Merge pull request #30915 from MaximilienR-easya/18.0_Backport_yogosha

Backport #yogosha18281
Laurent Destailleur
2024-12-30 04:58:37 +01:00
committed by GitHub
3 changed files with 20 additions and 5 deletions


@@ -10363,7 +10363,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
if ($alldata == 1) {
if ($isAllowedForPreview) {
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
} else {
return array();
}
@@ -10371,7 +10371,14 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
// old behavior, return a string
if ($isAllowedForPreview) {
return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
$title = $langs->transnoentities("Preview");
//$title = '%27-alert(document.domain)-%27';
//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");
// We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.rawurlencode(dol_escape_js($title)).'\')';
} else {
return '';
}
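Review bot: On the new string-return line the second argument, `urlencode(dol_mimetype($relativepath))`, is percent-encoded but never passed through `dol_escape_js()`, unlike the URL and title arguments next to it. As the added comment itself notes, the browser percent-decodes a `javascript:` href before running it, so percent-encoding alone does not keep a quote inside the string literal; whether `dol_mimetype()` can ever return one is not visible here, so treat this as hardening for consistency: `rawurlencode(dol_escape_js(dol_mimetype($relativepath)))`. Using `rawurlencode()` for all three arguments would also avoid emitting `+` for a space, which percent-decoding does not turn back into a space. The two commented-out `$title`/`$tmpurl` sample values would be better kept as a regression test than as dead code, and since `$param` is still appended as given in both hunks, a comment on the function should state that callers must pass it already URL-encoded. The body of getAdvancedPreviewUrl starts and ends outside these hunks.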