forked from Wavyzz/dolibarr
Merge branch '18.0' of git@github.com:Dolibarr/dolibarr.git into develop
This commit is contained in:
Laurent Destailleur
@@ -7117,7 +7117,7 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
|
||||
* @param int $allowlink Allow link tags.
|
||||
* @return string String cleaned
|
||||
*
|
||||
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
|
||||
* @see dol_htmlwithnojs() dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
|
||||
*/
|
||||
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0, $allowed_tags = array(), $allowlink = 0)
|
||||
{
|
||||
@@ -7179,7 +7179,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
||||
/**
|
||||
* Clean a string from some undesirable HTML tags.
|
||||
* Note: Complementary to dol_string_onlythesehtmltags().
|
||||
* This method is used for example when option MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES is set to 1.
|
||||
* This method is used for example by dol_htmlwithnojs() when option MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES is set to 1.
|
||||
*
|
||||
* @param string $stringtoclean String to clean
|
||||
* @param array $allowed_attributes Array of tags not allowed
|
||||
@@ -7231,7 +7231,7 @@ function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes
|
||||
}
|
||||
}
|
||||
|
||||
$return = $dom->saveHTML();
|
||||
$return = $dom->saveHTML(); // This may add a LF at end of lines, so we will trim later
|
||||
//$return = '<html><body>aaaa</p>bb<p>ssdd</p>'."\n<p>aaa</p>aa<p>bb</p>";
|
||||
|
||||
$return = preg_replace('/^'.preg_quote('<?xml encoding="UTF-8">', '/').'/', '', $return);
|
||||
@@ -7245,7 +7245,7 @@ function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes
|
||||
|
||||
/**
|
||||
* Clean a string from some undesirable HTML tags.
|
||||
* Note. Not as secured as dol_string_onlythesehtmltags().
|
||||
* Note: You should use instead dol_string_onlythesehtmltags() that is more secured if you can.
|
||||
*
|
||||
* @param string $stringtoclean String to clean
|
||||
* @param array $disallowed_tags Array of tags not allowed
|
||||
@@ -7358,7 +7358,7 @@ function dol_nl2br($stringtoencode, $nl2brmode = 0, $forxml = false)
|
||||
* Sanitize a HTML to remove js and dangerous content
|
||||
*
|
||||
* @param string $stringtoencode String to encode
|
||||
* @param int $nouseofiframesandbox Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing
|
||||
* @param int $nouseofiframesandbox 0=Default, 1=Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing (not yet working)
|
||||
* @param string $check 'restricthtmlnolink' or 'restricthtml' or 'restricthtmlallowclass' or 'restricthtmlallowunvalid'
|
||||
* @return string HTML sanitized
|
||||
*/
|
||||
@@ -7378,10 +7378,10 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
||||
do {
|
||||
$oldstringtoclean = $out;
|
||||
|
||||
libxml_use_internal_errors(false); // Avoid to fill memory with xml errors
|
||||
|
||||
if (!empty($out) && !empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') {
|
||||
try {
|
||||
libxml_use_internal_errors(false); // Avoid to fill memory with xml errors
|
||||
|
||||
$dom = new DOMDocument;
|
||||
// Add a trick to solve pb with text without parent tag
|
||||
// like '<h1>Foo</h1><p>bar</p>' that wrongly ends up, without the trick, with '<h1>Foo<p>bar</p></h1>'
|
||||
@@ -7396,7 +7396,7 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
||||
} catch (Exception $e) {
|
||||
// If error, invalid HTML string with no way to clean it
|
||||
//print $e->getMessage();
|
||||
$out = 'InvalidHTMLString';
|
||||
$out = 'InvalidHTMLStringCantBeCleaned';
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7420,9 +7420,8 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
||||
// Keep only some html tags and remove also some 'javascript:' strings
|
||||
$out = dol_string_onlythesehtmltags($out, 0, ($check == 'restricthtmlallowclass' ? 0 : 1), 1);
|
||||
|
||||
// We should also exclude non expected HTML attributes and clean content of some attributes (keep only alt=, title=...).
|
||||
// Keep only some html attributes and exclude non expected HTML attributes and clean content of some attributes (keep only alt=, title=...).
|
||||
if (!empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)) {
|
||||
// Warning, the function may add a LF so we are forced to trim to compare with old $out without having always a difference and an infinit loop.
|
||||
$out = dol_string_onlythesehtmlattributes($out);
|
||||
}
|
||||
|
||||
@@ -7461,7 +7460,9 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
||||
* - MultiCell -> param must not be encoded into HTML.
|
||||
* Because writeHTMLCell convert also \n into <br>, if function
|
||||
* is used to build PDF, nl2brmode must be 1.
|
||||
* When we output string on pages, we use dol_string_onlythesehtmltags(dol_htmlentitiesbr()) for notes, and use dol_escape_htmltag() for simple labels.
|
||||
* Note: When we output string on pages, we should use
|
||||
* - dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr(), 1, 1, 1)) for notes,
|
||||
* - dol_escape_htmltag() for simple labels.
|
||||
*
|
||||
* @param string $stringtoencode String to encode
|
||||
* @param int $nl2brmode 0=Adding br before \n, 1=Replacing \n by br (for use with FPDF writeHTMLCell function for example)
|
||||
|
||||
Reference in New Issue
Block a user