From 4a2f26415e819c563e91847779cff10cf644a4e2 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 4 Feb 2021 23:36:41 +0100
Subject: [PATCH] Fix GETPOST accept < if followed with a number

---
 htdocs/core/lib/functions.lib.php |  4 ++--
 test/phpunit/SecurityTest.php     | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 99a66a9a682..b1129dcfb4f 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -5786,8 +5786,8 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
 		// Example of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
 		$temp = preg_replace($pattern, "", $temp); // pass 1 - $temp after pass 1: <a href="/myurl" title="A title">0000-021
 		$temp = preg_replace($pattern, "", $temp); // pass 2 - $temp after pass 2: 0000-021
-		// removed '<' into non closing html tags like '<a'
-		$temp = preg_replace('/<(\w+)/', '\1', $temp);
+		// Remove '<' into remainging, so non closing html tags like '<abc'. Note: '<123abc' is not a html tag (can be kept), but '<abc123' is (must be removed).
+		$temp = preg_replace('/<([a-z]+)/i', '\1', $temp);
 	}
 
 	$temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto);
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index f485102e06e..78fdb0b1419 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -295,6 +295,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
     	$_POST["param8a"]="Hacker<svg o&#110;load='console.log(&quot;123&quot;)'";	// html tag is not closed so it is not detected as html tag but is still harmfull
     	$_POST['param8b']='<img src=x onerror=alert(document.location) t=';		// this is html obfuscated by non closing tag
     	$_POST['param8c']='< with space after is ok';
+    	$_POST['param8d']='<abc123 is html to clean';
+    	$_POST['param8e']='<123abc is not html to clean';
     	$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
     	$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
     	$_POST["param11"]=' Name <email@email.com> ';
@@ -371,6 +373,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
     	print __METHOD__." result=".$result."\n";
     	$this->assertEquals($_POST['param8c'], $result, 'Test a string with non closing html tag with alphanohtml');
 
+    	$result=GETPOST("param8d", 'alphanohtml');
+    	print __METHOD__." result=".$result."\n";
+    	$this->assertEquals('abc123 is html to clean', $result, 'Test a string with non closing html tag with alphanohtml');
+
+    	$result=GETPOST("param8e", 'alphanohtml');
+    	print __METHOD__." result=".$result."\n";
+    	$this->assertEquals($_POST['param8e'], $result, 'Test a string with non closing html tag with alphanohtml');
+
     	$result=GETPOST("param9", 'alphanohtml');
     	print __METHOD__." result=".$result."\n";
     	$this->assertEquals($_POST["param9"], $result);