FIX javascript xss injection and a translation

test/phpunit/CoreTest.php

@@ -219,7 +219,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
 
         print __METHOD__." DOL_MAIN_URL_ROOT=".DOL_MAIN_URL_ROOT."\n";
         print __METHOD__." DOL_URL_ROOT=".DOL_URL_ROOT."\n";
-        $this->assertEquals(DOL_URL_ROOT,$expectedresult);
+        $this->assertEquals($expectedresult, DOL_URL_ROOT);
 
         return true;
     }
@@ -245,7 +245,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
         global $dolibarr_main_db_prefix;
 
 
-        // This is code copied from main.inc.php
+        // This is code copied from main.inc.php !!!!!!!!!!!!!!!
 
         /**
          * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
@@ -258,14 +258,16 @@ class CoreTest extends PHPUnit_Framework_TestCase
         {
             $sql_inj = 0;
             // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
-            if ($type != 2) {
-                $sql_inj += preg_match('/delete[\s]+from/i', $val);
-                $sql_inj += preg_match('/create[\s]+table/i', $val);
-                $sql_inj += preg_match('/update.+set.+=/i', $val);
-                $sql_inj += preg_match('/insert[\s]+into/i', $val);
-                $sql_inj += preg_match('/select.+from/i', $val);
-                $sql_inj += preg_match('/union.+select/i', $val);
-                $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+            if ($type != 2)
+            {
+                $sql_inj += preg_match('/delete\s+from/i',	 $val);
+                $sql_inj += preg_match('/create\s+table/i',	 $val);
+                $sql_inj += preg_match('/update.+set.+=/i',  $val);
+                $sql_inj += preg_match('/insert\s+into/i', 	 $val);
+                $sql_inj += preg_match('/select.+from/i', 	 $val);
+                $sql_inj += preg_match('/union.+select/i', 	 $val);
+                $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i',  $val);
+                $sql_inj += preg_match('/(\.\.%2f)+/i',		 $val);
             }
             // For XSS Injection done by adding javascript with script
             // This is all cases a browser consider text is javascript:
@@ -273,22 +275,40 @@ class CoreTest extends PHPUnit_Framework_TestCase
             // All examples on page: http://ha.ckers.org/xss.html#XSScalc
             $sql_inj += preg_match('/<script/i', $val);
             if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
-            $sql_inj += preg_match('/base[\s]+href/i', $val);
-            if ($type == 1) {
+            $sql_inj += preg_match('/base[\s]+href/si', $val);
+            $sql_inj += preg_match('/<.*onmouse/si', $val);       // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
+            $sql_inj += preg_match('/onerror\s*=/i', $val);       // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
+            if ($type == 1)
+            {
                 $sql_inj += preg_match('/javascript:/i', $val);
                 $sql_inj += preg_match('/vbscript:/i', $val);
             }
             // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
             if ($type == 1) $sql_inj += preg_match('/"/i', $val);		// We refused " in GET parameters value
-            if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val);	// PHP_SELF is an url and must match url syntax
+            if ($type == 2) $sql_inj += preg_match('/[;"]/', $val);		// PHP_SELF is a file system path. It can contains spaces.
             return $sql_inj;
         }
 
-        //type=2 key=0 value=/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices
+        // Run tests
+        
         $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
-        $result=test_sql_and_script_inject($_SERVER["PHP_SELF"],2);
+        $result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
+        $expectedresult=0;
+        $this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1a');
+        
+        $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices;badaction';
+        $result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
         $expectedresult=1;
-
-        $this->assertEquals($result,$expectedresult);
+        $this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1b');
+        
+        $_GET['aaa']="<img src='1.jpg' onerror =javascript:alert('XSS')>";
+        $result=test_sql_and_script_inject($_GET['aaa'], 0);
+        $expectedresult=1;
+        $this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 2');
+        
+        $_POST['bbb']="<img src='1.jpg' onerror =javascript:alert('XSS')>";
+        $result=test_sql_and_script_inject($_POST['bbb'], 2);
+        $expectedresult=1;
+        $this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 3');
     }
 }