From 7b512587aadc3eca9e3565eed17f46c36498c643 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 18 Sep 2019 14:15:20 +0200
Subject: [PATCH 1/5] FIX XSS

---
 htdocs/admin/mails_templates.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index e0dfcd75277..573d4c5fbaa 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -50,7 +50,7 @@ $confirm    = GETPOST('confirm','alpha');												// Result of a confirmation
 
 $id			= GETPOST('id','int');
 $rowid		= GETPOST('rowid','alpha');
-$search_label=GETPOST('search_label','alpha');
+$search_label=GETPOST('search_label', 'alphanohtml');                                    // Must allow value like 'Abc Def' or '(MyTemplateName)'
 $search_type_template=GETPOST('search_type_template','alpha');
 $search_lang=GETPOST('search_lang','alpha');
 $search_fk_user=GETPOST('search_fk_user','intcomma');
@@ -262,6 +262,7 @@ if (empty($reshook))
             {
             	//var_dump($i.' - '.$listfieldvalue[$i].' - '.$_POST[$listfieldvalue[$i]].' - '.$value);
             	$keycode=$listfieldvalue[$i];
+            	if ($value == 'label') $_POST[$keycode] = dol_escape_htmltag($_POST[$keycode]);
             	if ($value == 'lang') $keycode='langcode';
                 if ($value == 'entity') $_POST[$keycode] = $conf->entity;
                 if ($i) $sql.=",";
@@ -666,8 +667,6 @@ if ($resql)
     print '<tr class="liste_titre">';
     foreach ($fieldlist as $field => $value)
     {
-        // Determine le nom du champ par rapport aux noms possibles
-        // dans les dictionnaires de donnees
         $showfield=1;							  	// By defaut
         $align="left";
         $sortable=1;
@@ -694,7 +693,7 @@ if ($resql)
 		if ($fieldlist[$field]=='content')         { $valuetoshow=$langs->trans("Content"); $showfield=0;}
 		if ($fieldlist[$field]=='content_lines')   { $valuetoshow=$langs->trans("ContentLines"); $showfield=0; }
 
-        // Affiche nom du champ
+        // Show fields
         if ($showfield)
         {
             if (! empty($tabhelp[$id][$value]))
@@ -812,6 +811,10 @@ if ($resql)
                         $showfield=1;
                     	$align="left";
                         $valuetoshow=$obj->{$fieldlist[$field]};
+                        if ($value == 'label' || $value == 'topic')
+                        {
+                            $valuetoshow = dol_escape_htmltag($valuetoshow);
+                        }
                         if ($value == 'type_template')
                         {
                             $valuetoshow = isset($elementList[$valuetoshow])?$elementList[$valuetoshow]:$valuetoshow;

From 345ac28c8999d53ed541fb14cd08f4692e21aec6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 30 Aug 2019 16:22:24 +0200
Subject: [PATCH 2/5] Fix js injection

Conflicts:
	htdocs/core/lib/functions.lib.php
	htdocs/user/group/card.php
---
 htdocs/core/lib/functions.lib.php |  8 ++++++--
 htdocs/main.inc.php               | 16 +++++++++-------
 htdocs/user/group/card.php        |  4 ++--
 3 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 20930ca52c4..bf79b2070d5 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -966,11 +966,15 @@ function dol_escape_js($stringtoescape, $mode=0, $noescapebackslashn=0)
  *  @param      string		$stringtoescape		String to escape
  *  @param		int			$keepb				1=Preserve b tags (otherwise, remove them)
  *  @param      int         $keepn              1=Preserve \r\n strings (otherwise, replace them with escaped value). Set to 1 when escaping for a <textarea>.
+ *  @param		string		$keepmoretags		'' or 'common' or list of tags
  *  @return     string     				 		Escaped string
  *  @see		dol_string_nohtmltag, dol_string_nospecial, dol_string_unaccent
  */
-function dol_escape_htmltag($stringtoescape, $keepb=0, $keepn=0)
+function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $keepmoretags = '')
 {
+	if ($keepmoretags == 'common') $keepmoretags = 'html,body,a,em,i,u,ul,li,br,div,img,font,p,span,strong,table,tr,td,th,tbody';
+	// TODO Implement $keepmoretags
+
 	// escape quotes and backslashes, newlines, etc.
 	$tmp=html_entity_decode($stringtoescape, ENT_COMPAT, 'UTF-8');		// TODO Use htmlspecialchars_decode instead, that make only required change for html tags
 	if (! $keepb) $tmp=strtr($tmp, array("<b>"=>'','</b>'=>''));
@@ -5539,7 +5543,7 @@ function dol_nl2br($stringtoencode,$nl2brmode=0,$forxml=false)
 
