From 26e8a9c7952348994c1fb0f3870596b55a8caaa9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 15 Mar 2021 10:08:02 +0100
Subject: [PATCH] Code comment

---
 htdocs/core/lib/functions.lib.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 86130aec217..0d5e94a23f0 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1023,16 +1023,20 @@ function dol_sanitizeUrl($stringtoclean, $type = 1)
 	$stringtoclean = str_replace('\\', '/', $stringtoclean);
 
 	if ($type == 1) {
+		// removing : should disable links to external url like http:aaa)
+		// removing ';' should disable "named" html entities encode into an url (we should not have this into an url)
 		$stringtoclean = str_replace(array(':', ';', '@'), '', $stringtoclean);
 	}
 
 	do {
 		$oldstringtoclean = $stringtoclean;
-
+		// removing '&colon' should disable links to external url like http:aaa)
+		// removing '&#' should disable "numeric" html entities encode into an url (we should not have this into an url)
 		$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $stringtoclean);
 	} while ($oldstringtoclean != $stringtoclean);
 
 	if ($type == 1) {
+		// removing '//' should disable links to external url like //aaa or http//)
 		$stringtoclean = preg_replace(array('/^[a-z]*\/\/+/i'), '', $stringtoclean);
 	}