diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index ffa7c47bdff..c35ccbf5994 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -51,12 +51,15 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) /** * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF). * - * @param string $val Value + * @param string $val Value brut found int $_GET, $_POST or PHP_SELF * @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test) * @return int >0 if there is an injection, 0 if none */ function testSqlAndScriptInject($val, $type) { + $val=html_entity_decode($val, ENT_QUOTES); // So email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); + $object->job = GETPOST("job", 'alphanohtml'); $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->note = GETPOST("note", 'restricthtml'); @@ -388,7 +388,7 @@ if (empty($reshook)) { } } $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); + $object->job = GETPOST("job", 'alphanohtml'); $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->openid = GETPOST("openid", 'alphanohtml'); @@ -1183,7 +1183,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print '
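Review bot: `$object->job = GETPOST("job", 'alphanohtml');` in the `@@ -388,7 +388,7 @@` hunk is the second copy of the same assignment in this diff — the identical `nohtml`→`alphanohtml` change appears in an earlier block of GETPOST assignments whose file header is not visible in this view, and the two lists already diverge (`note` in one, `openid` in the other). Per the SecurityTest hunk further down, `alphanohtml` now decodes HTML entities before the injection checks run, so the choice of filter per field is security-relevant and should live in one place; extracting the field→filter mapping into a small helper called from both paths would keep them from drifting and lets `signature`/`note` (still `restricthtml`) be reviewed alongside `job`. The enclosing `if (empty($reshook))` block starts outside the hunk.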
'.$langs->trans("PostOrFunction").''; print ''; - print '
'; if ((!empty($conf->salaries->enabled) && !empty($user->rights->salaries->read)) @@ -1570,7 +1570,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print '
'.$langs->trans("PostOrFunction").''; - print ''.$object->job.''; + print ''.dol_escape_htmltag($object->job).''; print '
'."\n"; //$childids = $user->getAllChildIds(1); @@ -2606,10 +2606,10 @@ if ($action == 'create' || $action == 'adduserldap') print ''; if ($caneditfield) { - print ''; diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 161dcd935b3..6c4d2270d1a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -173,11 +173,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase $_GET["param1"]="222"; $_POST["param1"]="333"; $_GET["param2"]='a/b#e(pr)qq-rr\cc'; - $_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + " + $_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n $_GET["param4"]='../dir'; $_GET["param5"]="a_1-b"; - $_POST["param6"]="">assertEquals($result, 'a/b#e(pr)qq-rr\cc'); + $this->assertEquals($result, 'na/b#e(pr)qq-rr\cc'); $result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; @@ -230,9 +231,15 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals('">', $result); + // With restricthtml we must remove html open/close tag and content but not htmlentities like n $result=GETPOST("param7", 'restricthtml'); print __METHOD__." result=".$result."\n"; - $this->assertEquals('"c:\this is a path~1\aaa" abcdef', $result); + $this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result); + + // With alphanohtml, we must convert the html entities like n + $result=GETPOST("param8", 'alphanohtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals("Hacker
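Review bot: `$this->assertEquals($result, 'na/b#e(pr)qq-rr\cc');` in the `@@ -173,11 +173,12 @@` hunk passes the actual value in the expected position, while the later assertion in the same file (`$this->assertEquals('">', $result);`) uses the conventional order, so a failure on this line will report expected/actual backwards. Prefer `$this->assertSame('na/b#e(pr)qq-rr\cc', $result);` since the result is a string. The `n` inserted into the `param3` fixture reads as a bare letter here but the accompanying comment suggests it was an HTML entity that this rendering decoded; the source should be checked so the test still exercises entity conversion rather than a plain character. The middle of this hunk (the `param6`/`param7` setup lines) is garbled in this view and could not be reviewed.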