diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index d801b4429c7..e03d13c29e8 100644 --- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php @@ -577,7 +577,6 @@ if (empty($reshook)) { if (!$isupload) { $mesgs = array(); - $object->sujet = (string) GETPOST("sujet"); $object->body = (string) GETPOST("bodyemail", 'restricthtml'); $object->bgcolor = (string) GETPOST("bgcolor"); @@ -744,7 +743,7 @@ if ($action == 'create') { print '
'; // wysiwyg editor require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtml'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%'); + $doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtmlallowunvalid'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%'); $doleditor->Create(); print '
'; diff --git a/htdocs/comm/mailing/class/mailing.class.php b/htdocs/comm/mailing/class/mailing.class.php index 04d2f7c17d8..d281fcb1a3a 100644 --- a/htdocs/comm/mailing/class/mailing.class.php +++ b/htdocs/comm/mailing/class/mailing.class.php @@ -208,6 +208,12 @@ class Mailing extends CommonObject { global $conf, $langs; + // Check properties + if ($this->body === 'InvalidHTMLString') { + $this->error = 'InvalidHTMLString'; + return -1; + } + $this->db->begin(); $this->title = trim($this->title); @@ -257,6 +263,12 @@ class Mailing extends CommonObject */ public function update($user) { + // Check properties + if ($this->body === 'InvalidHTMLString') { + $this->error = 'InvalidHTMLString'; + return -1; + } + $sql = "UPDATE ".MAIN_DB_PREFIX."mailing "; $sql .= " SET titre = '".$this->db->escape($this->title)."'"; $sql .= ", sujet = '".$this->db->escape($this->sujet)."'"; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index c622ebf1aba..93a33e5bd5f 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -775,18 +775,21 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = } break; case 'restricthtml': // Recommended for most html textarea + case 'restricthtmlallowunvalid': do { $oldstringtoclean = $out; - if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)) { - $dom = new DOMDocument; + if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') { try { + $dom = new DOMDocument; $dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL); } catch(Exception $e) { + //print $e->getMessage(); return 'InvalidHTMLString'; } $out = $dom->saveHTML(); } + //var_dump($oldstringtoclean);var_dump($out); // Ckeditor use the numeric entitic for apostrophe so we force it to text entity (all other special chars are correctly // encoded using text entities). This is a fix for CKeditor. diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 8e99a03021e..44b391148f5 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -340,6 +340,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase $langs=$this->savlangs; $db=$this->savdb; + // Force default mode + $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0; + $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0; + $_COOKIE["id"]=111; $_GET["param1"]="222"; $_POST["param1"]="333";