Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-21 00:41:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX sanitizing with GETPOST(alphanohtml) #yogosha5629

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-14 15:38:10 +01:00
parent 72766c830d
commit 74a61d559f
2 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
htdocs/core/lib/functions.lib.php
View File

@@ -6167,12 +6167,13 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
if ($strip_tags) { if ($strip_tags) {
$temp = strip_tags($temp); $temp = strip_tags($temp);
} else { } else {
$temp = str_replace('<>', '', $temp); // No reason to have this into a text, except if value is to try bypass the next html cleaning
$pattern = "/<[^<>]+>/"; $pattern = "/<[^<>]+>/";
// Example of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a> // Example of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
$temp = preg_replace($pattern, "", $temp); // pass 1 - $temp after pass 1: <a href="/myurl" title="A title">0000-021 $temp = preg_replace($pattern, "", $temp); // pass 1 - $temp after pass 1: <a href="/myurl" title="A title">0000-021
$temp = preg_replace($pattern, "", $temp); // pass 2 - $temp after pass 2: 0000-021 $temp = preg_replace($pattern, "", $temp); // pass 2 - $temp after pass 2: 0000-021
// Remove '<' into remainging, so non closing html tags like '<abc'. Note: '<123abc' is not a html tag (can be kept), but '<abc123' is (must be removed). // Remove '<' into remainging, so remove non closing html tags like '<abc' or '<<abc'. Note: '<123abc' is not a html tag (can be kept), but '<abc123' is (must be removed).
$temp = preg_replace('/<([a-z]+)/i', '\1', $temp); $temp = preg_replace('/<+([a-z]+)/i', '\1', $temp);
} }
$temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto); $temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto);

5
test/phpunit/SecurityTest.php
View File

@@ -322,6 +322,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST['param8c']='< with space after is ok'; $_POST['param8c']='< with space after is ok';
$_POST['param8d']='<abc123 is html to clean'; $_POST['param8d']='<abc123 is html to clean';
$_POST['param8e']='<123abc is not html to clean'; $_POST['param8e']='<123abc is not html to clean';
$_POST['param8f']='abc<<svg <><<animate onbegin=alert(document.domain) a';
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\''; $_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\''; $_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
$_POST["param11"]=' Name <email@email.com> '; $_POST["param11"]=' Name <email@email.com> ';
@@ -411,6 +412,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST['param8e'], $result, 'Test a string with non closing html tag with alphanohtml'); $this->assertEquals($_POST['param8e'], $result, 'Test a string with non closing html tag with alphanohtml');
$result=GETPOST("param8f", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('abcsvg animate onbegin=alert(document.domain) a', $result, 'Test a string with html tag open with several <');
$result=GETPOST("param9", 'alphanohtml'); $result=GETPOST("param9", 'alphanohtml');
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST["param9"], $result); $this->assertEquals($_POST["param9"], $result);