Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch '13.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/fourn/facture/card.php
This commit is contained in:
Laurent Destailleur
2021-01-15 19:53:46 +01:00
parent 6d455352a3 2c0f6d2984
commit c7c74e8ed1
5 changed files with 22 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/core/lib/functions.lib.php
View File

@@ -672,25 +672,25 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
if (preg_match('/[^a-z0-9_\-\.,]+/i', $out)) $out = '';
}
break;
case 'nohtml':
case 'nohtml': // No html
$out = dol_string_nohtmltag($out, 0);
break;
case 'alpha': // No html and no ../ and " replaced with ''
case 'alpha': // No html and no ../ and "
case 'alphanohtml': // Recommended for most scalar parameters and search parameters
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('"', '"'), "''", trim($out));
$out = str_replace(array('"', '"'), '', trim($out));
$out = str_replace(array('../'), '', $out);
// keep lines feed
$out = dol_string_nohtmltag($out, 0);
}
break;
case 'alphawithlgt': // No " and no ../ but we keep < > tags
case 'alphawithlgt': // No " and no ../ but we keep < > tags. Can be used for email string like "Name <email>"
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('&quot;', '"'), "", trim($out));
$out = str_replace(array('&quot;', '"'), '', trim($out));
$out = str_replace(array('../'), '', $out);
}
break;