diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 3bf47b7da7a..4ded311f7ed 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -680,7 +680,8 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = if (!is_array($out)) { // '"' is dangerous because param in url can close the href= or src= and add javascript functions. // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '"', '../'), '', trim($out)); + $out = str_replace(array('"', '"'), "''", trim($out)); + $out = str_replace(array('../'), '', $out); // keep lines feed $out = dol_string_nohtmltag($out, 0); } diff --git a/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php b/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php index 6698495f983..f3cffecdd9c 100644 --- a/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php +++ b/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php @@ -365,14 +365,15 @@ class pdf_rouget extends ModelePdfExpedition $tab_top_alt = $tab_top; $pdf->SetFont('', 'B', $default_font_size - 2); - $pdf->writeHTMLCell(60, 4, $this->posxdesc - 1, $tab_top - 1, $outputlangs->transnoentities("TrackingNumber")." : ".$object->tracking_number, 0, 1, false, true, 'L'); - $tab_top_alt = $pdf->GetY(); //$tab_top_alt += 1; // Tracking number if (!empty($object->tracking_number)) { + $pdf->writeHTMLCell(60, 4, $this->posxdesc - 1, $tab_top - 1, $outputlangs->transnoentities("TrackingNumber")." : ".$object->tracking_number, 0, 1, false, true, 'L'); + $tab_top_alt = $pdf->GetY(); + $object->getUrlTrackingStatus($object->tracking_number); if (!empty($object->tracking_url)) { diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 3eda8354113..d2405e9609d 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -294,20 +294,20 @@ class SecurityTest extends PHPUnit\Framework\TestCase $result=GETPOST("param1", 'int'); print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, 222); + $this->assertEquals($result, 222, 'Test on param1 with no 3rd param'); $result=GETPOST("param1", 'int', 2); print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, 333); + $this->assertEquals($result, 333, 'Test on param1 with 3rd param = 2'); // Test alpha $result=GETPOST("param2", 'alpha'); print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, $_GET["param2"]); + $this->assertEquals($result, $_GET["param2"], 'Test on param2'); $result=GETPOST("param3", 'alpha'); // Must return string sanitized from char " print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, 'na/b#e(pr)qq-rr\cc'); + $this->assertEquals($result, '\'\'na/b#e(pr)qq-rr\cc', 'Test on param3'); $result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; @@ -346,7 +346,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase // With alphanohtml, we must convert the html entities like n $result=GETPOST("param8", 'alphanohtml'); print __METHOD__." result=".$result."\n"; - $this->assertEquals("HackerassertEquals("Hacker