From 5ddd77c95068d686f1df30df74ac6cfd92a73585 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 3 Oct 2017 18:35:35 +0200
Subject: [PATCH] Fix We must use dol_escape_htmltag for input field not dol_htmlentities
---
 htdocs/admin/security_file.php | 4 ++--
 htdocs/core/lib/functions.lib.php | 16 +++++++---------
 2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php
index 310c52ca3a6..1053658b191 100644
--- a/htdocs/admin/security_file.php
+++ b/htdocs/admin/security_file.php
@@ -178,7 +178,7 @@ if (ini_get('safe_mode') && ! empty($conf->global->MAIN_ANTIVIRUS_COMMAND))
 dol_syslog("safe_mode is on, basedir is ".$basedir.", safe_mode_exec_dir is ".ini_get('safe_mode_exec_dir'), LOG_WARNING);
 }
 }
-print '';
+print '';
 print "";
 print '';
@@ -189,7 +189,7 @@ print ''.$langs->trans("AntiVirusParam").'
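Review bot: The value emitted on the `+print` line is only safe inside a double-quoted attribute: dol_escape_htmltag(), rewritten later in this same patch, encodes with ENT_COMPAT, which leaves `'` untouched, so a stored command containing a single quote would break out of a single-quoted `value='...'`. The attribute markup has been stripped from this rendering, so please confirm the delimiter in the file; the hunk header context suggests this is the MAIN_ANTIVIRUS_COMMAND field. A call-site comment would keep the next editor from changing the quoting: `// dol_escape_htmltag() uses ENT_COMPAT (no single-quote escaping): keep the value attribute double-quoted`. These are top-level statements of security_file.php, not part of a function.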
';
 print $langs->trans("AntiVirusParamExample");
 print '';
 print '';
-print '';
+print '';
 print "";
 print '';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 5eeaa51c727..230d023e7aa 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -900,16 +900,15 @@ function dol_escape_js($stringtoescape, $mode=0, $noescapebackslashn=0)
 * @param int $keepb 1=Preserve b tags (otherwise, remove them)
 * @param int $keepn 1=Preserve \r\n strings (otherwise, remove them)
 * @return string Escaped string
-
 * @see dol_string_nohtmltag
 */
function dol_escape_htmltag($stringtoescape, $keepb=0, $keepn=0)
{
 // escape quotes and backslashes, newlines, etc.
- $tmp=dol_html_entity_decode($stringtoescape,ENT_COMPAT,'UTF-8');
+ $tmp=html_entity_decode($stringtoescape, ENT_COMPAT, 'UTF-8'); // TODO Use htmlspecialchars_decode instead, that make only required change for html form content
 if (! $keepb) $tmp=strtr($tmp, array(""=>'',''=>''));
 if (! $keepn) $tmp=strtr($tmp, array("\r"=>'\\r',"\n"=>'\\n'));
- return dol_htmlentities($tmp,ENT_COMPAT,'UTF-8');
+ return htmlentities($tmp, ENT_COMPAT, 'UTF-8'); // TODO Use htmlspecialchars instead, that make only required change for html form content
 }
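Review bot: With its default `$keepn=0`, dol_escape_htmltag() (see its body further down in this patch) rewrites CR and LF into the literal two-character sequences `\r` and `\n`, so if the value printed on the `+print` line can contain line breaks it is displayed mutated and, once the form is saved, stored mutated. The surrounding `AntiVirusParamExample` context suggests this is the antivirus parameter field; if line breaks are impossible there the point is moot, otherwise pass `dol_escape_htmltag($value, 0, 1)` to keep them. As in the previous hunk, ENT_COMPAT means the attribute must stay double-quoted, which this rendering does not let me verify. These are top-level statements of security_file.php.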
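Review bot: The new `return htmlentities($tmp, ENT_COMPAT, 'UTF-8');` silently flips `double_encode` from the old wrapper's default of `false` (visible in the dol_htmlentities() signature later in this patch) to PHP's default of `true`; since `html_entity_decode(..., ENT_COMPAT)` does not decode single-quote entities such as `&#039;`, any value still holding one now comes back as `&amp;#039;` and shows up literally in the form. If that is not intended, keep the old semantics explicitly: `return htmlentities($tmp, ENT_COMPAT, 'UTF-8', false);`. Separately, ENT_COMPAT leaves `'` unescaped, so every caller is responsible for using double-quoted attributes; `ENT_QUOTES` (plus `ENT_SUBSTITUTE` if the supported PHP baseline is 5.4 or later, so that invalid UTF-8 is replaced instead of htmlentities() returning an empty string) would make the escaper safe in either attribute style. The function's docblock above also says `$keepn=0` "removes" CR/LF, while the strtr() on the next lines actually rewrites them to the literal text `\r`/`\n` — worth correcting while the docblock is being touched.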
@@ -5050,13 +5049,13 @@ function dol_html_entity_decode($a,$b,$c='UTF-8')
 }
 /**
- * Replace htmlentities functions to manage errors http://php.net/manual/en/function.htmlentities.php
+ * Replace htmlentities functions.
 * Goal of this function is to be sure to have default values of htmlentities that match what we need.
 *
- * @param string $string The input string.
- * @param int $flags Flags(see PHP doc above)
- * @param string $encoding Encoding
- * @param bool $double_encode When double_encode is turned off PHP will not encode existing html entities
+ * @param string $string The input string to encode
+ * @param int $flags Flags (see PHP doc above)
+ * @param string $encoding Encoding page code
+ * @param bool $double_encode When double_encode is turned off, PHP will not encode existing html entities
 * @return string $ret Encoded string
 */
function dol_htmlentities($string, $flags=null, $encoding='UTF-8', $double_encode=false)
@@ -5064,7 +5063,6 @@ function dol_htmlentities($string, $flags=null, $encoding='UTF-8', $double_encod
 return htmlentities($string, $flags, $encoding, $double_encode);
 }
-
 /**
 * Check if a string is a correct iso string
 * If not, it will we considered not HTML encoded even if it is by FPDF.
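Review bot: The rewritten `+ * @param int $flags Flags (see PHP doc above)` still points at the manual link that the first `-`/`+` pair of this hunk removes, so "above" now refers to nothing; say what the values are instead, e.g. `* @param int $flags Same flag constants as PHP's htmlentities() (ENT_COMPAT, ENT_QUOTES, ...)`. The docblock also promises "default values of htmlentities that match what we need", yet the signature keeps `$flags=null`, and as far as I can tell null is coerced to 0, i.e. ENT_NOQUOTES, so a caller relying on the default gets neither `"` nor `'` encoded — that default, or its consequence, should be spelled out in the docblock (the function body is in the following hunk).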