Enhance antiXSS by excluding non printable chars used to obfuscate hack

This commit is contained in:
Laurent Destailleur
2020-09-20 04:56:45 +02:00
parent 85aa1ab402
commit 2eb46b4900
3 changed files with 23 additions and 5 deletions


@@ -970,7 +970,7 @@ function dol_string_unaccent($str)
* @param array $badcharstoreplace List of forbidden characters
* @return string Cleaned string
*
* @see dol_sanitizeFilename(), dol_string_unaccent()
* @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii()
*/
function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
{
@@ -983,6 +983,21 @@ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
}
/**
* Clean a string from all non printable ascii chars (0x00-0x1F and 0x7F). It removes also CR-LF
* This can be used to sanitize a string and view its real content. Some hacks try to obfuscate attacks by inserting non printable chars.
*
* @param string $str String to clean
* @return string Cleaned string
*
* @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nospecial()
*/
function dol_string_nounprintableascii($str)
{
return preg_replace('/[\x00-\x1F\x7F]/u', '', $str);
}
/**
* Returns text escaped for inclusion into javascript code
*
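Review bot: `preg_replace('/[\x00-\x1F\x7F]/u', '', $str)` returns null instead of a string when `$str` is not valid UTF-8, because the `u` modifier makes PCRE validate the whole subject first; since this helper is meant for attacker-controlled input, a payload carrying one stray high byte would turn the "cleaned" value into null, and any caller that inspects the cleaned string for forbidden patterns while still using the original would be bypassed (the callers are in the other two changed files, not visible here). The character class only matches single ASCII bytes, which never occur inside UTF-8 multibyte sequences, so the `u` flag adds nothing; `return preg_replace('/[\x00-\x1F\x7F]/', '', $str);` behaves identically on valid input and always yields a string. The docblock should also state the limit of the filter, e.g. `* Note: only C0 controls and DEL are removed; C1 controls (0x80-0x9F) and Unicode format chars such as U+200B or U+FEFF are left untouched.`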