Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX Injection

Browse Source
This commit is contained in:
Laurent Destailleur
2018-07-09 14:13:01 +02:00
parent 2a676b414a
commit e427496ddf
2 changed files with 51 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
htdocs/core/lib/functions.lib.php
View File

@@ -5014,7 +5014,7 @@ function picto_required()
* @param string $pagecodeto Encoding of input/output string
* @return string String cleaned
*
* @see dol_escape_htmltag strip_tags
* @see dol_escape_htmltag strip_tags dol_string_onlythesehtmltags dol_string_neverthesehtmltags
*/
function dol_string_nohtmltag($stringtoclean,$removelinefeed=1,$pagecodeto='UTF-8')
{
@@ -5041,6 +5041,50 @@ function dol_string_nohtmltag($stringtoclean,$removelinefeed=1,$pagecodeto='UTF-
return trim($temp);
}
/**
* Clean a string to keep only desirable HTML tags.
*
* @param string $stringtoclean String to clean
* @return string String cleaned
*
* @see dol_escape_htmltag strip_tags dol_string_nohtmltag dol_string_neverthesehtmltags
*/
function dol_string_onlythesehtmltags($stringtoclean)
{
$allowed_tags = array(
"html", "head", "meta", "body", "b", "br", "div", "em", "font", "img", "hr", "i", "li", "link",
"ol", "p", "s", "section", "span", "strong", "title",
"table", "tr", "th", "td", "u", "ul"
);
$allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = preg_replace('/^>/','',$allowed_tags_string);
$allowed_tags_string = preg_replace('/<$/','',$allowed_tags_string);
$temp = strip_tags($stringtoclean, $allowed_tags_string);
return $temp;
}
/**
* Clean a string from some undesirable HTML tags.
*
* @param string $stringtoclean String to clean
* @return string String cleaned
*
* @see dol_escape_htmltag strip_tags dol_string_nohtmltag dol_string_onlythesehtmltags
*/
function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags=array('textarea'))
{
$temp = $stringtoclean;
foreach($disallowed_tags as $tagtoremove)
{
$temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
$temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
}
return $temp;
}
/**
* Return first line of text. Cut will depends if content is HTML or not.