diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index cc866ef5ef7..13bd84b7b9c 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1953,7 +1953,7 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
 $tmparrayoftags = explode(',', $noescapetags);
 }
 if (count($tmparrayoftags)) {
- $tmp = str_ireplace('DOUBLEQUOTE', '', $tmp); // The keyword DOUBLEQUOTE is forbidden. Reserved, so we removed it if we find it.
+ $tmp = str_ireplace('__DOUBLEQUOTE', '', $tmp); // The keyword DOUBLEQUOTE is forbidden. Reserved, so we removed it if we find it.
 foreach ($tmparrayoftags as $tagtoreplace) {
 $tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'__', $tmp);
 
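Review bot: Only `__DOUBLEQUOTE` is stripped from the input here, while the 1964 hunk introduces two more reserved placeholders, `__SRCHTTPIMG` and `__SRCHTTPSIMG`, that the 1988 hunk later rewrites back to `src="http:` / `src="https:` across the whole `$result`. A literal `__SRCHTTPSIMG` already present in the input is made of letters and underscores, so it survives the attribute character filter and is turned into `src="https:` on output, reintroducing a `"` and a `:` that the filter was meant to keep out, in plain text as well as inside a kept tag. The same reserved-keyword rule should cover all three markers, e.g. `$tmp = str_ireplace(array('__DOUBLEQUOTE', '__SRCHTTPIMG', '__SRCHTTPSIMG'), '', $tmp);`, with the comment updated to name them; restoring the src placeholders only within the `[...]` attribute segment rather than over the entire string would narrow this further. dol_escape_htmltag starts and ends outside these hunks, so I cannot see how `$result` is derived from `$tmp` between them.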
@@ -1964,13 +1964,15 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
 $reg = array();
 if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
 $tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
- $tmpattributes = str_ireplace('"', 'DOUBLEQUOTE', $tmpattributes);
- $tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.]/i', '', $tmpattributes);
+ $tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
+ $tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
+ $tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
+ $tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.-]/i', '', $tmpattributes);
 $tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
 }
 if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)> \/>/', $tmp, $reg)) {
 $tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
- $tmpattributes = str_ireplace('"', 'DOUBLEQUOTE', $tmpattributes);
+ $tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
 $tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&]/i', '', $tmpattributes);
 $tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+) \/>/', '__BEGINENDTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
 }
@@ -1988,7 +1990,9 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
 $result = preg_replace('/__BEGINENDTAGTOREPLACE'.$tagtoreplace.'\[(.*)\]__/', '<'.$tagtoreplace.' \1 />', $result);
 }
- $result = str_ireplace('DOUBLEQUOTE', '"', $result);
+ $result = str_ireplace('__SRCHTTPIMG', 'src="http:', $result);
+ $result = str_ireplace('__SRCHTTPSIMG', 'src="https:', $result);
+ $result = str_ireplace('__DOUBLEQUOTE', '"', $result);
 }
 return $result;
 
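Review bot: The two attribute branches in this hunk now filter differently: the first (`<tag attrs>`) gets the src placeholders and the widened class `[^a-z0-9_\/\?\;\s=&\.-]`, while the self-closing branch below keeps `[^a-z0-9_\/\?\;\s=&]` with no placeholder, so `src="https://..."`, dots and hyphens are stripped there but kept in the first branch. If the self-closing form is meant to be supported, the same placeholder and character-class lines should be applied in that branch too, or the filtering pulled into one shared step; otherwise a comment stating why the branches intentionally differ would help. The second `preg_match` pattern also reads `([^>]+)> \/>` while its matching `preg_replace` uses `([^>]+) \/>`, which looks like it could never match the same input — worth confirming this is not a rendering artefact. The enclosing function continues outside this hunk.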
@@ -14149,16 +14153,16 @@ function show_actions_messaging($conf, $langs, $db, $filterobj, $objcon = null, if ($truncateLines > 0 && strlen($histo[$key]['message']) > strlen($truncatedText)) { $out .= '
'; $out .= '
'; - $out .= $truncatedText ; - $out .= ' '.$langs->trans("ReadMore").' '; + $out .= dolPrintHTML($truncatedText); + $out .= '
'.$langs->trans("ReadMore").' '; $out .= '
'; $out .= '
'; - $out .= $histo[$key]['message']; + $out .= dolPrintHTML($histo[$key]['message']); $out .= ' '.$langs->trans("ReadLess").''; $out .= '
'; $out .= '
'; } else { - $out .= $histo[$key]['message']; + $out .= dolPrintHTML($histo[$key]['message']); } $out .= ''; diff --git a/test/phpunit/FunctionsLibTest.php b/test/phpunit/FunctionsLibTest.php index 6a458699773..419db999be2 100644 --- a/test/phpunit/FunctionsLibTest.php +++ b/test/phpunit/FunctionsLibTest.php @@ -1119,6 +1119,10 @@ class FunctionsLibTest extends CommonClassTest $input = 'x&#,"'; // & and " are converted into html entities, are not removed $result = dol_escape_htmltag($input, 1); $this->assertEquals('x&<b>#</b>,"', $result); + + $input = ''; // & and " are converted into html entities, are not removed + $result = dol_escape_htmltag($input, 1, 1, 'common', 0, 1); + $this->assertEquals('', $result); }