Fix phpunit

Laurent Destailleur
2023-11-30 00:06:05 +01:00
parent 7809b66688
commit c417949a7e
3 changed files with 18 additions and 9 deletions


@@ -641,7 +641,7 @@ print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 1)
print '<br>'; print '<br>';
print '<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.(getDolGlobalString('MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES') ? '1' : '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>'); print '<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.(getDolGlobalString('MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES') ? '1' : '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>');
print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").": 1)</span><br>"; print ' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").": 1 - does not work on HTML5 with some old libxml libs)</span><br>";
print '<br>'; print '<br>';
print '<strong>MAIN_DISALLOW_URL_INTO_DESCRIPTIONS</strong> = '.getDolGlobalString('MAIN_DISALLOW_URL_INTO_DESCRIPTIONS', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>')."<br>"; print '<strong>MAIN_DISALLOW_URL_INTO_DESCRIPTIONS</strong> = '.getDolGlobalString('MAIN_DISALLOW_URL_INTO_DESCRIPTIONS', '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>')."<br>";
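Review bot: The new caveat on the MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES line tells the administrator that the option fails with "some old libxml libs", but nothing on the visible lines shows which libxml this server runs, so the reader cannot tell whether the warning applies. Printing the detected version next to it would make the recommendation actionable, for example `print ' <span class="opacitymedium">(libxml '.LIBXML_DOTTED_VERSION.')</span>';`. The caveat is also hard-coded English, while the rest of the line goes through `$langs->trans()`.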


@@ -7384,11 +7384,20 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
* *
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags() * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags()
*/ */
function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width")) function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = null)
{ {
if (is_null($allowed_attributes)) {
$allowed_attributes = array(
"allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width",
// HTML5
"header", "footer", "nav", "section", "menu", "menuitem"
);
}
if (class_exists('DOMDocument') && !empty($stringtoclean)) { if (class_exists('DOMDocument') && !empty($stringtoclean)) {
$stringtoclean = '<?xml encoding="UTF-8"><html><body>'.$stringtoclean.'</body></html>'; $stringtoclean = '<?xml encoding="UTF-8"><html><body>'.$stringtoclean.'</body></html>';
// Warning: loadHTML does not support HTML5 on old libxml versions.
$dom = new DOMDocument(null, 'UTF-8'); $dom = new DOMDocument(null, 'UTF-8');
$dom->loadHTML($stringtoclean, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL); $dom->loadHTML($stringtoclean, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
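Review bot: The entries added under `// HTML5` in the new default list (`"header", "footer", "nav", "section", "menu", "menuitem"`) are element names, but `$allowed_attributes` is an attribute allow-list. As written they only widen the set of attribute names that survive cleaning, and presumably do nothing for how `loadHTML` treats HTML5 tags on old libxml. If the aim was to keep those tags, the tag allow-list used by `dol_string_onlythesehtmltags()` is the place for them; otherwise drop the line so the attribute list stays as small as possible. The docblock should also state that `null` selects the built-in default, for example `@param array|null $allowed_attributes List of attributes to keep (null = default list)`. The function body continues past the hunk, so how the list is applied is not visible here.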


@@ -1152,12 +1152,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase
global $conf; global $conf;
// Set options for cleaning data // Set options for cleaning data
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0; // disabled, does not work on HTML5 $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0; // disabled, does not work on HTML5 and some libxml versions
// Enabled option MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY if possible // Enabled option MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY if possible
if (extension_loaded('tidy') && class_exists("tidy")) { if (extension_loaded('tidy') && class_exists("tidy")) {
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1; $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1;
} }
$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 1; $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0; // disabled, does not work on HTML5 and some libxml versions
@@ -1176,7 +1176,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
// For a string that is already HTML (contains HTML tags) with special tags but badly formated // For a string that is already HTML (contains HTML tags) with special tags but badly formated
$stringtotest = "testA\n<h1>hhhh</h1><z>ddd</z><header>aaa</header><footer>bbb</footer>"; $stringtotest = "testA\n<h1>hhhh</h1><z>ddd</z><header>aaa</header><footer>bbb</footer>";
if (getDolGlobalString("MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY")) { if (getDolGlobalString("MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY")) {
$stringfixed = "testA\n<h1>hhhh</h1>\nddd\n<header>aaa</header>\n<footer>bbb</footer>"; $stringfixed = "testA\n<h1>hhhh</h1>\nddd\n<header>aaa</header>\n<footer>bbb</footer>\n";
} else { } else {
$stringfixed = "testA\n<h1>hhhh</h1>ddd<header>aaa</header><footer>bbb</footer>"; $stringfixed = "testA\n<h1>hhhh</h1>ddd<header>aaa</header><footer>bbb</footer>";
} }
@@ -1186,19 +1186,19 @@ class SecurityTest extends PHPUnit\Framework\TestCase
//$result = dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0)), 1, 1, 'common', 0, 1); //$result = dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0)), 1, 1, 'common', 0, 1);
$result = dolPrintHTML($stringtotest); $result = dolPrintHTML($stringtotest);
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($stringfixed, $result, 'Error'); // Expected '' because should failed because login 'auto' does not exists $this->assertEquals($stringfixed, $result, 'Error');
// For a string that is already HTML (contains HTML tags) but badly formated // For a string that is already HTML (contains HTML tags) but badly formated
$stringtotest = "testB\n<h1>hhh</h1>\n<td>td alone</td><h1>iii</h1>"; $stringtotest = "testB\n<h1>hhh</h1>\n<td>td alone</td><h1>iii</h1>";
if (getDolGlobalString("MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY")) { if (getDolGlobalString("MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY")) {
$stringfixed = "testB\n<h1>hhh</h1>\n<h1>iii</h1>\n<table>\n<tr>\n<td>td alone</td>\n</tr>\n</table>"; $stringfixed = "testB\n<h1>hhh</h1>\n<h1>iii</h1>\n<table>\n<tr>\n<td>td alone</td>\n</tr>\n</table>\n";
} else { } else {
$stringfixed = "testB\n<h1>hhh</h1>\n<td>td alone</td><h1>iii</h1>"; $stringfixed = "testB\n<h1>hhh</h1>\n<td>td alone</td><h1>iii</h1>";
} }
$result = dolPrintHTML($stringtotest); $result = dolPrintHTML($stringtotest);
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($stringfixed, $result, 'Error'); // Expected '' because should failed because login 'auto' does not exists $this->assertEquals($stringfixed, $result, 'Error');
// For a string with no HTML tags // For a string with no HTML tags
@@ -1206,7 +1206,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$stringfixed = "testC<br>\ntest"; $stringfixed = "testC<br>\ntest";
$result = dolPrintHTML($stringtotest); $result = dolPrintHTML($stringtotest);
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($stringfixed, $result, 'Error'); // Expected '' because should failed because login 'auto' does not exists $this->assertEquals($stringfixed, $result, 'Error');
return 0; return 0;
} }