 /**
  *	This function is called to encode a string into a HTML string but differs from htmlentities because
- * 	a detection is done before to see if text is already HTML or not. Also, all entities but &,<,> are converted.
+ * 	a detection is done before to see if text is already HTML or not. Also, all entities but &,<,>," are converted.
  *  This permits to encode special chars to entities with no double encoding for already encoded HTML strings.
  * 	This function also remove last EOL or BR if $removelasteolbr=1 (default).
  *  For PDF usage, you can show text by 2 ways:
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index d76b64ba9b5..c99723684bf 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -127,13 +127,15 @@ function testSqlAndScriptInject($val, $type)
 	$inj += preg_match('/Set\.constructor/i', $val);	// ECMA script 6
 	if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
 	$inj += preg_match('/base[\s]+href/si', $val);
-	$inj += preg_match('/<.*onmouse/si', $val);       // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
-	$inj += preg_match('/onerror\s*=/i', $val);       // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
-	$inj += preg_match('/onfocus\s*=/i', $val);       // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
-	$inj += preg_match('/onload\s*=/i', $val);        // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
-	$inj += preg_match('/onloadstart\s*=/i', $val);   // onload can be set on audio tag <audio onloadstart=alert(1)>
-	$inj += preg_match('/onclick\s*=/i', $val);       // onclick can be set on img text html tag like <img onclick = alert(1)>
-	$inj += preg_match('/onscroll\s*=/i', $val);      // onscroll can be on textarea
+	// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
+	$inj += preg_match('/onmouse([a-z]*)\s*=/i', $val);       // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
+	$inj += preg_match('/ondrag([a-z]*)\s*=/i', $val);        //
+	$inj += preg_match('/ontouch([a-z]*)\s*=/i', $val);        //
+	$inj += preg_match('/on(abort|afterprint[beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $val);
+	$inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $val);
+	$inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|offline|online|pagehide|pageshow)\s*=/i', $val);
+	$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|submit|suspend)\s*=/i', $val);
+	$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $val);
 	//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val);   // To lock event handlers onAbort(), ...
 	$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val);		// refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
 	//if ($type == 1)
diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php
index fd497e6986a..d4b7c65f4dd 100644
--- a/htdocs/user/group/card.php
+++ b/htdocs/user/group/card.php
@@ -135,7 +135,7 @@ if (empty($reshook)) {
 			} else {
 				$object->name	= trim(GETPOST("nom",'nohtml'));
 				$object->nom	= $object->name;	// For backward compatibility
-				$object->note	= trim(GETPOST("note",'none'));
+				$object->note	= dol_htmlcleanlastbr(trim(GETPOST("note", 'none')));
 
 				// Fill array 'array_options' with data from add form
 				$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -218,7 +218,7 @@ if (empty($reshook)) {
 
 			$object->name	= trim(GETPOST("group",'nohtml'));
 			$object->nom	= $object->name;			// For backward compatibility
-			$object->note	= dol_htmlcleanlastbr(GETPOST("note",'none'));
+			$object->note	= dol_htmlcleanlastbr(trim(GETPOST("note", 'none')));
 
 			// Fill array 'array_options' with data from add form
 			$ret = $extrafields->setOptionalsFromPost($extralabels,$object);

From 771104bc6882cd5c7c0c8545b9d7c1650321d5c5 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 18 Sep 2019 14:25:53 +0200
Subject: [PATCH 3/5] Fix XSS

