Fix #yogosha4490

2020-09-18 03:07:13 +02:00 · 2020-09-18 03:07:13 +02:00 · 8d77bfacd2
commit 8d77bfacd2
parent c94b3f6584
2 changed files with 7 additions and 0 deletions
--- a/htdocs/core/filemanagerdol/browser/default/browser.php
+++ b/htdocs/core/filemanagerdol/browser/default/browser.php
@ -95,6 +95,10 @@ var sServerPath = GetUrlParam( 'ServerPath' );
 if ( sServerPath.length > 0 )
 	oConnector.ConnectorUrl += 'ServerPath=' + encodeURIComponent( sServerPath ) + '&' ;

+/* @CHANGE LDR Overwrite value coming from parameters for security purpose */
+oConnector.ConnectorUrl = '<?php echo DOL_URL_ROOT.'/core/filemanagerdol/connectors/php/connector.php?'; ?>';
+console.log('ConnectorUrl='+oConnector.ConnectorUrl);
+
 oConnector.ResourceType		= GetUrlParam( 'Type' );
 oConnector.ShowAllTypes		= ( oConnector.ResourceType.length == 0 );

--- a/test/phpunit/imgsvgwithjs.svg
+++ b/test/phpunit/imgsvgwithjs.svg
@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid meet" viewBox="0 0 640 640" width="140" height="140"><script>alert('XSS SVG')</script><defs><path d="M77.01 33.36L316.26 33.36L316.26 231.5L77.01 231.5L77.01 33.36Z" id="a8YnqIml8"></path></defs><g><g><g><use xlink:href="#a8YnqIml8" opacity="1" fill="#a462a6" fill-opacity="1"></use></g></g></g></svg>