Fix #yogosha6567
This commit is contained in:
parent
0dfa7bdbcc
commit
3dff7e29cc
@ -577,7 +577,6 @@ if (empty($reshook)) {
if (!$isupload) {
if (!$isupload) {
$mesgs = array();
$mesgs = array();
$object->sujet = (string) GETPOST("sujet");
$object->sujet = (string) GETPOST("sujet");
$object->body = (string) GETPOST("bodyemail", 'restricthtml');
$object->body = (string) GETPOST("bodyemail", 'restricthtml');
$object->bgcolor = (string) GETPOST("bgcolor");
$object->bgcolor = (string) GETPOST("bgcolor");
@ -744,7 +743,7 @@ if ($action == 'create') {
print '<div style="padding-top: 10px">';
print '<div style="padding-top: 10px">';
// wysiwyg editor
// wysiwyg editor
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
$doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtml'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%');
$doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtmlallowunvalid'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%');
$doleditor->Create();
$doleditor->Create();
print '</div>';
print '</div>';
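Review bot: The switch of the DolEditor initial value from `'restricthtml'` to `'restricthtmlallowunvalid'` on the `new DolEditor('bodyemail', ...)` line is undocumented, so a reader cannot tell why the editor may now be pre-filled with HTML that the stricter filter would have rejected. Presumably the intent is that a body refused by create()/update() as invalid HTML is shown again for correction instead of the literal `InvalidHTMLString` sentinel; a comment above the call would make that explicit, e.g. `// 'restricthtmlallowunvalid' so a body refused as invalid HTML is re-displayed for correction instead of the 'InvalidHTMLString' sentinel`. Note that this value only pre-fills the editor: the saved body is still read with GETPOST('bodyemail', 'restricthtml') in the action code shown in the first hunk. The enclosing `if ($action == 'create')` block starts and ends outside the hunk.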
@ -208,6 +208,12 @@ class Mailing extends CommonObject
{
{
global $conf, $langs;
global $conf, $langs;
// Check properties
if ($this->body === 'InvalidHTMLString') {
$this->error = 'InvalidHTMLString';
return -1;
}
$this->db->begin();
$this->db->begin();
$this->title = trim($this->title);
$this->title = trim($this->title);
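Review bot: The new guard compares `$this->body` with the bare string `'InvalidHTMLString'`, the in-band sentinel returned by checkVal(), and update() in the next hunk repeats the same literal; three copies of a magic string across two files are easy to let drift, and a typo in any one of them would silently let the sentinel be stored as the mailing body. Declare it once (a class constant such as `const INVALID_HTML_STRING = 'InvalidHTMLString';` on Mailing, or a global constant next to checkVal()) and compare with `self::INVALID_HTML_STRING` in both create() and update(). The check also stores the raw token in `$this->error`; if callers display `$this->error` to the user, a translated message would be clearer, keeping the token only as an error code. Placing the check before `$this->db->begin()` is right, since nothing has to be rolled back. create() starts and ends outside the hunk.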
@ -257,6 +263,12 @@ class Mailing extends CommonObject
*/
*/
public function update($user)
public function update($user)
{
{
// Check properties
if ($this->body === 'InvalidHTMLString') {
$this->error = 'InvalidHTMLString';
return -1;
}
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
$sql .= " SET titre = '".$this->db->escape($this->title)."'";
$sql .= " SET titre = '".$this->db->escape($this->title)."'";
$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
@ -775,18 +775,21 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
}
}
break;
break;
case 'restricthtml': // Recommended for most html textarea
case 'restricthtml': // Recommended for most html textarea
case 'restricthtmlallowunvalid':
do {
do {
$oldstringtoclean = $out;
$oldstringtoclean = $out;
if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)) {
if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') {
$dom = new DOMDocument;
try {
try {
$dom = new DOMDocument;
$dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
$dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
} catch(Exception $e) {
} catch(Exception $e) {
//print $e->getMessage();
return 'InvalidHTMLString';
return 'InvalidHTMLString';
}
}
$out = $dom->saveHTML();
$out = $dom->saveHTML();
}
}
//var_dump($oldstringtoclean);var_dump($out);
// Ckeditor use the numeric entitic for apostrophe so we force it to text entity (all other special chars are correctly
// Ckeditor use the numeric entitic for apostrophe so we force it to text entity (all other special chars are correctly
// encoded using text entities). This is a fix for CKeditor.
// encoded using text entities). This is a fix for CKeditor.
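Review bot: `DOMDocument::loadHTML()` reports a parse failure by returning false (with a PHP warning, which the `LIBXML_NOWARNING` flag here suppresses) rather than by throwing, so unless Dolibarr installs an error handler that converts warnings into exceptions — not visible in this hunk — the `catch (Exception $e)` branch never fires and `$out = $dom->saveHTML()` runs on an empty document; check the return value instead: `if ($dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL) === false) { return 'InvalidHTMLString'; }`. Note also that on PHP 8 an empty `$out` makes loadHTML() throw a ValueError, which `catch (Exception)` does not catch either, if an empty string can reach this point. The new condition uses loose comparison, `$check != 'restricthtmlallowunvalid'`; since `$check` is a string, write `$check !== 'restricthtmlallowunvalid'`. Because `restricthtmlallowunvalid` falls through into the `restricthtml` code, the rest of that cleaning (outside the hunk) presumably still applies to it; say so on the new case, e.g. `case 'restricthtmlallowunvalid': // Same as restricthtml but skips the strict validity check of MAIN_RESTRICTHTML_ONLY_VALID_HTML`. checkVal() starts and ends outside the hunk.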
@ -340,6 +340,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$langs=$this->savlangs;
$langs=$this->savlangs;
$db=$this->savdb;
$db=$this->savdb;
// Force default mode
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;
$_COOKIE["id"]=111;
$_COOKIE["id"]=111;
$_GET["param1"]="222";
$_GET["param1"]="222";
$_POST["param1"]="333";
$_POST["param1"]="333";
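Review bot: The test pins `MAIN_RESTRICTHTML_ONLY_VALID_HTML` to 0, which means the very branch this commit changes in checkVal() — the DOMDocument validity check and the new `restricthtmlallowunvalid` bypass of it — is not exercised by the assertions that follow, at least within this hunk. A case that sets `$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;`, asserts that GETPOST on a malformed HTML value with `'restricthtml'` returns `'InvalidHTMLString'`, and that the same value with `'restricthtmlallowunvalid'` returns the cleaned string would cover the fix; if such a case already exists further down the method, the comment here should point to it. The `// Force default mode` comment could also say what it protects against, e.g. `// Force default mode so the assertions below do not depend on the conf of the instance running the tests`. The test method continues outside the hunk.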