Fix: Do not transform [__XXX__] string when

MAIN_RESTRICTHTML_ONLY_VALID_HTML is on.
This commit is contained in:
Laurent Destailleur
2025-12-01 13:54:27 +01:00
parent ebacc05fe3
commit 41fc03c63b
3 changed files with 35 additions and 7 deletions


@@ -129,7 +129,6 @@ class SecurityGETPOSTTest extends CommonClassTest
$_GET["param20"] = '<link rel="dns-prefetch" href="//cdnjs.cloudflare.com" />';
$result = GETPOST('id', 'int'); // Must return nothing
print __METHOD__." result=".$result."\n";
$this->assertEquals('', $result);
@@ -316,6 +315,13 @@ class SecurityGETPOSTTest extends CommonClassTest
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
$_POST["pagecontentwithaconstantvarinurl"] = '<a href="https://[__aaa__]/aaa.html">https://[__aaa__]/aaa.html</a>';
$result = GETPOST("pagecontentwithaconstantvarinurl", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('<a href="https://[__aaa__]/aaa.html">https://[__aaa__]/aaa.html</a>', $result, 'Test on HTML content with url with constant');
//$_POST["param0"] = 'A real string with <a href="rrr" title="aabb">aaa</a> and " inside content';
$result = GETPOST("param0", 'restricthtml');
$resultexpected = 'A real string with <a href="rrr" title=\'aa"bb\'>aaa</a> and " and \' and &amp; inside content';
@@ -456,6 +462,7 @@ class SecurityGETPOSTTest extends CommonClassTest
print __METHOD__." result=".$result."\n";
$this->assertEquals('x3aalert(1)', $result, 'Test for backtopage param');
// Test with restricthtml + MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT to test limit of external links
$conf->global->MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT = 3;
$_POST["pagecontentwithlinks"] = '<img src="aaa"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>';
@@ -498,7 +505,6 @@ class SecurityGETPOSTTest extends CommonClassTest
print __METHOD__." result=".$result."\n";
$this->assertEquals('ErrorHTMLExternalLinksNotAllowed (Example: http://ddd)', $result, 'Test on MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 1 (no links to http allowed)');
// Test substitution in GET url
$user->fk_user = 999;
$mysoc->country_id = 1;
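Review bot: The new `pagecontentwithaconstantvarinurl` assertion only proves that a well-formed `[__aaa__]` token survives the restricthtml pass; nothing here shows that the exemption cannot be abused, because the sanitizer change that honours these tokens lives in another file and it is not visible whether it limits what may appear between `[__` and `__]`. I would add a negative case right after it so the pass-through is pinned to plain identifiers, e.g. `$_POST["pagecontentwithaconstantvarinurl"] = '<a href="[__x__]" onclick="[__alert(1)__]">a</a>';` followed by `$result = GETPOST("pagecontentwithaconstantvarinurl", 'restricthtml');` and `$this->assertStringNotContainsString('onclick', $result, 'Constant token must not shield an event handler');`. Only the `MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0` path is exercised; if the tidy path also handles these tokens, a second run with it set to 1 would be needed. The enclosing test method starts and ends outside this hunk, and the config flags set here are not reset in the visible lines, so later assertions in the method may be running under them.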