FIX Vulnerability in module from modulebuilder. Only fields with type

html can contain HTML.
Laurent Destailleur 2020-02-16 18:14:10 +01:00
parent 5b87b12e64
commit ac7a077c77


@ -76,7 +76,7 @@ if ($action == 'add' && !empty($permissiontoadd))
} elseif (preg_match('/^(integer|price|real|double)/', $object->fields[$key]['type'])) {
$value = price2num(GETPOST($key, 'none')); // To fix decimal separator according to lang setup
} else {
$value = GETPOST($key, 'alpha');
$value = GETPOST($key, 'alphanohtml');
}
if (preg_match('/^integer:/i', $object->fields[$key]['type']) && $value == '-1') $value = ''; // This is an implicit foreign key field
if (!empty($object->fields[$key]['foreignkey']) && $value == '-1') $value = ''; // This is an explicit foreign key field
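Review bot: The numeric branch directly above the changed line still reads the raw value with `GETPOST($key, 'none')` and depends on `price2num()` alone to clean it, so the tightening in this commit only covers the final `else`. Unless `price2num()` is guaranteed to discard everything non-numeric, I would apply the same filter there: `$value = price2num(GETPOST($key, 'alphanohtml'));`. The `if`/`elseif` chain and the enclosing `add` handler start outside the hunk, so I cannot see how the html-typed fields are read; if the `update` action has a parallel loop, it presumably needs the same change. Filtering on input does not clean values that are already stored, so the views that print these fields should still escape them on output.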