More complete fix for #32839

Laurent Destailleur
2025-01-29 01:38:11 +01:00
parent 857f972404
commit 09a282bc38


@@ -2169,7 +2169,7 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
$tmp = str_ireplace('__DONOTDECODEAPOS', '&apos', $tmp);
$tmp = str_ireplace('__DONOTDECODE39', '&#39', $tmp);
$tmp = str_ireplace(''', '__SIMPLEQUOTE', $tmp); // HTML 4
$tmp = str_ireplace(''', '__SIMPLEQUOTE__', $tmp); // HTML 4
}
if (!$keepb) {
$tmp = strtr($tmp, array("<b>" => '', '</b>' => '', '<strong>' => '', '</strong>' => ''));
@@ -2210,7 +2210,7 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'(\s+)([^>]+)>/', $tmp, $reg)) {
// We want to protect the attribute part ... in '<xxx ...>' to avoid transformation by htmlentities() later
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[2]); // We must never have [ ] inside the attribute string
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE__', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_%,\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content
$tmp = str_replace('<'.$tagtoreplace.$reg[1].$reg[2].'>', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
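Review bot: The markers written in this hunk — `__DOUBLEQUOTE__` on the attribute line and `__BEGINTAGTOREPLACE<tag>[...]__` on the last line — are fixed, guessable plain text that htmlentities() leaves untouched, so input that already contains such a marker literally (e.g. `__BEGINENDTAGTOREPLACEimg[src=x onerror=alert(1)]__`, for any tag in the loop's list) never passes through the attribute character whitelist two lines above, which only runs on attributes taken from a real `<tag ...>`, and is rewritten by the restore step later in the function into a raw `"` or a raw `<img ... />`; the `__` suffix rename in this commit fixes the prefix-collision between markers but does not change that. Unless something earlier in dol_escape_htmltag, outside these hunks, already strips marker-like sequences from the input, derive the markers from a per-call nonce so an attacker cannot supply one: `$marker = '__'.bin2hex(random_bytes(8)).'_';` near the top of the function, then `$marker.'BEGINTAGTOREPLACE'` and `$marker.'DOUBLEQUOTE__'` here, with `preg_quote($marker, '/')` in the restore regexes. Protect and restore run inside the same call, so a function-local nonce is sufficient and callers are unaffected. Note that str_ireplace is case-insensitive, so lower-case spellings of the markers trigger the same rewrite. The function starts and ends outside this hunk.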
@@ -2220,9 +2220,9 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
} while ($diff);
}
$tmp = str_ireplace('&quot', '__DOUBLEQUOTE', $tmp);
$tmp = str_ireplace('&lt', '__LESSTAN', $tmp);
$tmp = str_ireplace('&gt', '__GREATERTHAN', $tmp);
$tmp = str_ireplace('&quot', '__DOUBLEQUOTENOSEMICOLON__', $tmp);
$tmp = str_ireplace('&lt', '__LESSTHAN__', $tmp);
$tmp = str_ireplace('&gt', '__GREATERTHAN__', $tmp);
}
// Warning: htmlentities encode HTML tags like <abc> & into &amp; and more (but not &lt; &gt; &quotes; &apos; &#39; &amp; that remains untouched).
@@ -2240,12 +2240,14 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
$result = preg_replace('/__BEGINENDTAGTOREPLACE'.$tagtoreplace.'\[([^\]]*)\]__/', '<'.$tagtoreplace.' \1 />', $result);
}
$result = str_ireplace('__DOUBLEQUOTE', '"', $result);
$result = str_ireplace('__LESSTAN', '&lt', $result);
$result = str_ireplace('__GREATERTHAN', '&gt', $result);
$result = str_ireplace('__DOUBLEQUOTE__', '"', $result);
$result = str_ireplace('__DOUBLEQUOTENOSEMICOLON__', '&quot', $result);
$result = str_ireplace('__LESSTHAN__', '&lt', $result);
$result = str_ireplace('__GREATERTHAN__', '&gt', $result);
}
$result = str_ireplace('__SIMPLEQUOTE', '&#39;', $result);
$result = str_ireplace('__SIMPLEQUOTE__', '&#39;', $result);
//$result="\n\n\n".var_export($tmp, true)."\n\n\n".var_export($result, true);