Merge pull request #30915 from MaximilienR-easya/18.0_Backport_yogosha

Backport #yogosha18281
This commit is contained in:
Laurent Destailleur
2024-12-30 04:58:37 +01:00
committed by GitHub
3 changed files with 20 additions and 5 deletions


@@ -580,7 +580,7 @@ class Translate
*/
private function getTradFromKey($key)
{
global $conf, $db;
global $db;
if (!is_string($key)) {
//xdebug_print_function_stack('ErrorBadValueForParamNotAString');
@@ -660,7 +660,7 @@ class Translate
}
}
// Crypt string into HTML
// Encode string into HTML
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content
// Restore reliable HTML tags into original translation string
@@ -670,6 +670,10 @@ class Translate
$str
);
// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);
if ($maxsize) {
$str = dol_trunc($str, $maxsize);
}
@@ -739,6 +743,10 @@ class Translate
$str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
}
// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);
return $str;
} else {
/*if ($key[0] == '$') {
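Review bot: The `&#39` needle in the new `$str = str_replace(array('%27', '&#39'), '', $str);` line (in both the 670 and 739 hunks) has no terminating semicolon, so it also strips the first four characters of unrelated numeric entities such as `&#390;`…`&#399;`, leaving stray digits in a legitimately encoded translation. Anchoring it as `$str = str_replace(array('%27', '&#39;'), '', $str);` removes only the apostrophe entity the comment describes; if the semicolon-less legacy form is meant to be caught as well, a `preg_replace` with a digit lookahead is needed rather than a plain needle. The comment above it calls `%27` an "entity code", but it is the URL-encoding of `'`; `// %27 is the URL-encoding of ' and is decoded by the browser when the translation lands inside a javascript: href` states why it matters more precisely. Since this blocklist silently alters any translation that legitimately contains `%27`, that side effect deserves a line in the method's docblock, and the four identical lines in the two hunks could share a small private helper. The enclosing trans() method starts before the 739 hunk and continues past it.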


@@ -996,7 +996,7 @@ function document_preview(file, type, title)
var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
var showOriginalSizeButton = false;
console.log("document_preview A click was done. file="+file+", type="+type+", title="+title);
console.log("document_preview A click was done: file="+file+", type="+type+", title="+title);
if ($.inArray(type, ValidImageTypes) < 0) {
/* Not an image */


@@ -10363,7 +10363,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
if ($alldata == 1) {
if ($isAllowedForPreview) {
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
} else {
return array();
}
@@ -10371,7 +10371,14 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
// old behavior, return a string
if ($isAllowedForPreview) {
return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
$title = $langs->transnoentities("Preview");
//$title = '%27-alert(document.domain)-%27';
//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");
// We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.rawurlencode(dol_escape_js($title)).'\')';
} else {
return '';
}