diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index d6b67088e78..c5b58bace4b 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -675,7 +675,7 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = case 'nohtml': $out = dol_string_nohtmltag($out, 0); break; - case 'alpha': // No html and no " and no ../ + case 'alpha': // No html and no ../ and " replaced with '' case 'alphanohtml': // Recommended for most scalar parameters and search parameters if (!is_array($out)) { // '"' is dangerous because param in url can close the href= or src= and add javascript functions. @@ -686,6 +686,14 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = $out = dol_string_nohtmltag($out, 0); } break; + case 'alphawithlgt': // No " and no ../ but we keep < > tags + if (!is_array($out)) { + // '"' is dangerous because param in url can close the href= or src= and add javascript functions. + // '../' is dangerous because it allows dir transversals + $out = str_replace(array('"', '"'), "", trim($out)); + $out = str_replace(array('../'), '', $out); + } + break; case 'restricthtml': // Recommended for most html textarea $out = dol_string_onlythesehtmltags($out, 0, 1, 1); break; diff --git a/htdocs/core/tpl/card_presend.tpl.php b/htdocs/core/tpl/card_presend.tpl.php index 92a767a23ea..5d3381b2719 100644 --- a/htdocs/core/tpl/card_presend.tpl.php +++ b/htdocs/core/tpl/card_presend.tpl.php @@ -196,7 +196,7 @@ if ($action == 'presend') } $formmail->withto = $liste; - $formmail->withtofree = (GETPOSTISSET('sendto') ? (GETPOST('sendto') ? GETPOST('sendto') : '1') : '1'); + $formmail->withtofree = (GETPOSTISSET('sendto') ? (GETPOST('sendto', 'alphawithlgt') ? GETPOST('sendto', 'alphawithlgt') : '1') : '1'); $formmail->withtocc = $liste; $formmail->withtoccc = $conf->global->MAIN_EMAIL_USECCC; $formmail->withtopic = $topicmail; diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index d2405e9609d..a1459c22e27 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -287,6 +287,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase $_POST["param8"]="Hackerobjnotdefined\''; + $_POST["param11"]=' Name '; $result=GETPOST('id', 'int'); // Must return nothing print __METHOD__." result=".$result."\n"; @@ -334,6 +335,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals($_GET["param5"], $result); + $result=GETPOST("param6", 'alpha'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals('\'\'>', $result); + $result=GETPOST("param6", 'nohtml'); print __METHOD__." result=".$result."\n"; $this->assertEquals('">', $result); @@ -356,6 +361,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals($_POST["param9"], $result, 'We should get param9 after processing param10'); + $result=GETPOST("param11", 'alphanohtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals("Name", $result, 'Test an email string with alphanohtml'); + + $result=GETPOST("param11", 'alphawithlgt'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt'); + return $result; }