Disallow use of &# into dol_sanitizeUrl()

2025-12-10 19:41:26 +01:00 · 2021-03-14 20:31:53 +01:00
parent cd12b7c39f
commit 9aa8916a9c
2 changed files with 4 additions and 4 deletions
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -617,7 +617,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null

 		do {
 			$oldstringtoclean = $out;
-			$out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#x3a'), '', $out);
+			$out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $out);
 		} while ($oldstringtoclean != $out);

 		$out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out);
@@ -1029,7 +1029,7 @@ function dol_sanitizeUrl($stringtoclean, $type = 1)
 	do {
 		$oldstringtoclean = $stringtoclean;

-		$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#x3a'), '', $stringtoclean);
+		$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $stringtoclean);
 	} while ($oldstringtoclean != $stringtoclean);

 	if ($type == 1) {
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -476,7 +476,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
 		$result=GETPOST("backtopage");
 		print __METHOD__." result=".$result."\n";
-		$this->assertEquals(' alert(1)', $result, 'Test for backtopage param');
+		$this->assertEquals('3a alert(1)', $result, 'Test for backtopage param');

 		return $result;
 	}
@@ -691,7 +691,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase

 		$test = 'javascripT&javascript#x3a alert(1)';
 		$result=dol_sanitizeUrl($test);
-		$this->assertEquals(' alert(1)', $result, 'Test on dol_sanitizeUrl A');
+		$this->assertEquals('3a alert(1)', $result, 'Test on dol_sanitizeUrl A');

 		$test = 'javajavascriptscript&cjavascriptolon;alert(1)';
 		$result=dol_sanitizeUrl($test);