lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '13.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source
This commit is contained in:
Laurent Destailleur 2021-01-06 20:48:23 +01:00
commit 07ca12b26d
3 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/lib/functions.lib.php
View File

@ -680,7 +680,8 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('"', '"', '../'), '', trim($out));
$out = str_replace(array('"', '"'), "''", trim($out));
$out = str_replace(array('../'), '', $out);
// keep lines feed
$out = dol_string_nohtmltag($out, 0);
}

5
htdocs/core/modules/expedition/doc/pdf_rouget.modules.php
View File

@ -365,14 +365,15 @@ class pdf_rouget extends ModelePdfExpedition
$tab_top_alt = $tab_top;
$pdf->SetFont('', 'B', $default_font_size - 2);
$pdf->writeHTMLCell(60, 4, $this->posxdesc - 1, $tab_top - 1, $outputlangs->transnoentities("TrackingNumber")." : ".$object->tracking_number, 0, 1, false, true, 'L');
$tab_top_alt = $pdf->GetY();
//$tab_top_alt += 1;
// Tracking number
if (!empty($object->tracking_number))
{
$pdf->writeHTMLCell(60, 4, $this->posxdesc - 1, $tab_top - 1, $outputlangs->transnoentities("TrackingNumber")." : ".$object->tracking_number, 0, 1, false, true, 'L');
$tab_top_alt = $pdf->GetY();
$object->getUrlTrackingStatus($object->tracking_number);
if (!empty($object->tracking_url))
{

10
test/phpunit/SecurityTest.php
View File

@ -294,20 +294,20 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=GETPOST("param1", 'int');
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 222);
$this->assertEquals($result, 222, 'Test on param1 with no 3rd param');
$result=GETPOST("param1", 'int', 2);
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 333);
$this->assertEquals($result, 333, 'Test on param1 with 3rd param = 2');
// Test alpha
$result=GETPOST("param2", 'alpha');
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, $_GET["param2"]);
$this->assertEquals($result, $_GET["param2"], 'Test on param2');
$result=GETPOST("param3", 'alpha'); // Must return string sanitized from char "
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'na/b#e(pr)qq-rr\cc');
$this->assertEquals($result, '\'\'na/b#e(pr)qq-rr\cc', 'Test on param3');
$result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../
print __METHOD__." result=".$result."\n";
@ -346,7 +346,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
// With alphanohtml, we must convert the html entities like n
$result=GETPOST("param8", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals("Hacker<svg onload='console.log(123)'", $result);
$this->assertEquals("Hacker<svg onload='console.log(''123'')'", $result);
$result=GETPOST("param9", 'alphanohtml');
print __METHOD__." result=".$result."\n";