diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 4083a95002d..3f4c27799cd 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -915,8 +915,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options try { $dom = new DOMDocument; // Add a trick to solve pb with text without parent tag - // like '

Foo

bar

' that ends up with '

Foo

bar

' - // like 'abc' that ends up with '

abc

' + // like '

Foo

bar

' that wrongly ends up without the trick into '

Foo

bar

' + // like 'abc' that wrongly ends up without the tric into with '

abc

' $out = '
'.$out.'
'; $dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL); @@ -925,6 +925,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options // Remove the trick added to solve pb with text without parent tag $out = preg_replace('/^
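Review bot: The rewritten comment line `// like 'abc' that wrongly ends up without the tric into with '…'` carries two typos, `tric` for `trick` and the stray `into with`; suggest `// like 'abc' that, without the trick, wrongly ends up as '…'` with the original markup example kept as it was (the page rendering has stripped the tags, so I cannot quote them exactly). The sentence on the preceding `+` line has the same shape and could use the same wording. The `try` block and sanitizeVal itself continue outside the hunk.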
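Review bot: The two added lines `var_dump('xxx');` and `var_dump($out);` in sanitizeVal are leftover debugging output and should be deleted before merge. sanitizeVal runs on untrusted input, and `var_dump($out)` writes that string to the response raw, unescaped, before the sanitized result is returned, so it undoes the very filtering this function exists for; it will also corrupt any caller that emits JSON or sends headers after the call. If a trace is genuinely wanted here, route it through the project's logging facility rather than stdout. The enclosing `try` starts before this hunk, so the rest of the cleanup path is not visible.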
/', '', $out); $out = preg_replace('/<\/div>$/', '', $out); + var_dump('xxx'); + var_dump($out); } catch (Exception $e) { //print $e->getMessage(); return 'InvalidHTMLString'; diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index cadf8a7504f..7a965337c96 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -537,16 +537,19 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals("Text with ' encoded with the numeric html entity converted into text entity ' (like when submited by CKEditor)", $result, 'Test 14'); - $result=GETPOST("param15", 'restricthtml'); // src=>0xbeefed + $result=GETPOST("param15", 'restricthtml'); // param15 = src=>0xbeefed that is a dangerous string print __METHOD__." result=".$result."\n"; $this->assertEquals("0xbeefed", $result, 'Test 15'); // The GETPOST return a harmull string - // Test with restricthtml + MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES to test disabling of bad atrributes + // Test with restricthtml + MAIN_RESTRICTHTML_ONLY_VALID_HTML to test disabling of bad atrributes $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1; - $result=GETPOST("param15", 'restricthtml'); + + $result=GETPOST("param15", 'restricthtml'); // param15 = src=>0xbeefed that is a dangerous string print __METHOD__." result=".$result."\n"; - $this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); + //$this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); + $this->assertEquals(' src=>0xbeefed', $result, 'Test 15b'); + unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML); @@ -555,7 +558,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase $result=GETPOST("param15", 'restricthtml'); print __METHOD__." result=".$result."\n"; - $this->assertEquals('0xbeefed', $result, 'Test 15b'); + $this->assertEquals('0xbeefed', $result, 'Test 15c'); $result=GETPOST('param16', 'restricthtml'); print __METHOD__." result=".$result."\n"; 
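Review bot: The new `Test 15b` assertion expects GETPOST to return the original `param15` value (shown on this page with its tags stripped) while `MAIN_RESTRICTHTML_ONLY_VALID_HTML` is set, and the previous expectation of `'InvalidHTMLString'` is only commented out rather than removed. Together with the `var_dump` calls added to sanitizeVal in the same commit, this looks like an in-progress debugging state rather than a deliberate change of contract; if the option is meant to reject malformed HTML, the old assertion should be restored, and if passing the value through is really intended, the commented line should go and a one-line comment should say why, e.g. `// With ONLY_VALID_HTML the parser accepts this input as-is; see sanitizeVal`. The rewritten comment also keeps the typo `atrributes`. The `Test 15b` to `Test 15c` relabel in the second hunk is fine. The enclosing test method starts and ends outside these hunks.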
@@ -836,6 +839,36 @@ class SecurityTest extends PHPUnit\Framework\TestCase $this->assertEquals('google.com', $result, 'Test on dol_sanitizeUrl C'); } + /** + * testDolSanitizeEmail + * + * @return void + */ + public function testDolSanitizeEmail() + { + global $conf,$user,$langs,$db; + $conf=$this->savconf; + $user=$this->savuser; + $langs=$this->savlangs; + $db=$this->savdb; + + $test = 'aaa@mycompany.com , bbb@mycompany.com '; + $result=dol_sanitizeEmail($test); + $this->assertEquals($test, $result, 'Test on dol_sanitizeEmail A'); + + $test = "aaa@mycompany.com ,\nbbb@mycompany.com "; + $result=dol_sanitizeEmail($test); + $this->assertEquals('aaa@mycompany.com ,bbb@mycompany.com ', $result, 'Test on dol_sanitizeEmail B'); + + $test = 'aaa@mycompany.com ,\nbbb@mycompany.com '; + $result=dol_sanitizeEmail($test); + $this->assertEquals('aaa@mycompany.com ,nbbb@mycompany.com ', $result, 'Test on dol_sanitizeEmail C'); + + $test = 'aaa@mycompany.com , "bcc:bbb"@mycompany.com '; + $result=dol_sanitizeEmail($test); + $this->assertEquals('aaa@mycompany.com , bccbbb@mycompany.com ', $result, 'Test on dol_sanitizeEmail D'); + } + /** * testDolSanitizeFileName *
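Review bot: Cases B to D of testDolSanitizeEmail pin that a newline, a backslash, double quotes and a colon are stripped from a recipient list, but nothing in the method says why, so the expectations will read as arbitrary to the next maintainer; a short comment per case would help, e.g. before case B `// A line break inside a recipient list must be removed (mail header injection)`. Case C uses a single-quoted `'\n'`, which is a literal backslash followed by `n` rather than a newline, and the expected `,nbbb@` then shows the backslash being dropped; that is presumably deliberate and deserves a comment so it is not mistaken for a typo of case B. If dol_sanitizeEmail is also expected to drop a carriage return, a `"\r\n"` variant would cover it; its implementation is not on this page, so I cannot tell. The docblock only repeats the method name and could state the behaviour under test instead. The method is complete within the hunk, but the class continues outside it.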