Enhance sanitizing of data
@@ -170,7 +170,8 @@ class DolEditor
|
|||||||
readOnly : '.($this->readonly ? 'true' : 'false').',
|
readOnly : '.($this->readonly ? 'true' : 'false').',
|
||||||
htmlEncodeOutput :'.$htmlencode_force.',
|
htmlEncodeOutput :'.$htmlencode_force.',
|
||||||
allowedContent :'.($disallowAnyContent ? 'false' : 'true').',
|
allowedContent :'.($disallowAnyContent ? 'false' : 'true').',
|
||||||
extraAllowedContent : \'\',
|
extraAllowedContent : \'a[target];div{float,display}\', /* Add the style float and display into div to default other allowed tags */
|
||||||
|
disallowedContent : '.($disallowAnyContent ? '\'\'' : '\'\'').',
|
||||||
fullPage : '.($fullpage ? 'true' : 'false').',
|
fullPage : '.($fullpage ? 'true' : 'false').',
|
||||||
toolbar: \''.$this->toolbarname.'\',
|
toolbar: \''.$this->toolbarname.'\',
|
||||||
toolbarStartupExpanded: '.($this->toolbarstartexpanded ? 'true' : 'false').',
|
toolbarStartupExpanded: '.($this->toolbarstartexpanded ? 'true' : 'false').',
|
||||||
|
|||||||
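Review bot: The added `disallowedContent` line evaluates `$disallowAnyContent ? '\'\'' : '\'\''`, so both arms emit the same empty string and the flag has no effect on that editor option; either reduce it to `disallowedContent : \'\',` or give the restrictive branch an actual disallow list. The new `extraAllowedContent` value `a[target];div{float,display}` widens what the client-side CKEditor filter keeps, and a short comment that this filter is a convenience and the server-side attribute allow-list is the real control would keep a later reader from relaxing the server side to match. The enclosing DolEditor method starts and ends outside the hunk.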
@@ -3515,12 +3515,12 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $
|
|||||||
'object_technic', 'object_ticket', 'object_trip', 'object_user', 'object_group', 'object_member',
|
'object_technic', 'object_ticket', 'object_trip', 'object_user', 'object_group', 'object_member',
|
||||||
'object_phoning', 'object_phoning_mobile', 'object_phoning_fax', 'object_email', 'object_website', 'object_movement',
|
'object_phoning', 'object_phoning_mobile', 'object_phoning_fax', 'object_email', 'object_website', 'object_movement',
|
||||||
'off', 'on', 'order',
|
'off', 'on', 'order',
|
||||||
'paiment', 'play', 'pdf', 'playdisabled', 'previous', 'poll', 'pos', 'printer', 'product', 'propal', 'projecttask', 'stock', 'resize', 'service', 'stats', 'trip',
|
'paiment', 'play', 'pdf', 'playdisabled', 'previous', 'poll', 'pos', 'printer', 'product', 'propal', 'stock', 'resize', 'service', 'stats', 'trip',
|
||||||
'setup', 'share-alt', 'sign-out', 'split', 'stripe', 'stripe-s', 'switch_off', 'switch_on', 'tools', 'unlink', 'uparrow', 'user', 'vcard', 'wrench',
|
'setup', 'share-alt', 'sign-out', 'split', 'stripe', 'stripe-s', 'switch_off', 'switch_on', 'tools', 'unlink', 'uparrow', 'user', 'vcard', 'wrench',
|
||||||
'github', 'jabber', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'youtube', 'google-plus-g', 'whatsapp',
|
'github', 'jabber', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'youtube', 'google-plus-g', 'whatsapp',
|
||||||
'chevron-left', 'chevron-right', 'chevron-down', 'chevron-top', 'commercial', 'companies',
|
'chevron-left', 'chevron-right', 'chevron-down', 'chevron-top', 'commercial', 'companies',
|
||||||
'generic', 'home', 'hrm', 'members', 'products', 'invoicing',
|
'generic', 'home', 'hrm', 'members', 'products', 'invoicing',
|
||||||
'payment', 'pencil-ruler', 'preview', 'project', 'projectpub', 'refresh', 'salary', 'shipment', 'supplier_invoice', 'technic', 'ticket',
|
'payment', 'pencil-ruler', 'preview', 'project', 'projectpub', 'projecttask', 'refresh', 'salary', 'shipment', 'supplier_invoice', 'technic', 'ticket',
|
||||||
'error', 'warning',
|
'error', 'warning',
|
||||||
'recruitmentcandidature', 'recruitmentjobposition', 'resource',
|
'recruitmentcandidature', 'recruitmentjobposition', 'resource',
|
||||||
'shapes', 'supplier_proposal', 'supplier_order', 'supplier_invoice',
|
'shapes', 'supplier_proposal', 'supplier_order', 'supplier_invoice',
|
||||||
@@ -3563,7 +3563,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $
|
|||||||
'intervention'=>'ambulance', 'invoice'=>'file-invoice-dollar', 'multicurrency'=>'dollar-sign', 'order'=>'file-invoice',
|
'intervention'=>'ambulance', 'invoice'=>'file-invoice-dollar', 'multicurrency'=>'dollar-sign', 'order'=>'file-invoice',
|
||||||
'error'=>'exclamation-triangle', 'warning'=>'exclamation-triangle',
|
'error'=>'exclamation-triangle', 'warning'=>'exclamation-triangle',
|
||||||
'other'=>'square',
|
'other'=>'square',
|
||||||
'playdisabled'=>'play', 'pdf'=>'file-pdf', 'poll'=>'check-double', 'pos'=>'cash-register', 'preview'=>'binoculars', 'project'=>'sitemap', 'projectpub'=>'sitemap', 'projecttask'=>'tasks', 'propal'=>'file-signature',
|
'playdisabled'=>'play', 'pdf'=>'file-pdf', 'poll'=>'check-double', 'pos'=>'cash-register', 'preview'=>'binoculars', 'project'=>'project-diagram', 'projectpub'=>'project-diagram', 'projecttask'=>'tasks', 'propal'=>'file-signature',
|
||||||
'payment'=>'money-check-alt', 'phoning'=>'phone', 'phoning_mobile'=>'mobile-alt', 'phoning_fax'=>'fax', 'previous'=>'arrow-alt-circle-left', 'printer'=>'print', 'product'=>'cube', 'service'=>'concierge-bell',
|
'payment'=>'money-check-alt', 'phoning'=>'phone', 'phoning_mobile'=>'mobile-alt', 'phoning_fax'=>'fax', 'previous'=>'arrow-alt-circle-left', 'printer'=>'print', 'product'=>'cube', 'service'=>'concierge-bell',
|
||||||
'recruitmentjobposition'=>'id-card-alt', 'recruitmentcandidature'=>'id-badge',
|
'recruitmentjobposition'=>'id-card-alt', 'recruitmentcandidature'=>'id-badge',
|
||||||
'resize'=>'crop', 'supplier_order'=>'dol-order_supplier', 'supplier_proposal'=>'file-signature',
|
'resize'=>'crop', 'supplier_order'=>'dol-order_supplier', 'supplier_proposal'=>'file-signature',
|
||||||
@@ -6253,10 +6253,6 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
|||||||
"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6"
|
"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6"
|
||||||
);
|
);
|
||||||
|
|
||||||
$allowed_attributes = array(
|
|
||||||
"class", "href", "src", "style", "id", "name", "data-html"
|
|
||||||
);
|
|
||||||
|
|
||||||
$allowed_tags_string = join("><", $allowed_tags);
|
$allowed_tags_string = join("><", $allowed_tags);
|
||||||
$allowed_tags_string = '<'.$allowed_tags_string.'>';
|
$allowed_tags_string = '<'.$allowed_tags_string.'>';
|
||||||
|
|
||||||
@@ -6301,7 +6297,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
|||||||
*
|
*
|
||||||
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags()
|
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags()
|
||||||
*/
|
*/
|
||||||
function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("class", "href", "src", "style", "id", "name", "data-html"))
|
function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("alt", "class", "contenteditable", "data-html", "href", "id", "name", "src", "style", "target", "title"))
|
||||||
{
|
{
|
||||||
if (class_exists('DOMDocument')) {
|
if (class_exists('DOMDocument')) {
|
||||||
$dom = new DOMDocument();
|
$dom = new DOMDocument();
|
||||||
|
|||||||
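Review bot: The new default for `$allowed_attributes` keeps `alt`, `contenteditable`, `target` and `title` in addition to the previous set, but the visible docblock carries only `@see` and says nothing about what is kept by default or why `target` and `contenteditable` were added; add a `@param string[] $allowed_attributes` line naming the defaults and the reason for the two behavioural additions. Because `href`, `src` and `style` stay on the list, it is worth confirming in the body (which continues past the hunk) that attribute values are still checked, since an allow-list on attribute names alone does not reject a hostile URL scheme or style value. The commit title says sanitizing is enhanced, yet this hunk only widens the default; a one-line comment stating where the value-level check lives would make that intent explicit.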
@@ -4619,6 +4619,11 @@ span[phptag] {
|
|||||||
border: none;
|
border: none;
|
||||||
font-weight: normal;
|
font-weight: normal;
|
||||||
}
|
}
|
||||||
|
.websitebar .button.bordertransp {
|
||||||
|
color: unset;
|
||||||
|
text-decoration: unset !important;
|
||||||
|
}
|
||||||
|
|
||||||
.websitebar {
|
.websitebar {
|
||||||
border-bottom: 1px solid #ccc;
|
border-bottom: 1px solid #ccc;
|
||||||
background: #e6e6e6;
|
background: #e6e6e6;
|
||||||
|
|||||||
@@ -119,7 +119,7 @@ div.mainmenu.mrp::before {
|
|||||||
}
|
}
|
||||||
|
|
||||||
div.mainmenu.project::before {
|
div.mainmenu.project::before {
|
||||||
content: "\f0e8";
|
content: "\f542";
|
||||||
}
|
}
|
||||||
|
|
||||||
div.mainmenu.ticket::before {
|
div.mainmenu.ticket::before {
|
||||||
|
|||||||
@@ -375,7 +375,7 @@ if (GETPOSTISSET('THEME_SATURATE_RATIO')) {
|
|||||||
content: "\f571";
|
content: "\f571";
|
||||||
}
|
}
|
||||||
.fa-dol-project:before {
|
.fa-dol-project:before {
|
||||||
content: "\f0e8";
|
content: "\f542";
|
||||||
}
|
}
|
||||||
.fa-dol-commande:before,
|
.fa-dol-commande:before,
|
||||||
.fa-dol-order_supplier:before {
|
.fa-dol-order_supplier:before {
|
||||||
|
|||||||
@@ -2230,9 +2230,10 @@ if ($action == 'generatesitemaps') {
|
|||||||
$action = 'preview';
|
$action = 'preview';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* View
|
* View
|
||||||
*/
|
*/
|
||||||
|
|
||||||
$form = new Form($db);
|
$form = new Form($db);
|
||||||
$formadmin = new FormAdmin($db);
|
$formadmin = new FormAdmin($db);
|
||||||
@@ -2428,7 +2429,8 @@ if (!GETPOST('hide_websitemenu')) {
|
|||||||
if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) {
|
if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) {
|
||||||
print ' ';
|
print ' ';
|
||||||
|
|
||||||
print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditCss")).'" name="editcss">';
|
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditCss")).'" name="editcss">';
|
||||||
|
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editcss" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans("EditCss")).'</a>';
|
||||||
|
|
||||||
$importlabel = $langs->trans("ImportSite");
|
$importlabel = $langs->trans("ImportSite");
|
||||||
$exportlabel = $langs->trans("ExportSite");
|
$exportlabel = $langs->trans("ExportSite");
|
||||||
@@ -2726,9 +2728,11 @@ if (!GETPOST('hide_websitemenu')) {
|
|||||||
|
|
||||||
print ' ';
|
print ' ';
|
||||||
|
|
||||||
print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditPageMeta")).'" name="editmeta">';
|
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditPageMeta")).'" name="editmeta">';
|
||||||
|
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editmeta" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans("EditPageMeta")).'</a>';
|
||||||
|
|
||||||
print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditHTMLSource")).'" name="editsource">';
|
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditHTMLSource")).'" name="editsource">';
|
||||||
|
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editsource" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans("EditHTMLSource")).'</a>';
|
||||||
|
|
||||||
print '<!-- button EditInLine and ShowSubcontainers -->'."\n";
|
print '<!-- button EditInLine and ShowSubcontainers -->'."\n";
|
||||||
print '<div class="websiteselectionsection inline-block">';
|
print '<div class="websiteselectionsection inline-block">';
|
||||||
|
|||||||