Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix option restricthtmlallowlinkscript of GETPOST

Browse Source
This commit is contained in:
Laurent Destailleur
2024-09-09 15:56:47 +02:00
parent 3d1f4f9696
commit b8aa7e2511
3 changed files with 48 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/core/lib/functions.lib.php
View File

@@ -8333,7 +8333,9 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
}
}
if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && $check != 'restricthtmlallowunvalid') {
if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && !in_array($check, array('restricthtmlallowunvalid', 'restricthtmlallowlinkscript'))) {
// Tidy can't be used for restricthtmlallowunvalid and restricthtmlallowlinkscript
// TODO Try to implement a hack for restricthtmlallowlinkscript by renaming tag <link> and <script> ?
try {
// Try cleaning using tidy
if (extension_loaded('tidy') && class_exists("tidy")) {
@@ -8696,7 +8698,7 @@ function dol_textishtml($msg, $option = 0)
}
if ($option == 1) {
if (preg_match('/<html/i', $msg)) {
if (preg_match('/<(html|link|script)/i', $msg)) {
return true;
} elseif (preg_match('/<body/i', $msg)) {
return true;
@@ -8711,9 +8713,7 @@ function dol_textishtml($msg, $option = 0)
} else {
// Remove all urls because 'http://aa?param1=abc&amp;param2=def' must not be used inside detection
$msg = preg_replace('/https?:\/\/[^"\'\s]+/i', '', $msg);
if (preg_match('/<html/i', $msg)) {
return true;
} elseif (preg_match('/<body/i', $msg)) {
if (preg_match('/<(html|link|script|body)/i', $msg)) {
return true;
} elseif (preg_match('/<\/textarea/i', $msg)) {
return true;

2
htdocs/website/index.php
View File

@@ -2038,7 +2038,7 @@ if ($action == 'updatemeta' && $usercanedit) {
$objectpage->image = GETPOST('WEBSITE_IMAGE', 'alpha');
$objectpage->keywords = str_replace(array('<', '>'), '', GETPOST('WEBSITE_KEYWORDS', 'alphanohtml'));
$objectpage->allowed_in_frames = GETPOST('WEBSITE_ALLOWED_IN_FRAMES', 'aZ09');
$objectpage->htmlheader = trim(GETPOST('htmlheader', 'none')); // Must accept tags like '<script>' and '<link>'
$objectpage->htmlheader = trim(GETPOST('htmlheader', 'restricthtmlallowlinkscript')); // Must accept tags like '<script>' and '<link>'
$objectpage->fk_page = (GETPOSTINT('pageidfortranslation') > 0 ? GETPOSTINT('pageidfortranslation') : 0);
$objectpage->author_alias = trim(GETPOST('WEBSITE_AUTHORALIAS', 'alphanohtml'));
$objectpage->object_type = GETPOST('WEBSITE_OBJECTCLASS', 'alpha');

42
test/phpunit/SecurityTest.php
View File

@@ -1116,6 +1116,8 @@ class SecurityTest extends CommonClassTest
print "result16 = ".$result."\n";
$this->assertFalse($result);
$leftmenu = 'XXX';
$conf->global->MAIN_FEATURES_LEVEL = 1; // Force for the case option is -1
$string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
$result = dol_eval($string, 1, 1, '1');
print "result17 = ".$result."\n";
@@ -1343,6 +1345,46 @@ class SecurityTest extends CommonClassTest
$this->assertEquals('<img src="x">', $result, 'Test example');
}
// For a string with js and link with restricthtmlallowlinkscript
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
$result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
print __METHOD__." result=".$result."\n";
$this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript');
// For a string with js and link with restricthtmlallowlinkscript
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1;
$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
$result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
print __METHOD__." result=".$result."\n";
$this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript');
// For a string with js and link with restricthtmlallowlinkscript
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
$result = dol_htmlwithnojs($s, 1, 'restricthtmlallowlinkscript');
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $sav1;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $sav2;
print __METHOD__." result=".$result."\n";
$this->assertEquals($s, $result, 'Test for restricthtmlallowlinkscript');
return 0;
}