Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-04 16:12:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX CVE-2019–17223 FIX #13053

Browse Source
This commit is contained in:
Laurent Destailleur
2020-02-09 18:28:34 +01:00
parent 5c000159c1
commit 8645fd8946
11 changed files with 55 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
htdocs/core/lib/functions.lib.php
View File

@@ -5559,22 +5559,27 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
/**
* Clean a string to keep only desirable HTML tags.
*
* @param string $stringtoclean String to clean
* @return string String cleaned
* @param string $stringtoclean String to clean
* @param string $cleanalsosomestyles Clean also some tags
* @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
*/
function dol_string_onlythesehtmltags($stringtoclean)
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
{
$allowed_tags = array(
"html", "head", "meta", "body", "article", "a", "b", "br", "div", "em", "font", "img", "ins", "hr", "i", "li", "link",
"html", "head", "meta", "body", "article", "a", "b", "br", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
"ol", "p", "s", "section", "span", "strong", "title",
"table", "tr", "th", "td", "u", "ul"
);
$allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = preg_replace('/^>/', '', $allowed_tags_string);
$allowed_tags_string = preg_replace('/<$/', '', $allowed_tags_string);
$allowed_tags_string = '<'.$allowed_tags_string.'>';
if ($cleanalsosomestyles) {
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
}
$temp = strip_tags($stringtoclean, $allowed_tags_string);
@@ -5583,14 +5588,16 @@ function dol_string_onlythesehtmltags($stringtoclean)
/**
* Clean a string from some undesirable HTML tags.
* Note. Not enough secured as dol_string_onlythesehtmltags().
*
* @param string $stringtoclean String to clean
* @param array $disallowed_tags Array of tags not allowed
* @return string String cleaned
* @param string $stringtoclean String to clean
* @param array $disallowed_tags Array of tags not allowed
* @param string $cleanalsosomestyles Clean also some tags
* @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags()
*/
function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'))
function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'), $cleanalsosomestyles = 0)
{
$temp = $stringtoclean;
foreach ($disallowed_tags as $tagtoremove)
@@ -5598,6 +5605,11 @@ function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array(
$temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
$temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
}
if ($cleanalsosomestyles) {
$temp = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $temp); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
}
return $temp;
}