Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-27 03:03:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix cleaning html tags with trans and with GETPOST.

Browse Source
This commit is contained in:
Laurent Destailleur
2020-12-06 17:30:27 +01:00
parent 1f83e22aea
commit de61a7cfd3
7 changed files with 42 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
test/phpunit/SecurityTest.php
View File

@@ -285,9 +285,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param6"]="&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;";
$_GET["param7"]='"c:\this is a path~1\aaa&#110;" abc<bad>def</bad>';
$_POST["param8"]="Hacker<svg o&#110;load='console.log(&quot;123&quot;)'"; // html tag is not closed so it is not detected as html tag but is still harmfull
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
// Test int
$result=GETPOST('id', 'int'); // Must return nothing
$result=GETPOST('id', 'int'); // Must return nothing
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, '');
@@ -347,6 +348,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals("Hacker<svg onload='console.log(123)'", $result);
$result=GETPOST("param9", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST["param9"], $result);
$result=GETPOST("param10", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST["param9"], $result, 'We should get param9 after processing param10');
return $result;
}