Better sanitization of url and email
@@ -335,7 +335,7 @@ if (empty($reshook)) {
|
||||
$object->phone_perso = trim(GETPOST("phone_perso", 'alpha'));
|
||||
$object->phone_mobile = trim(GETPOST("phone_mobile", 'alpha'));
|
||||
$object->email = preg_replace('/\s+/', '', GETPOST("member_email", 'alpha'));
|
||||
$object->url = trim(GETPOST('member_url', 'custom', 0, FILTER_SANITIZE_URL));
|
||||
$object->url = trim(GETPOST('member_url', 'url'));
|
||||
$object->socialnetworks = array();
|
||||
foreach ($socialnetworks as $key => $value) {
|
||||
if (GETPOSTISSET($key) && GETPOST($key, 'alphanohtml') != '') {
|
||||
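Review bot: The member email read just above the changed url line, `$object->email = preg_replace('/\s+/', '', GETPOST("member_email", 'alpha'));`, still uses the 'alpha' check, so this path does not receive the email-specific sanitization the commit introduces elsewhere; the same applies to `GETPOST("member_email", 'aZ09arobase')` in the following hunk. If uniform handling is the intent, `$object->email = preg_replace('/\s+/', '', GETPOST("member_email", 'email'));` would align it, assuming the FILTER_SANITIZE_EMAIL character set is acceptable for that form. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.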
@@ -485,7 +485,7 @@ if (empty($reshook)) {
|
||||
$phone_perso = GETPOST("phone_perso", 'alpha');
|
||||
$phone_mobile = GETPOST("phone_mobile", 'alpha');
|
||||
$email = preg_replace('/\s+/', '', GETPOST("member_email", 'aZ09arobase'));
|
||||
$url = trim(GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL));
|
||||
$url = trim(GETPOST('url', 'url'));
|
||||
$login = GETPOST("member_login", 'alphanohtml');
|
||||
$pass = GETPOST("password", 'password'); // For password, we use 'none'
|
||||
$photo = GETPOST("photo", 'alphanohtml');
|
||||
|
||||
@@ -240,7 +240,7 @@ if (empty($reshook)) {
|
||||
}
|
||||
}
|
||||
}
|
||||
$object->email = (string) GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
|
||||
$object->email = (string) GETPOST('email', 'email');
|
||||
$object->no_email = GETPOSTINT("no_email");
|
||||
$object->phone_pro = (string) GETPOST("phone_pro", 'alpha');
|
||||
$object->phone_perso = (string) GETPOST("phone_perso", 'alpha');
|
||||
@@ -358,13 +358,13 @@ if (empty($reshook)) {
|
||||
$action = 'edit';
|
||||
}
|
||||
|
||||
if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT("no_email") == -1 && !empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
|
||||
if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT("no_email") == -1 && !empty(GETPOST('email', 'email'))) {
|
||||
$error++;
|
||||
$errors[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("No_Email"));
|
||||
$action = 'edit';
|
||||
}
|
||||
|
||||
if (!empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL)) && !isValidEmail(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
|
||||
if (!empty(GETPOST('email', 'email')) && !isValidEmail(GETPOST('email', 'email'))) {
|
||||
$langs->load("errors");
|
||||
$error++;
|
||||
$errors[] = $langs->trans("ErrorBadEMail", GETPOST('email', 'alpha'));
|
||||
|
||||
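Review bot: `GETPOST('email', 'email')` is evaluated three times across the two changed conditions, and the error message on the last context line reports the 'alpha' variant, so the value that was validated and the value shown to the user can differ whenever sanitization stripped characters. Reading it once, `$email = GETPOST('email', 'email');`, and using `$email` in both conditions and in the `ErrorBadEMail` message keeps validation and reporting consistent, unless showing the less-filtered input in the message is deliberate. The enclosing block continues beyond the hunk.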
@@ -829,6 +829,7 @@ function GETPOSTISARRAY($paramname, $method = 0)
|
||||
* '' or 'none'=no check (deprecated)
|
||||
* 'password'=allow characters for a password
|
||||
* 'email'=allow characters for an email "email@domain.com"
|
||||
* 'url'=allow characters for an url
|
||||
* 'array', 'array:restricthtml' or 'array:aZ09' to check it's an array
|
||||
* 'int'=check it's numeric (integer or float)
|
||||
* 'intcomma'=check it's integer+comma ('1,2,3,4...')
|
||||
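Review bot: The new `'url'` docblock entry, like the `'email'` entry above it, reads as if the check accepts or rejects the value, whereas sanitizeVal strips the disallowed characters and returns whatever remains (filter_var with FILTER_SANITIZE_EMAIL, a preg_replace character whitelist for 'url'), so a malformed input silently becomes a different string rather than an error. I would word it `* 'url'=strip characters not allowed in an url (no validation; use FILTER_VALIDATE_URL where a valid url is required)` and add a matching remark to the 'email' line that isValidEmail() is still needed. The docblock belongs to a function whose body is outside the hunk.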
@@ -1317,6 +1318,11 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
|
||||
case 'email':
|
||||
$out = filter_var($out, FILTER_SANITIZE_EMAIL);
|
||||
break;
|
||||
case 'url':
|
||||
//$out = filter_var($out, FILTER_SANITIZE_URL); // Not reliable, replaced with FILTER_VALIDATE_URL
|
||||
$out = preg_replace('/[^:\/\[\]a-z0-9@\$\'\*\~\.\-_,;\?\!=%&+#]+/i', '', $out);
|
||||
// TODO Allow ( ) but only into password of https://login:password@domain...
|
||||
break;
|
||||
case 'aZ':
|
||||
if (!is_array($out)) {
|
||||
$out = trim($out);
|
||||
|
||||
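Review bot: The retained comment `// Not reliable, replaced with FILTER_VALIDATE_URL` no longer describes the code: the case applies a preg_replace character whitelist, not FILTER_VALIDATE_URL, and nothing validates the result. The whitelist also keeps `'` and does not constrain the scheme, so a value that passed this case still needs context-appropriate escaping when rendered and validation before it is used as a link or fetched; callers should not read 'url' as a guarantee. I would replace the comment with `// FILTER_SANITIZE_URL allowed too much; strip to a conservative character whitelist instead. This sanitizes only, it does not validate the url.` The sanitizeVal switch continues outside the hunk.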
@@ -561,7 +561,7 @@ class PartnershipUtils
|
||||
$url = $href->getAttribute('href');
|
||||
$url = filter_var($url, FILTER_SANITIZE_URL);
|
||||
if (!(!filter_var($url, FILTER_VALIDATE_URL))) {
|
||||
$webcontent .= $url;
|
||||
$webcontent .= $url; // $webcontent is used for a test only, so having content not completely sanitized is not a problem.
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
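Review bot: `if (!(!filter_var($url, FILTER_VALIDATE_URL)))` is a double negation that only reads as a validity check on a second look; `if (filter_var($url, FILTER_VALIDATE_URL) !== false) {` states the same condition directly, and touching that line would fit with the comment the commit adds just below it. The added comment itself is useful in explaining why an unvalidated value is acceptable for `$webcontent`. The enclosing PartnershipUtils method starts and ends outside the hunk.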
@@ -202,7 +202,7 @@ if (empty($reshook) && $action == 'add') { // Test on permission not required he
|
||||
$societe->country_id = GETPOSTINT('country_id');
|
||||
$societe->phone = GETPOST('phone', 'alpha');
|
||||
$societe->fax = GETPOST('fax', 'alpha');
|
||||
$societe->email = trim(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL));
|
||||
$societe->email = trim(GETPOST('email', 'email'));
|
||||
$societe->client = 2 ; // our client is a prospect
|
||||
$societe->code_client = '-1';
|
||||
$societe->name_alias = GETPOST('name_alias', 'alphanohtml');
|
||||
|
||||
@@ -310,12 +310,12 @@ if (empty($reshook)) {
|
||||
$error++;
|
||||
}
|
||||
|
||||
if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
|
||||
if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'email'))) {
|
||||
$error++;
|
||||
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("No_Email")), null, 'errors');
|
||||
}
|
||||
|
||||
if (isModEnabled('mailing') && GETPOSTINT("private") == 1 && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
|
||||
if (isModEnabled('mailing') && GETPOSTINT("private") == 1 && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'email'))) {
|
||||
$error++;
|
||||
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("No_Email")), null, 'errors');
|
||||
}
|
||||
@@ -333,6 +333,7 @@ if (empty($reshook)) {
|
||||
|
||||
$object->name = dolGetFirstLastname(GETPOST('firstname', 'alphanohtml'), GETPOST('name', 'alphanohtml'));
|
||||
$object->civility_id = GETPOST('civility_id', 'alphanohtml'); // Note: civility id is a code, not an int
|
||||
$object->civility_code = GETPOST('civility_id', 'alphanohtml'); // Note: civility id is a code, not an int
|
||||
// Add non official properties
|
||||
$object->name_bis = GETPOST('name', 'alphanohtml');
|
||||
$object->firstname = GETPOST('firstname', 'alphanohtml');
|
||||
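Review bot: The added `$object->civility_code` line carries a verbatim copy of the comment from the `civility_id` line above it, although both are fed from the same `GETPOST('civility_id', 'alphanohtml')`; the comment on the new line should explain the duplication rather than repeat the note, e.g. `// Same value as civility_id: the form field carries the civility code`. Whether civility_id is still required once civility_code is set is not visible from the hunk. The enclosing `if (empty($reshook))` block continues outside the hunk.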
@@ -360,9 +361,9 @@ if (empty($reshook)) {
|
||||
$object->phone = GETPOST('phone', 'alpha');
|
||||
$object->phone_mobile = (string) GETPOST("phone_mobile", 'alpha');
|
||||
$object->fax = GETPOST('fax', 'alpha');
|
||||
$object->email = trim(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL));
|
||||
$object->email = trim(GETPOST('email', 'email'));
|
||||
$object->no_email = GETPOSTINT("no_email");
|
||||
$object->url = trim(GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL));
|
||||
$object->url = trim(GETPOST('url', 'url'));
|
||||
$object->idprof1 = trim(GETPOST('idprof1', 'alphanohtml'));
|
||||
$object->idprof2 = trim(GETPOST('idprof2', 'alphanohtml'));
|
||||
$object->idprof3 = trim(GETPOST('idprof3', 'alphanohtml'));
|
||||
@@ -433,7 +434,7 @@ if (empty($reshook)) {
|
||||
$object->default_lang = GETPOST('default_lang');
|
||||
|
||||
// Webservices url/key
|
||||
$object->webservices_url = GETPOST('webservices_url', 'custom', 0, FILTER_SANITIZE_URL);
|
||||
$object->webservices_url = GETPOST('webservices_url', 'url');
|
||||
$object->webservices_key = GETPOST('webservices_key', 'san_alpha');
|
||||
|
||||
if (GETPOSTISSET('accountancy_code_sell')) {
|
||||
@@ -1083,8 +1084,8 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($canvasdisplayactio
|
||||
$object->phone = GETPOST('phone', 'alpha');
|
||||
$object->phone_mobile = (string) GETPOST("phone_mobile", 'alpha');
|
||||
$object->fax = GETPOST('fax', 'alpha');
|
||||
$object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
|
||||
$object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
|
||||
$object->email = GETPOST('email', 'email');
|
||||
$object->url = GETPOST('url', 'url');
|
||||
$object->capital = GETPOSTFLOAT('capital');
|
||||
$paymentTermId = GETPOSTINT('cond_reglement_id'); // can be set by default values on create page and not already in get or post variables
|
||||
if (empty($paymentTermId) && !GETPOSTISSET('cond_reglement_id')) {
|
||||
@@ -2081,9 +2082,9 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($canvasdisplayactio
|
||||
$object->phone = GETPOST('phone', 'alpha');
|
||||
$object->phone_mobile = (string) GETPOST('phone_mobile', 'alpha');
|
||||
$object->fax = GETPOST('fax', 'alpha');
|
||||
$object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
|
||||
$object->email = GETPOST('email', 'email');
|
||||
$object->no_email = GETPOSTINT("no_email");
|
||||
$object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
|
||||
$object->url = GETPOST('url', 'url');
|
||||
$object->capital = GETPOSTFLOAT('capital');
|
||||
$object->idprof1 = GETPOST('idprof1', 'alphanohtml');
|
||||
$object->idprof2 = GETPOST('idprof2', 'alphanohtml');
|
||||
@@ -2103,7 +2104,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($canvasdisplayactio
|
||||
$object->status = GETPOSTINT('status');
|
||||
|
||||
// Webservices url/key
|
||||
$object->webservices_url = GETPOST('webservices_url', 'custom', 0, FILTER_SANITIZE_URL);
|
||||
$object->webservices_url = GETPOST('webservices_url', 'url');
|
||||
$object->webservices_key = GETPOST('webservices_key', 'san_alpha');
|
||||
|
||||
if (GETPOSTISSET('accountancy_code_sell')) {
|
||||
|
||||