Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 09:38:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14360 from ATM-Consulting/FIX_12.0_dol_string_onlythesehtmltags_remove_class_by_default

Browse Source 
FIX 12.0 - dol_string_onlythesehtmltags(): remove class attribute by default
This commit is contained in:
Laurent Destailleur
2020-08-04 12:27:31 +02:00
committed by GitHub
parent 2fd59fd0c9 ce18a4f029
commit c09827248b
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/core/lib/functions.lib.php
View File

@@ -5507,12 +5507,13 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
* Clean a string to keep only desirable HTML tags.
*
* @param string $stringtoclean String to clean
* @param string $cleanalsosomestyles Clean also some tags
* @param boolean $cleanalsosomestyles Remove absolute/fixed positioning from inline styles
* @param boolean $removeclassattribute Remove the class attribute from tags
* @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
*/
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1)
{
$allowed_tags = array(
"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
@@ -5524,7 +5525,10 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
$allowed_tags_string = '<'.$allowed_tags_string.'>';
if ($cleanalsosomestyles) {
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless
}
if ($removeclassattribute) {
$stringtoclean = preg_replace('/(<[^>]+)\s+class=((["\']).*?\\3|\\w*)/i', '\\1', $stringtoclean);
}
$temp = strip_tags($stringtoclean, $allowed_tags_string);