Merge pull request #30915 from MaximilienR-easya/18.0_Backport_yogosha
Backport #yogosha18281
@@ -580,7 +580,7 @@ class Translate
|
|||||||
*/
|
*/
|
||||||
private function getTradFromKey($key)
|
private function getTradFromKey($key)
|
||||||
{
|
{
|
||||||
global $conf, $db;
|
global $db;
|
||||||
|
|
||||||
if (!is_string($key)) {
|
if (!is_string($key)) {
|
||||||
//xdebug_print_function_stack('ErrorBadValueForParamNotAString');
|
//xdebug_print_function_stack('ErrorBadValueForParamNotAString');
|
||||||
@@ -660,7 +660,7 @@ class Translate
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Crypt string into HTML
|
// Encode string into HTML
|
||||||
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content
|
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content
|
||||||
|
|
||||||
// Restore reliable HTML tags into original translation string
|
// Restore reliable HTML tags into original translation string
|
||||||
@@ -670,6 +670,10 @@ class Translate
|
|||||||
$str
|
$str
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// Remove dangerous sequence we should never have. Not needed into a translated response.
|
||||||
|
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
|
||||||
|
$str = str_replace(array('%27', '''), '', $str);
|
||||||
|
|
||||||
if ($maxsize) {
|
if ($maxsize) {
|
||||||
$str = dol_trunc($str, $maxsize);
|
$str = dol_trunc($str, $maxsize);
|
||||||
}
|
}
|
||||||
@@ -739,6 +743,10 @@ class Translate
|
|||||||
$str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
|
$str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Remove dangerous sequence we should never have. Not needed into a translated response.
|
||||||
|
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
|
||||||
|
$str = str_replace(array('%27', '''), '', $str);
|
||||||
|
|
||||||
return $str;
|
return $str;
|
||||||
} else {
|
} else {
|
||||||
/*if ($key[0] == '$') {
|
/*if ($key[0] == '$') {
|
||||||
|
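Review bot: The `$str = str_replace(array('%27', ...), '', $str);` added just before `if ($maxsize) {` is a denylist applied to every translation regardless of the context it will be rendered in, so any legitimate translated text that contains the literal sequence `%27` (a help string describing URL encoding, say) is silently altered, while other encodings of a quote pass through untouched; the durable protection is context-specific escaping at the output site, which the getAdvancedPreviewUrl hunk of this same commit already does with `rawurlencode(dol_escape_js(...))`. The same three lines are duplicated in the hunk at `@@ -739,6 +743,10 @@`; moving them into one private helper (something like `private function removeDangerousSequences($str)`) keeps the two paths from drifting. The second array element renders here as `'''`, which looks like an HTML entity decoded by the page rather than the real source text, so it is worth confirming against the raw file that it is a valid PHP literal. Both enclosing methods start outside their hunks; their docblocks should state that the returned string has these sequences removed, so callers do not mistake that for escaping.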
|||||||
@@ -996,7 +996,7 @@ function document_preview(file, type, title)
|
|||||||
var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
|
var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
|
||||||
var showOriginalSizeButton = false;
|
var showOriginalSizeButton = false;
|
||||||
|
|
||||||
console.log("document_preview A click was done. file="+file+", type="+type+", title="+title);
|
console.log("document_preview A click was done: file="+file+", type="+type+", title="+title);
|
||||||
|
|
||||||
if ($.inArray(type, ValidImageTypes) < 0) {
|
if ($.inArray(type, ValidImageTypes) < 0) {
|
||||||
/* Not an image */
|
/* Not an image */
|
||||||
|
|||||||
@@ -10363,7 +10363,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
|
|||||||
|
|
||||||
if ($alldata == 1) {
|
if ($alldata == 1) {
|
||||||
if ($isAllowedForPreview) {
|
if ($isAllowedForPreview) {
|
||||||
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
|
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
|
||||||
} else {
|
} else {
|
||||||
return array();
|
return array();
|
||||||
}
|
}
|
||||||
@@ -10371,7 +10371,14 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
|
|||||||
|
|
||||||
// old behavior, return a string
|
// old behavior, return a string
|
||||||
if ($isAllowedForPreview) {
|
if ($isAllowedForPreview) {
|
||||||
return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
|
$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
|
||||||
|
$title = $langs->transnoentities("Preview");
|
||||||
|
//$title = '%27-alert(document.domain)-%27';
|
||||||
|
//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");
|
||||||
|
|
||||||
|
// We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
|
||||||
|
// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
|
||||||
|
return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.rawurlencode(dol_escape_js($title)).'\')';
|
||||||
} else {
|
} else {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
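Review bot: On the new `$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart)...` line (and the equivalent `'url'=>` line in the hunk at `@@ -10363,7 +10363,7 @@`), `$param` is still appended raw via `($param ? '&'.$param : '')` while `$modulepart` and `$relativepath` now go through `urlencode()`; if the contract is that `$param` is an already-encoded query fragment, the function's docblock (the function starts outside the hunk) should say so, otherwise a caller passing unencoded data there reintroduces for that parameter the problem this commit fixes for the other two. The two commented-out `//$title = ...` and `//$tmpurl = ...` lines are test payloads left in the function body; they belong in a unit test that asserts the shape of the returned `javascript:` string, not in production code. The mix of `urlencode()` for the URL and mime type and `rawurlencode()` for the title is presumably deliberate (spaces in a translated title must become `%20`, since the browser's percent-decoding of the `javascript:` href will not turn `+` back into a space), but that reasoning is not written down; a line such as `// rawurlencode: title may contain spaces and '+' is not decoded by the browser` would keep the next reader from "fixing" it.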
|||||||