From d4accb97c59d09a93d8b165a7fdb5daf159db4b4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 2 Apr 2022 15:26:40 +0200
Subject: [PATCH] FIX #yogosha9754

---
 htdocs/admin/fckeditor.php | 8 +++++---
 htdocs/main.inc.php | 8 +++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php
index 51247ac0b35..140cd7fcfdf 100644
--- a/htdocs/admin/fckeditor.php
+++ b/htdocs/admin/fckeditor.php
@@ -110,7 +110,8 @@ if (GETPOST('save', 'alpha')) {
 $fckeditor_skin = GETPOST('fckeditor_skin', 'alpha');
 if (!empty($fckeditor_skin)) {
- if (!dolibarr_set_const($db, 'FCKEDITOR_SKIN', $fckeditor_skin, 'chaine', 0, '', $conf->entity)) {
+ $result = dolibarr_set_const($db, 'FCKEDITOR_SKIN', $fckeditor_skin, 'chaine', 0, '', $conf->entity);
+ if ($result <= 0) {
 $error++;
 }
 } else {
@@ -119,7 +120,8 @@ if (GETPOST('save', 'alpha')) {
 $fckeditor_test = GETPOST('formtestfield', 'restricthtml');
 if (!empty($fckeditor_test)) {
- if (!dolibarr_set_const($db, 'FCKEDITOR_TEST', $fckeditor_test, 'chaine', 0, '', $conf->entity)) {
+ $result = dolibarr_set_const($db, 'FCKEDITOR_TEST', $fckeditor_test, 'chaine', 0, '', $conf->entity);
+ if ($result <= 0) {
 $error++;
 }
 } else {
@@ -129,7 +131,7 @@ if (GETPOST('save', 'alpha')) {
 if (!$error) {
 setEventMessages($langs->trans("SetupSaved"), null, 'mesgs');
 } else {
- setEventMessages($langs->trans("Error"), null, 'errors');
+ setEventMessages($langs->trans("Error").' '.$db->lasterror(), null, 'errors');
 }
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 74960833469..9d96eb63a27 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
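Review bot: The error branch in the last hunk now shows `$db->lasterror()` verbatim to the browser; a driver error string commonly carries the failed statement, which here may embed the submitted `formtestfield` value taken with the `restricthtml` filter two hunks earlier, and whether that text is HTML-escaped before display depends on `setEventMessages`, which is not visible here. The page is presumably admin-only, so exposure is limited, but the usual split is to keep the raw driver text in the server-side log and leave the user-facing line as the unchanged `setEventMessages($langs->trans("Error"), null, 'errors');`. If surfacing `lasterror()` on admin pages is the convention in this codebase, a one-line comment saying so on that line would save the next reader the question. The enclosing `if (GETPOST('save', 'alpha'))` block starts before the first hunk.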
@@ -99,6 +99,7 @@ function testSqlAndScriptInject($val, $type)
 return realCharForNumericEntities($m);
 }, $val);
 // We clean html comments because some hacks try to obfuscate evil strings by inserting HTML comments. Example: onerror=alert(1)
 $val = preg_replace('//', '', $val);
+ $val = preg_replace('/[\r\n]/', '', $val);
 } while ($oldval != $val);
 //print "type = ".$type." after decoding: ".$val."\n";
@@ -106,7 +107,12 @@ function testSqlAndScriptInject($val, $type)
 // We check string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
 // We should use dol_string_nounprintableascii but function is not yet loaded/available
- $newval = preg_replace('/[\x00-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
+ // Example of valid UTF8 chars:
+ // utf8=utf8mb3: '\x0A', '\x0D', '\x7E'
+ // utf8=utf8mb3: '\xE0\xA0\x80'
+ // utf8mb4: '\xF0\x9D\x84\x9E' (but this may be refused by the database insert if pagecode is utf8=utf8mb3)
+ $newval = preg_replace('/[\x00-\x09\x0B-\x0C\x0E-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
+ // Note that $newval may also be completely empty '' when non valid UTF8 are found.
 if ($newval != $val) {
 // If $val has changed after removing non valid UTF8 chars, it means we have an evil string.
 $inj += 1;
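Review bot: The added `$val = preg_replace('/[\r\n]/', '', $val);` carries no comment saying why CR/LF is silently removed here rather than flagged, and that is not obvious on its own: the checks later in this function (outside this hunk) only see the stripped copy, so a payload split as `java\nscript` is matched, while the non-printable check in the next hunk was narrowed in the same commit so that `\x0A`/`\x0D` no longer count as an injection marker. I would add above the line: `// CR/LF are removed (not flagged) so that evil strings split across lines, e.g. java\nscript, still match the patterns below; the non-printable check later in this function deliberately leaves \x0A and \x0D alone.` Because the surrounding do/while repeats until `$val` is stable, newlines produced by the entity decoding just above are covered too, which is worth a word in the same comment. The body of `testSqlAndScriptInject` begins before and continues after this hunk.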
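Review bot: The comment added after the new `preg_replace` call is inaccurate: with the `/u` modifier, `preg_replace()` returns `null` (PREG_BAD_UTF8_ERROR), not `''`, when `$val` is not valid UTF-8. The loose `!=` on the next line still reports that as an injection for any non-empty `$val`, but the comment should say what actually happens, e.g. `// Note: with /u, preg_replace() returns null (not '') when $val is not valid UTF-8; the loose != below still counts that as an injection.` Separately, the narrowed class `[\x00-\x09\x0B-\x0C\x0E-\x1F\x7F]` still rejects `\x09`, so any form value containing a literal TAB is still treated as an injection; if tabs are meant to be tolerated like CR/LF they need the same strip-in-loop treatment as the `[\r\n]` removal in the previous hunk, and if not, a comment saying TAB is intentionally still flagged would prevent a later "fix". The enclosing function continues outside the hunk.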