Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-12 12:31:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix missing par $check

Browse Source
This commit is contained in:
Laurent Destailleur
2023-04-25 15:31:14 +02:00
parent 5cfe40a4bc
commit 13aeb45429
2 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
htdocs/core/lib/functions.lib.php
View File

@@ -908,7 +908,7 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
break; break;
case 'restricthtml': // Recommended for most html textarea case 'restricthtml': // Recommended for most html textarea
case 'restricthtmlallowunvalid': case 'restricthtmlallowunvalid':
$out = dol_htmlwithnojs($out, 1); $out = dol_htmlwithnojs($out, 1, $check);
break; break;
case 'custom': case 'custom':
if (!empty($out)) { if (!empty($out)) {
@@ -7098,9 +7098,10 @@ function dol_nl2br($stringtoencode, $nl2brmode = 0, $forxml = false)
* *
* @param string $stringtoencode String to encode * @param string $stringtoencode String to encode
* @param int $nouseofiframesandbox Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing * @param int $nouseofiframesandbox Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing
* @param string $check Type of check/sanitizing
* @return string HTML sanitized * @return string HTML sanitized
*/ */
function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0) function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = 'restricthtml')
{ {
global $conf; global $conf;
@@ -7116,15 +7117,16 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0)
do { do {
$oldstringtoclean = $out; $oldstringtoclean = $out;
libxml_use_internal_errors(false); // Avoid to fill memory with xml errors
if (!empty($out) && !empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') { if (!empty($out) && !empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') {
try { try {
$dom = new DOMDocument; $dom = new DOMDocument;
// Add a trick to solve pb with text without parent tag // Add a trick to solve pb with text without parent tag
// like '<h1>Foo</h1><p>bar</p>' that wrongly ends up without the trick into '<h1>Foo<p>bar</p></h1>' // like '<h1>Foo</h1><p>bar</p>' that wrongly ends up, without the trick, with '<h1>Foo<p>bar</p></h1>'
// like 'abc' that wrongly ends up without the tric into with '<p>abc</p>' // like 'abc' that wrongly ends up, without the trick, with '<p>abc</p>'
$out = '<div class="tricktoremove">'.$out.'</div>'; $out = '<div class="tricktoremove">'.$out.'</div>';
$dom->loadHTML($out, LIBXML_HTML_NODEFDTD|LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
$dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
$out = trim($dom->saveHTML()); $out = trim($dom->saveHTML());
// Remove the trick added to solve pb with text without parent tag // Remove the trick added to solve pb with text without parent tag

9
test/phpunit/SecurityTest.php
View File

@@ -382,6 +382,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param13b"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61vascript:alert(document.domain)\">XSS</a>'; $_POST["param13b"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61vascript:alert(document.domain)\">XSS</a>';
$_POST["param14"]="Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)"; $_POST["param14"]="Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)";
$_POST["param15"]="<img onerror<=alert(document.domain)> src=>0xbeefed"; $_POST["param15"]="<img onerror<=alert(document.domain)> src=>0xbeefed";
//$_POST["param15b"]="<html><head><title>Example HTML</title></head><body><div><p>This is a paragraph.</div><ul><li>Item 1</li><li>Item 2</li></ol></body><html>";
$_POST["param16"]='<a style="z-index: 1000">abc</a>'; $_POST["param16"]='<a style="z-index: 1000">abc</a>';
$_POST["param17"]='<span style="background-image: url(logout.php)">abc</span>'; $_POST["param17"]='<span style="background-image: url(logout.php)">abc</span>';
$_POST["param18"]='<span style="background-image: url(...?...action=aaa)">abc</span>'; $_POST["param18"]='<span style="background-image: url(...?...action=aaa)">abc</span>';
@@ -547,8 +548,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string $result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); $this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); // With some PHP and libxml version, we got this when parsong invalid HTML
//$this->assertEquals('<img onerror> src=&gt;0xbeefed', $result, 'Test 15b'); //$this->assertEquals('<img onerror> src=&gt;0xbeefed', $result, 'Test 15b'); // On other we got a HTML that has been cleaned
unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML); unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML);
@@ -767,12 +768,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page $url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
$tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow $tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow
print __METHOD__." url=".$url."\n"; print __METHOD__." url=".$url."\n";
$this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 without following -> 301'); $this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 without a follow -> 301');
$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page $url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
$tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200 $tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200
print __METHOD__." url=".$url."\n"; print __METHOD__." url=".$url."\n";
$this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with following -> 200 but we get '.$tmp['http_code']); $this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with a follow -> 200 but we get '.$tmp['http_code']);
$url = 'http://localhost'; $url = 'http://localhost';
$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL