Debug v18

This commit is contained in:
Laurent Destailleur
2023-08-05 12:37:25 +02:00
parent 463d24d50c
commit b47a640f0b
3 changed files with 121 additions and 87 deletions


@@ -955,8 +955,6 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
*/
function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options = null)
{
global $conf;
// TODO : use class "Validate" to perform tests (and add missing tests) if needed for factorize
// Check is done after replacement
switch ($check) {
@@ -1044,8 +1042,9 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
case 'nohtml': // No html
$out = dol_string_nohtmltag($out, 0);
break;
case 'restricthtml': // Recommended for most html textarea
case 'restricthtmlnolink':
case 'restricthtml': // Recommended for most html textarea
case 'restricthtmlallowclass':
case 'restricthtmlallowunvalid':
$out = dol_htmlwithnojs($out, 1, $check);
break;
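Review bot: The new `case 'restricthtmlallowclass':` is a relaxation of the sanitizer (the later hunk at line 7414 appears to pass 0 instead of 1 as the third argument of dol_string_onlythesehtmltags for this mode, which I read as keeping the `class` attribute — to be confirmed against that helper), yet nothing at the sanitizeVal level says so; the other cases in this group carry a short comment and this one should too, e.g. `case 'restricthtmlallowclass': // Like 'restricthtml' but class attributes are kept; only for content edited by trusted users`. The sanitizeVal docblock above this hunk (outside it) should also list the new value, the way the dol_htmlwithnojs @param is updated in the hunk at line 7355. In that same later hunk the mode test uses loose comparison; `$check === 'restricthtmlallowclass'` is the safer form for a string flag. The enclosing switch of sanitizeVal starts and ends outside this hunk.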
@@ -7356,7 +7355,7 @@ function dol_nl2br($stringtoencode, $nl2brmode = 0, $forxml = false)
*
* @param string $stringtoencode String to encode
* @param int $nouseofiframesandbox Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing
* @param string $check 'restricthtmlnolink' or 'restricthtml' or 'restricthtmlallowunvalid'
* @param string $check 'restricthtmlnolink' or 'restricthtml' or 'restricthtmlallowclass' or 'restricthtmlallowunvalid'
* @return string HTML sanitized
*/
function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = 'restricthtml')
@@ -7415,7 +7414,7 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
$out = preg_replace('/&#x?[0-9]+/i', '', $out); // For example if we have j&#x61vascript with an entities without the ; to hide the 'a' of 'javascript'.
// Keep only some html tags and remove also some 'javascript:' strings
$out = dol_string_onlythesehtmltags($out, 0, 1, 1);
$out = dol_string_onlythesehtmltags($out, 0, ($check == 'restricthtmlallowclass' ? 0 : 1), 1);
// We should also exclude non expected HTML attributes and clean content of some attributes (keep only alt=, title=...).
if (!empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)) {