From f871ade5452630ad12bab6608eb53e18fcdb870e Mon Sep 17 00:00:00 2001 From: Florian Mortgat Date: Mon, 7 Dec 2020 15:15:41 +0100 Subject: [PATCH 1/2] FIX 12.0 - the stringent XSS prodection provided by 'alphanohtml' causes problems with some clients who used basic tags (bold, italic, underline) in product labels. Using 'restricthtml' instead could be a good compromise. --- htdocs/product/card.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 8b4654ba921..8659e5bcc23 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -201,7 +201,7 @@ if (empty($reshook)) { $error = 0; - if (!GETPOST('label', 'alphanohtml')) + if (!GETPOST('label', 'restricthtml')) { setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentities('Label')), null, 'errors'); $action = "create"; @@ -225,7 +225,7 @@ if (empty($reshook)) $units = GETPOST('units', 'int'); $object->ref = $ref; - $object->label = GETPOST('label', 'alphanohtml'); + $object->label = GETPOST('label', 'restricthtml'); $object->price_base_type = GETPOST('price_base_type', 'aZ09'); if ($object->price_base_type == 'TTC') @@ -406,7 +406,7 @@ if (empty($reshook)) $object->oldcopy = clone $object; $object->ref = $ref; - $object->label = GETPOST('label', 'alphanohtml'); + $object->label = GETPOST('label', 'restricthtml'); $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none')); $object->url = GETPOST('url'); if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB)) @@ -1005,7 +1005,7 @@ else print ''; // Label - print ''.$langs->trans("Label").''; + print ''.$langs->trans("Label").''; // On sell print ''.$langs->trans("Status").' ('.$langs->trans("Sell").')'; From 617c9f7ea93a30714c70238958a63cb1933c6592 Mon Sep 17 00:00:00 2001 From: Florian Mortgat Date: Tue, 8 Dec 2020 09:30:31 +0100 Subject: [PATCH 2/2] FIX: enable HTML in product labels depending on conf MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML --- htdocs/product/card.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 8659e5bcc23..d6f62b34769 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -86,6 +86,9 @@ $accountancy_code_buy = GETPOST('accountancy_code_buy', 'alpha'); $accountancy_code_buy_intra = GETPOST('accountancy_code_buy_intra', 'alpha'); $accountancy_code_buy_export = GETPOST('accountancy_code_buy_export', 'alpha'); +// by default 'alphanohtml' (better security); hidden conf MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML allows basic html +$label_security_check = empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML) ? 'alphanohtml' : 'restricthtml'; + if (!empty($user->socid)) $socid = $user->socid; $object = new Product($db); @@ -201,7 +204,7 @@ if (empty($reshook)) { $error = 0; - if (!GETPOST('label', 'restricthtml')) + if (!GETPOST('label', $label_security_check)) { setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentities('Label')), null, 'errors'); $action = "create"; @@ -225,7 +228,7 @@ if (empty($reshook)) $units = GETPOST('units', 'int'); $object->ref = $ref; - $object->label = GETPOST('label', 'restricthtml'); + $object->label = GETPOST('label', $label_security_check); $object->price_base_type = GETPOST('price_base_type', 'aZ09'); if ($object->price_base_type == 'TTC') @@ -406,7 +409,7 @@ if (empty($reshook)) $object->oldcopy = clone $object; $object->ref = $ref; - $object->label = GETPOST('label', 'restricthtml'); + $object->label = GETPOST('label', $label_security_check); $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none')); $object->url = GETPOST('url'); if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB)) @@ -1005,7 +1008,7 @@ else print ''; // Label - print ''.$langs->trans("Label").''; + print ''.$langs->trans("Label").''; // On sell print ''.$langs->trans("Status").' ('.$langs->trans("Sell").')';