Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 01:28:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Debug v20 - fix dol_escape_htmltag

Browse Source
This commit is contained in:
Laurent Destailleur
2024-07-22 20:12:35 +02:00
parent a735aaeb36
commit 1cb57b03ae
2 changed files with 43 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
htdocs/core/lib/functions.lib.php
View File

@@ -1962,6 +1962,7 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
$tmparrayoftags = explode(',', $noescapetags);
}
if (count($tmparrayoftags)) {
$reg = array();
$tmp = str_ireplace('__DOUBLEQUOTE', '', $tmp); // The keyword DOUBLEQUOTE is forbidden. Reserved, so we removed it if we find it.
foreach ($tmparrayoftags as $tagtoreplace) {
@@ -1970,30 +1971,37 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').' \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
// For case of tag with attribute
$reg = array();
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must never have [ ] inside the attribute string
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes);
$tmpattributes = str_ireplace('href="https:', '__HREFHTTPSA', $tmpattributes);
$tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
$tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;:\s=&\.-]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must avoid escaping but not remove content
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)> \/>/', $tmp, $reg)) {
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;:\s=&]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must avoid escaping but not remove content
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+) \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
do {
$tmpold = $tmp;
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must never have [ ] inside the attribute string
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes);
$tmpattributes = str_ireplace('href="https:', '__HREFHTTPSA', $tmpattributes);
$tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
$tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)\s+\/>/', $tmp, $reg)) {
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content.
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'\s+\/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
$diff = strcmp($tmpold, $tmp);
} while ($diff);
}
}
$result = htmlentities($tmp, ENT_COMPAT, 'UTF-8'); // Convert & into &amp; and more...
//print $result;
if (count($tmparrayoftags)) {
foreach ($tmparrayoftags as $tagtoreplace) {
$result = str_ireplace('__BEGINTAGTOREPLACE'.$tagtoreplace.'__', '<'.$tagtoreplace.'>', $result);