Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 17:48:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX XSS

Browse Source
This commit is contained in:
Laurent Destailleur
2017-05-10 11:47:34 +02:00
parent 2fc64b8e11
commit c4722e3694
4 changed files with 35 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@@ -302,7 +302,7 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
break;
case 'aZ09':
$out=trim($out);
if (preg_match('/[^a-z0-9_]+/i',$out)) $out='';
if (preg_match('/[^a-z0-9_\-]+/i',$out)) $out='';
break;
case 'array':
if (! is_array($out) || empty($out)) $out=array();
@@ -2937,7 +2937,7 @@ function dol_print_error($db='',$error='',$errors=null)
if ($_SERVER['DOCUMENT_ROOT']) // Mode web
{
$out.="<b>".$langs->trans("DatabaseTypeManager").":</b> ".$db->type."<br>\n";
$out.="<b>".$langs->trans("RequestLastAccessInError").":</b> ".($db->lastqueryerror()?$db->lastqueryerror():$langs->trans("ErrorNoRequestInError"))."<br>\n";
$out.="<b>".$langs->trans("RequestLastAccessInError").":</b> ".($db->lastqueryerror()?dol_escape_htmltag($db->lastqueryerror()):$langs->trans("ErrorNoRequestInError"))."<br>\n";
$out.="<b>".$langs->trans("ReturnCodeLastAccessInError").":</b> ".($db->lasterrno()?$db->lasterrno():$langs->trans("ErrorNoRequestInError"))."<br>\n";
$out.="<b>".$langs->trans("InformationLastAccessInError").":</b> ".($db->lasterror()?$db->lasterror():$langs->trans("ErrorNoRequestInError"))."<br>\n";
$out.="<br>\n";
@@ -2945,7 +2945,9 @@ function dol_print_error($db='',$error='',$errors=null)
else // Mode CLI
{
$out.='> '.$langs->transnoentities("DatabaseTypeManager").":\n".$db->type."\n";
$out.='> '.$langs->transnoentities("RequestLastAccessInError").":\n".($db->lastqueryerror()?$db->lastqueryerror():$langs->trans("ErrorNoRequestInError"))."\n";
$out.='> '.$langs->transnoentities("RequestLastAccessInError").":\n".($db->lastqueryerror()?dol_escape_htmltag($db->lastqueryerror()):$langs->trans("ErrorNoRequestInError"))."\n";
// To make detection of xss vulnerabilities or sql injection easier with a scanner, replace line with this one:
//$out.='> '.$langs->transnoentities("RequestLastAccessInError").":\n".($db->lastqueryerror()?$db->lastqueryerror:$langs->trans("ErrorNoRequestInError"))."\n";
$out.='> '.$langs->transnoentities("ReturnCodeLastAccessInError").":\n".($db->lasterrno()?$db->lasterrno():$langs->trans("ErrorNoRequestInError"))."\n";
$out.='> '.$langs->transnoentities("InformationLastAccessInError").":\n".($db->lasterror()?$db->lasterror():$langs->trans("ErrorNoRequestInError"))."\n";