Fix GETPOST

Laurent Destailleur 2021-01-15 19:23:56 +01:00
parent ea266c1f2d
commit 80ed651c5e


@ -672,15 +672,15 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
if (preg_match('/[^a-z0-9_\-\.,]+/i', $out)) $out = '';
}
break;
case 'nohtml':
case 'nohtml': // No html
$out = dol_string_nohtmltag($out, 0);
break;
case 'alpha': // No html and no ../ and " replaced with ''
case 'alpha': // No html and no ../ and "
case 'alphanohtml': // Recommended for most scalar parameters and search parameters
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('"', '"'), "''", trim($out));
$out = str_replace(array('"', '"'), '', trim($out));
$out = str_replace(array('../'), '', $out);
// keep lines feed
$out = dol_string_nohtmltag($out, 0);
@ -690,7 +690,7 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('"', '"'), "", trim($out));
$out = str_replace(array('"', '"'), '', trim($out));
$out = str_replace(array('../'), '', $out);
}
break;
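Review bot: The `str_replace(array('../'), '', $out)` call kept in both hunks (the `alpha`/`alphanohtml` branch and the branch starting at line 690) removes the sequence in a single pass, so the characters on either side of a removed match can join into a new `../` that is never re-checked. Repeating the replacement until the string stops changing closes that gap: `do { $prev = $out; $out = str_replace('../', '', $out); } while ($prev !== $out);`. In the first hunk `dol_string_nohtmltag()` runs after the quote and `../` removal; if it strips markup from the middle of a value, the filtered characters could presumably be reassembled, so consider stripping tags first or inside the same loop. `checkVal()` starts and ends outside these hunks, so this rests on the visible lines only.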