Disallow use of &# into dol_sanitizeUrl()

2025-12-08 18:48:22 +01:00 · 2021-03-14 20:31:53 +01:00
parent cd12b7c39f
commit 9aa8916a9c
2 changed files with 4 additions and 4 deletions
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -617,7 +617,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null

 		do {
 			$oldstringtoclean = $out;
-			$out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#x3a'), '', $out);
+			$out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $out);
 		} while ($oldstringtoclean != $out);

 		$out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out);
@@ -1029,7 +1029,7 @@ function dol_sanitizeUrl($stringtoclean, $type = 1)
 	do {
 		$oldstringtoclean = $stringtoclean;

-		$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#x3a'), '', $stringtoclean);
+		$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $stringtoclean);
 	} while ($oldstringtoclean != $stringtoclean);

 	if ($type == 1) {