FIX #yogosha5757

This commit is contained in:
Laurent Destailleur
2021-03-29 14:11:51 +02:00
parent 50635cea89
commit 4cacca413e
6 changed files with 48 additions and 35 deletions


@@ -316,6 +316,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_GET["param4"]='../dir';
$_GET["param5"]="a_1-b";
$_POST["param6"]="&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;";
$_POST["param6b"]='<<<../>../>../svg><<<../>../>../animate =alert(1)>abc';
$_GET["param7"]='"c:\this is a path~1\aaa&#110;" abc<bad>def</bad>';
$_POST["param8a"]="Hacker<svg o&#110;load='console.log(&quot;123&quot;)'"; // html tag is not closed so it is not detected as html tag but is still harmfull
$_POST['param8b']='<img src=x onerror=alert(document.location) t='; // this is html obfuscated by non closing tag
@@ -386,6 +387,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals('">', $result);
$result=GETPOST("param6b");
print __METHOD__." result=".$result."\n";
$this->assertEquals('abc', $result);
// With restricthtml we must remove html open/close tag and content but not htmlentities like &#110;
$result=GETPOST("param7", 'restricthtml');