mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2025-12-06 09:38:23 +01:00
Debug v20 - fix dol_escape_htmltag
This commit is contained in:
Laurent Destailleur
@@ -1962,6 +1962,7 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
|
|||||||
$tmparrayoftags = explode(',', $noescapetags);
|
$tmparrayoftags = explode(',', $noescapetags);
|
||||||
}
|
}
|
||||||
if (count($tmparrayoftags)) {
|
if (count($tmparrayoftags)) {
|
||||||
|
$reg = array();
|
||||||
$tmp = str_ireplace('__DOUBLEQUOTE', '', $tmp); // The keyword DOUBLEQUOTE is forbidden. Reserved, so we removed it if we find it.
|
$tmp = str_ireplace('__DOUBLEQUOTE', '', $tmp); // The keyword DOUBLEQUOTE is forbidden. Reserved, so we removed it if we find it.
|
||||||
|
|
||||||
foreach ($tmparrayoftags as $tagtoreplace) {
|
foreach ($tmparrayoftags as $tagtoreplace) {
|
||||||
@@ -1970,7 +1971,9 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
|
|||||||
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').' \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
|
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').' \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
|
||||||
|
|
||||||
// For case of tag with attribute
|
// For case of tag with attribute
|
||||||
$reg = array();
|
do {
|
||||||
|
$tmpold = $tmp;
|
||||||
|
|
||||||
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
|
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
|
||||||
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must never have [ ] inside the attribute string
|
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must never have [ ] inside the attribute string
|
||||||
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes);
|
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes);
|
||||||
@@ -1978,22 +1981,27 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
|
|||||||
$tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
|
$tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
|
||||||
$tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
|
$tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
|
||||||
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
|
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
|
||||||
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;:\s=&\.-]/i', '', $tmpattributes);
|
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
|
||||||
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must avoid escaping but not remove content
|
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content
|
||||||
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
|
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
|
||||||
}
|
}
|
||||||
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)> \/>/', $tmp, $reg)) {
|
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)\s+\/>/', $tmp, $reg)) {
|
||||||
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
|
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
|
||||||
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
|
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
|
||||||
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;:\s=&]/i', '', $tmpattributes);
|
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
|
||||||
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must avoid escaping but not remove content
|
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content.
|
||||||
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+) \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
|
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'\s+\/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$diff = strcmp($tmpold, $tmp);
|
||||||
|
} while ($diff);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = htmlentities($tmp, ENT_COMPAT, 'UTF-8'); // Convert & into & and more...
|
$result = htmlentities($tmp, ENT_COMPAT, 'UTF-8'); // Convert & into & and more...
|
||||||
|
|
||||||
|
//print $result;
|
||||||
|
|
||||||
if (count($tmparrayoftags)) {
|
if (count($tmparrayoftags)) {
|
||||||
foreach ($tmparrayoftags as $tagtoreplace) {
|
foreach ($tmparrayoftags as $tagtoreplace) {
|
||||||
$result = str_ireplace('__BEGINTAGTOREPLACE'.$tagtoreplace.'__', '<'.$tagtoreplace.'>', $result);
|
$result = str_ireplace('__BEGINTAGTOREPLACE'.$tagtoreplace.'__', '<'.$tagtoreplace.'>', $result);
|
||||||
|
|||||||
@@ -1123,6 +1123,18 @@ class FunctionsLibTest extends CommonClassTest
|
|||||||
$input = '<img alt="" src="https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png">'; // & and " are converted into html entities, <b> are not removed
|
$input = '<img alt="" src="https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png">'; // & and " are converted into html entities, <b> are not removed
|
||||||
$result = dol_escape_htmltag($input, 1, 1, 'common', 0, 1);
|
$result = dol_escape_htmltag($input, 1, 1, 'common', 0, 1);
|
||||||
$this->assertEquals('<img alt="" src="https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png">', $result);
|
$this->assertEquals('<img alt="" src="https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png">', $result);
|
||||||
|
|
||||||
|
|
||||||
|
$input = '<div style="float:left; margin-left:0px; margin-right:5px">
|
||||||
|
<img id="sigPhoto" src="https://www.domain.com/aaa.png" style="height:65px; width:65px" />
|
||||||
|
</div>
|
||||||
|
<div style="margin-left:74px"><strong>A text here</strong> and more<br>
|
||||||
|
<a href="mailto:abc+def@domain.com" id="sigEmail" style="color:#428BCA;">abc+def@domain.com</a><br>
|
||||||
|
<a href="https://www.another-domain.com" id="sigWebsite" style="color:#428BCA;">https://www.another-domain.com</a><br>
|
||||||
|
</div>';
|
||||||
|
|
||||||
|
$result = dol_escape_htmltag($input, 1, 1, 'common');
|
||||||
|
$this->assertEquals($input, $result);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user