---
 htdocs/user/card.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 072d7f287a3..93fd39d8607 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -209,7 +209,7 @@ if (empty($reshook)) {
 			$object->facebook = GETPOST("facebook", 'alphanohtml');
 
 			$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
-			$object->job = GETPOST("job", 'alpha');
+			$object->job = GETPOST("job", 'alphanohtml');
 			$object->signature = GETPOST("signature", 'none');
 			$object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
 			$object->note = GETPOST("note", 'none');
@@ -358,7 +358,7 @@ if (empty($reshook)) {
 				$object->twitter = GETPOST("twitter", 'alpha');
 				$object->facebook = GETPOST("facebook", 'alpha');
 				$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
-				$object->job = GETPOST("job", 'alpha');
+				$object->job = GETPOST("job", 'alphanohtml');
 				$object->signature = GETPOST("signature",'none');
 				$object->accountancy_code = GETPOST("accountancy_code",'alpha');
 				$object->openid = GETPOST("openid",'alpha');
@@ -1156,7 +1156,7 @@ if ($action == 'create' || $action == 'adduserldap')
 	// Position/Job
 	print '<tr><td class="titlefieldcreate">'.$langs->trans("PostOrFunction").'</td>';
 	print '<td>';
-	print '<input class="maxwidth200" type="text" name="job" value="'.GETPOST('job').'">';
+	print '<input class="maxwidth200" type="text" name="job" value="'.GETPOST('job', 'alphanohtml').'">';
 	print '</td></tr>';
 
 

From e52788eb75d6a1ebb56b3a78271f14bbb209abb3 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 18 Sep 2019 14:31:03 +0200
Subject: [PATCH 4/5] Fix xss

---
 htdocs/user/card.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 93fd39d8607..ef0ed3743dd 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -209,7 +209,7 @@ if (empty($reshook)) {
 			$object->facebook = GETPOST("facebook", 'alphanohtml');
 
 			$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
-			$object->job = GETPOST("job", 'alphanohtml');
+			$object->job = GETPOST("job", 'nohtml');
 			$object->signature = GETPOST("signature", 'none');
 			$object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
 			$object->note = GETPOST("note", 'none');
@@ -358,7 +358,7 @@ if (empty($reshook)) {
 				$object->twitter = GETPOST("twitter", 'alpha');
 				$object->facebook = GETPOST("facebook", 'alpha');
 				$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
-				$object->job = GETPOST("job", 'alphanohtml');
+				$object->job = GETPOST("job", 'nohtml');
 				$object->signature = GETPOST("signature",'none');
 				$object->accountancy_code = GETPOST("accountancy_code",'alpha');
 				$object->openid = GETPOST("openid",'alpha');
@@ -1156,7 +1156,7 @@ if ($action == 'create' || $action == 'adduserldap')
 	// Position/Job
 	print '<tr><td class="titlefieldcreate">'.$langs->trans("PostOrFunction").'</td>';
 	print '<td>';
-	print '<input class="maxwidth200" type="text" name="job" value="'.GETPOST('job', 'alphanohtml').'">';
+	print '<input class="maxwidth200" type="text" name="job" value="'.GETPOST('job', 'nohtml').'">';
 	print '</td></tr>';
 
 

From 00d5cff00dcb03949948d494573b119b23f22f0c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 18 Sep 2019 14:44:31 +0200
Subject: [PATCH 5/5] Fix XSS injection into textarea

---
 htdocs/main.inc.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index c99723684bf..14b1d581986 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -116,6 +116,8 @@ function testSqlAndScriptInject($val, $type)
 		$inj += preg_match('/union.+select/i', 	 $val);
 		$inj += preg_match('/(\.\.%2f)+/i',		 $val);
 	}
+	// For XSS Injection done by closing textarea to exucute content into a textarea field
+	$inj += preg_match('/<\/textarea/i', $val);
 	// For XSS Injection done by adding javascript with script
 	// This is all cases a browser consider text is javascript:
 	// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers