
|
||||||
$objectpage->keywords = str_replace(array('<', '>'), '', GETPOST('WEBSITE_KEYWORDS', 'alphanohtml'));
|
$objectpage->keywords = str_replace(array('<', '>'), '', GETPOST('WEBSITE_KEYWORDS', 'alphanohtml'));
|
||||||
$objectpage->allowed_in_frames = GETPOST('WEBSITE_ALLOWED_IN_FRAMES', 'aZ09');
|
$objectpage->allowed_in_frames = GETPOST('WEBSITE_ALLOWED_IN_FRAMES', 'aZ09');
|
||||||
$objectpage->htmlheader = trim(GETPOST('htmlheader', 'none')); // Must accept tags like '<script>' and '<link>'
|
$objectpage->htmlheader = trim(GETPOST('htmlheader', 'restricthtmlallowlinkscript')); // Must accept tags like '<script>' and '<link>'
|
||||||
$objectpage->fk_page = (GETPOSTINT('pageidfortranslation') > 0 ? GETPOSTINT('pageidfortranslation') : 0);
|
$objectpage->fk_page = (GETPOSTINT('pageidfortranslation') > 0 ? GETPOSTINT('pageidfortranslation') : 0);
|
||||||
$objectpage->author_alias = trim(GETPOST('WEBSITE_AUTHORALIAS', 'alphanohtml'));
|
$objectpage->author_alias = trim(GETPOST('WEBSITE_AUTHORALIAS', 'alphanohtml'));
|
||||||
$objectpage->object_type = GETPOST('WEBSITE_OBJECTCLASS', 'alpha');
|
$objectpage->object_type = GETPOST('WEBSITE_OBJECTCLASS', 'alpha');
|
||||||
|
|||||||
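Review bot: The inline comment on the changed `htmlheader` line, `// Must accept tags like '<script>' and '<link>'`, no longer describes the behaviour: the value was previously taken raw with 'none' and is now run through the 'restricthtmlallowlinkscript' check, which presumably routes it through dol_htmlwithnojs() with that mode. Make the comment say what changed and why it is acceptable here: `// Filtered with 'restricthtmlallowlinkscript' (was 'none' = unfiltered): <script> and <link> are kept; only reachable when $usercanedit`. The enclosing `updatemeta` action block starts and ends outside the hunk.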
@@ -1116,6 +1116,8 @@ class SecurityTest extends CommonClassTest
|
|||||||
print "result16 = ".$result."\n";
|
print "result16 = ".$result."\n";
|
||||||
$this->assertFalse($result);
|
$this->assertFalse($result);
|
||||||
|
|
||||||
|
$leftmenu = 'XXX';
|
||||||
|
$conf->global->MAIN_FEATURES_LEVEL = 1; // Force for the case option is -1
|
||||||
$string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
|
$string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
|
||||||
$result = dol_eval($string, 1, 1, '1');
|
$result = dol_eval($string, 1, 1, '1');
|
||||||
print "result17 = ".$result."\n";
|
print "result17 = ".$result."\n";
|
||||||
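Review bot: The override `$conf->global->MAIN_FEATURES_LEVEL = 1;` added before the dol_eval() call is never restored in this hunk, whereas the later cases in this class save and restore their MAIN_RESTRICTHTML_* overrides through `$sav1`/`$sav2`; a forced feature level leaks into every test that runs after this one. Save it first, `$savfeatureslevel = getDolGlobalInt('MAIN_FEATURES_LEVEL');`, and restore it after the assertion that follows `print "result17 = ..."` (outside the hunk): `$conf->global->MAIN_FEATURES_LEVEL = $savfeatureslevel;`. The `$leftmenu = 'XXX';` local presumably only has an effect because dol_eval() resolves variables from the calling scope; a one-line comment saying so would spare the next reader a trip into dol_eval(). The test method starts and ends outside the hunk.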
@@ -1343,6 +1345,46 @@ class SecurityTest extends CommonClassTest
|
|||||||
$this->assertEquals('<img src="x">', $result, 'Test example');
|
$this->assertEquals('<img src="x">', $result, 'Test example');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// For a string with js and link with restricthtmlallowlinkscript
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
|
||||||
|
$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
|
||||||
|
<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
|
||||||
|
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
|
||||||
|
<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
|
||||||
|
$result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
|
||||||
|
print __METHOD__." result=".$result."\n";
|
||||||
|
$this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript');
|
||||||
|
|
||||||
|
// For a string with js and link with restricthtmlallowlinkscript
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1;
|
||||||
|
$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
|
||||||
|
<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
|
||||||
|
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
|
||||||
|
<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
|
||||||
|
$result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
|
||||||
|
print __METHOD__." result=".$result."\n";
|
||||||
|
$this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript');
|
||||||
|
|
||||||
|
// For a string with js and link with restricthtmlallowlinkscript
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
|
||||||
|
$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
|
||||||
|
<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
|
||||||
|
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
|
||||||
|
<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
|
||||||
|
$result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
|
||||||
|
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
|
||||||
|
print __METHOD__." result=".$result."\n";
|
||||||
|
$this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript');
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
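Review bot: The three new cases are copies that differ only in the MAIN_RESTRICTHTML_ONLY_VALID_HTML / MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY pair (0/0, 0/1, 1/0), yet all three carry the identical comment `// For a string with js and link with restricthtmlallowlinkscript` and the identical assertion message, so a failure report does not say which setting combination broke. Build `$s` once and loop over the settings, putting the pair into the assertion message, as sketched below. The cases only show that allowed `<link>`/`<script>` content round-trips unchanged; if the mode is still expected to reject anything, a companion case asserting that would document the intended limit of the option — I cannot tell from this hunk whether such filtering exists. `$sav1`/`$sav2` and the start of the test method are outside the hunk.
```php
// … unchanged: earlier assertions and the definition of $s …
// <link>/<script> must survive whatever the valid-html / tidy settings are
foreach (array(array(0, 0), array(0, 1), array(1, 0)) as list($onlyValidHtml, $useTidy)) {
    $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $onlyValidHtml;
    $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $useTidy;
    $result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
    $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
    $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
    print __METHOD__." result=".$result."\n";
    $this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript with ONLY_VALID_HTML='.$onlyValidHtml.' TIDY='.$useTidy);
}
// … unchanged: return 0; …
```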