diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index b62009c2ba6..b5f22376c16 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -50,7 +50,7 @@ $confirm = GETPOST('confirm', 'alpha'); // Result of a confirmatio
 $id = GETPOST('id', 'int');
 $rowid = GETPOST('rowid', 'alpha');
-$search_label=GETPOST('search_label', 'alpha');
+$search_label=GETPOST('search_label', 'alphanohtml'); // Must allow value like 'Abc Def' or '(MyTemplateName)'
 $search_type_template=GETPOST('search_type_template', 'alpha');
 $search_lang=GETPOST('search_lang', 'alpha');
 $search_fk_user=GETPOST('search_fk_user', 'intcomma');
@@ -263,6 +263,7 @@ if (empty($reshook)) {
 //var_dump($i.' - '.$listfieldvalue[$i].' - '.$_POST[$listfieldvalue[$i]].' - '.$value);
 $keycode=$listfieldvalue[$i];
+ if ($value == 'label') $_POST[$keycode] = dol_escape_htmltag($_POST[$keycode]);
 if ($value == 'lang') $keycode='langcode';
 if ($value == 'entity') $_POST[$keycode] = $conf->entity;
 if ($i) $sql.=",";
@@ -667,8 +668,6 @@ if ($resql)
 print '';
 foreach ($fieldlist as $field => $value)
 {
- // Determine le nom du champ par rapport aux noms possibles
- // dans les dictionnaires de donnees
 $showfield=1; // By defaut
 $align="left";
 $sortable=1;
@@ -695,7 +694,7 @@ if ($resql)
 if ($fieldlist[$field]=='content') { $valuetoshow=$langs->trans("Content"); $showfield=0;}
 if ($fieldlist[$field]=='content_lines') { $valuetoshow=$langs->trans("ContentLines"); $showfield=0; }
- // Affiche nom du champ
+ // Show fields
 if ($showfield)
 {
 if (! empty($tabhelp[$id][$value]))
@@ -813,6 +812,10 @@ if ($resql)
 $showfield=1;
 $align="left";
 $valuetoshow=$obj->{$fieldlist[$field]};
+ if ($value == 'label' || $value == 'topic')
+ {
+ $valuetoshow = dol_escape_htmltag($valuetoshow);
+ }
 if ($value == 'type_template')
 {
 $valuetoshow = isset($elementList[$valuetoshow])?$elementList[$valuetoshow]:$valuetoshow;
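Review bot: Only `search_label` is moved to the 'alphanohtml' check in the first hunk, while the neighbouring filter parameters `$search_type_template` and `$search_lang` on the next two lines stay on 'alpha'. If those values are echoed back into the filter inputs of the list the same way `search_label` presumably is, they are exposed to the same reflected-markup problem this line fixes; the rendering of the filter row is outside the hunk, so this needs confirming. Where they are written back, either switch them to `GETPOST('search_type_template', 'alphanohtml')` / `GETPOST('search_lang', 'alphanohtml')` or escape them at the print site.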
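Review bot: The added `if ($value == 'label') $_POST[$keycode] = dol_escape_htmltag($_POST[$keycode]);` in the second hunk HTML-encodes the label before it is written to the database, and the last hunk of this file escapes `label` again when the list is rendered, so a label such as `A & B` is stored as `A &amp; B` and then displayed double-encoded; rows saved before this change are stored raw and would display correctly, so the two code paths diverge. Encoding belongs at the output side only: drop this input-side escaping and keep the `dol_escape_htmltag($valuetoshow)` added in the last hunk, which already covers the display. Note also that HTML escaping is not SQL escaping, so the value still needs whatever database escaping the `$sql` assembly applies; that concatenation continues outside the hunk. Storing the encoded form would presumably also break `search_label` matching against existing labels containing `&`, `<` or quotes.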
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 4738aa90419..0993cea8307 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -100,6 +100,8 @@ function testSqlAndScriptInject($val, $type)
 $inj += preg_match('/union.+select/i', $val);
 $inj += preg_match('/(\.\.%2f)+/i', $val);
 }
+ // For XSS Injection done by closing textarea to exucute content into a textarea field
+ $inj += preg_match('/<\/textarea/i', $val);
 // For XSS Injection done by adding javascript with script
 // This is all cases a browser consider text is javascript:
 // When it found 'linkedin = GETPOST("linkedin", 'alphanohtml');
 $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
- $object->job = GETPOST("job", 'alpha');
+ $object->job = GETPOST("job", 'nohtml');
 $object->signature = GETPOST("signature", 'none');
 $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
 $object->note = GETPOST("note", 'none');
@@ -370,7 +370,7 @@ if (empty($reshook)) {
 $object->facebook = GETPOST("facebook", 'alpha');
 $object->linkedin = GETPOST("linkedin", 'alpha');
 $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
- $object->job = GETPOST("job", 'alpha');
+ $object->job = GETPOST("job", 'nohtml');
 $object->signature = GETPOST("signature", 'none');
 $object->accountancy_code = GETPOST("accountancy_code", 'alpha');
 $object->openid = GETPOST("openid", 'alpha');
@@ -1203,7 +1203,7 @@ if ($action == 'create' || $action == 'adduserldap')
 // Position/Job
 print ''.$langs->trans("PostOrFunction").'';
 print '';
- print '';
+ print '';
 print '';
 // Default warehouse
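Review bot: The new request-wide check `$inj += preg_match('/<\/textarea/i', $val);` in testSqlAndScriptInject() is a literal-substring blocklist: it only fires when `$val` contains the exact bytes `</textarea`, so whether a URL-encoded or otherwise transformed form of the same sequence is caught depends on what decoding has been applied to `$val` before this function runs, which is outside the hunk. It will also reject any legitimate submission that happens to contain that substring (for example an HTML mail template or a note discussing textarea markup), so it should be understood as defence in depth on top of the per-field output escaping the other files in this commit add, not as the fix itself; a comment saying so would help the next maintainer. The added comment also has a typo: `// For XSS Injection done by closing textarea to execute content into a textarea field`. The function begins before this hunk and its remaining checks continue after it.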
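Review bot: In the `@@ -370,7 +370,7 @@` hunk (file header lost in the collapsed text; it appears to be the user card action handler) `job` is the only field switched to 'nohtml', while `facebook`, `linkedin` and `openid` on the surrounding lines stay on 'alpha', whose handling of markup is not shown here. If those values are later printed back into the form the same way `job` is, they presumably need the same treatment or, better, escaping at the print site; the same `job` change is made in the earlier hunk of this file whose header is lost. Stripping tags at input also silently alters what the user typed, whereas escaping at output preserves the stored value, so `GETPOST("job", 'alphanohtml')` plus output escaping where the value is rendered would be the more conventional pair.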