FIX missing token and save of survey description

This commit is contained in:
Laurent Destailleur 2020-03-19 11:59:57 +01:00
parent 8e1ffa5144
commit 7eb4522636
3 changed files with 7 additions and 4 deletions


@ -930,7 +930,7 @@ if ($mode == 'marketplace')
?>
<form method="POST" class="centpercent" id="searchFormList" action="<?php echo $dolistore->url ?>">
<input type="hidden" name="token" value="<?php echo $_SESSION['newtoken'] ?>">
<input type="hidden" name="token" value="<?php echo newToken(); ?>">
<input type="hidden" name="mode" value="marketplace">
<div class="divsearchfield"><?php echo $langs->trans('Keyword') ?>:
<input name="search_keyword" placeholder="<?php echo $langs->trans('Chercher un module') ?>" id="search_keyword" type="text" size="50" value="<?php echo $options['search'] ?>"><br>
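Review bot: `$options['search']` is echoed straight into the `value` attribute on the last line of the hunk with no HTML escaping, and `$dolistore->url` goes into the form `action` the same way; if either of them reflects request input, the token fix still leaves a reflected-XSS path in this very form. Escape at the output point: `value="<?php echo htmlspecialchars($options['search'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"`, and the same for the `action` value. Where `$options['search']` is populated is not visible in this hunk, so confirm whether it comes from the search request before treating this as benign. The enclosing `if ($mode == 'marketplace')` block starts before the hunk.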


@ -508,6 +508,7 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
// We do this only if var is a GET. If it is a POST, may be we want to post the text with vars as the setup text.
if (!is_array($out) && empty($_POST[$paramname]) && empty($noreplace))
{
$reg = array();
$maxloop = 20; $loopnb = 0; // Protection against infinite loop
while (preg_match('/__([A-Z0-9]+_?[A-Z0-9]+)__/i', $out, $reg) && ($loopnb < $maxloop)) // Detect '__ABCDEF__' as key 'ABCDEF' and '__ABC_DEF__' as key 'ABC_DEF'. Detection is also correct when 2 vars are side by side.
{
@ -5579,7 +5580,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
$allowed_tags_string = '<'.$allowed_tags_string.'>';
if ($cleanalsosomestyles) {
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless
}
$temp = strip_tags($stringtoclean, $allowed_tags_string);
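Review bot: The `position ... !important` filter is compiled without the `i` modifier, so the same declaration written in upper or mixed case, which browsers treat identically, passes the sanitizer untouched; the reworded comment does not change that, since the regex is the same on both printed versions of the line. Use `$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $stringtoclean);`. Separately, `preg_replace` returns null on a PCRE error, which would then be handed to `strip_tags` on the following line; a `?? ''` or an explicit `preg_last_error()` check would make that failure visible. `dol_string_onlythesehtmltags` starts before the hunk and continues past it.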


@ -113,8 +113,8 @@ if (empty($reshook))
if (!$error)
{
$object->titre = GETPOST('nouveautitre', 'nohtml');
$object->commentaires = GETPOST('nouveauxcommentaires', 'nohtml');
$object->description = GETPOST('nouveauxcommentaires', 'nohtml');
$object->commentaires = GETPOST('nouveauxcommentaires', 'restricthtml');
$object->description = GETPOST('nouveauxcommentaires', 'restricthtml');
$object->mail_admin = GETPOST('nouvelleadresse', 'alpha');
$object->date_fin = $expiredate;
$object->allow_comments = GETPOST('cancomment', 'alpha') == 'on' ? true : false;
@ -208,6 +208,7 @@ $toutsujet = str_replace("@", "<br>", $toutsujet);
$toutsujet = str_replace("°", "'", $toutsujet);
print '<form name="updatesurvey" action="'.$_SERVER["PHP_SELF"].'?id='.$numsondage.'" method="POST">'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="action" value="update">';
$head = opensurvey_prepare_head($object);
@ -395,6 +396,7 @@ print '<br>';
print '<form name="formulaire5" action="#" method="POST">'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
print load_fiche_titre($langs->trans("CommentsOfVoters"), '', '');