lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #15894 from atm-john/11.0_fix_issue_14833

Browse Source 
Fix #14833 A security mecanism generates data loss
This commit is contained in:
Laurent Destailleur 2021-01-06 20:26:19 +01:00 committed by GitHub
commit 9e50a06f2b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
htdocs/core/lib/functions.lib.php
View File

@ -602,6 +602,7 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
$out = trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace('"', "''", trim($out));
if (preg_match('/"/', $out)) $out = '';
elseif (preg_match('/\.\.\//', $out)) $out = '';
$out = dol_string_nohtmltag($out);