FIX #15546
This commit is contained in:
parent
5d9098795f
commit
b3b511a6d4
@ -589,16 +589,15 @@ class Translate
|
||||
|
||||
/**
|
||||
* Return text translated of text received as parameter (and encode it into HTML)
|
||||
* If there is no match for this text, we look in alternative file and if still not found,
|
||||
* it is returned as it is
|
||||
* The parameters of this method can contain HTML tags
|
||||
* If there is no match for this text, we look in alternative file and if still not found, it is returned as it is.
|
||||
* The parameters of this method should not contain HTML tags. If there is, they will be htmlencoded to have no effect.
|
||||
*
|
||||
* @param string $key Key to translate
|
||||
* @param string $param1 param1 string
|
||||
* @param string $param2 param2 string
|
||||
* @param string $param3 param3 string
|
||||
* @param string $param4 param4 string
|
||||
* @param int $maxsize Max length of text
|
||||
* @param int $maxsize Max length of text. Warning: Will not work if paramX has HTML content. deprecated.
|
||||
* @return string Translated string (encoded into HTML entities and UTF8)
|
||||
*/
|
||||
public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 = '', $maxsize = 0)
|
||||
@ -621,25 +620,33 @@ class Translate
|
||||
}
|
||||
}
|
||||
|
||||
// We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities because
|
||||
// we want to keep '"' '<b>' '</b>' '<strong' '</strong>' '<a ' '</a>' '<br>' '< ' '<span' '</span>' that are reliable HTML tags inside translation strings.
|
||||
$str = str_replace(
|
||||
array('"', '<b>', '</b>', '<strong>', '</strong>', '<a ', '</a>', '<br>', '<span', '</span>', '< ', '>'), // We accept '< ' but not '<'. We can accept however '>'
|
||||
array('__quot__', '__tagbold__', '__tagboldend__', '__tagbold__', '__tagboldend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__lt__', '__gt__'),
|
||||
$str
|
||||
);
|
||||
|
||||
if (strpos($key, 'Format') !== 0)
|
||||
{
|
||||
$str = sprintf($str, $param1, $param2, $param3, $param4); // Replace %s and %d except for FormatXXX strings.
|
||||
}
|
||||
|
||||
// Crypt string into HTML
|
||||
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content
|
||||
|
||||
// Restore reliable HTML tags into original translation string
|
||||
$str = str_replace(
|
||||
array('__quot__', '__tagbold__', '__tagboldend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__lt__', '__gt__'),
|
||||
array('"', '<b>', '</b>', '<a ', '</a>', '<br>', '<span', '</span>', '< ', '> '),
|
||||
$str
|
||||
);
|
||||
|
||||
if ($maxsize) $str = dol_trunc($str, $maxsize);
|
||||
|
||||
// We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities
|
||||
$str = str_replace(array('<', '>', '"',), array('__lt__', '__gt__', '__quot__'), $str);
|
||||
|
||||
// Crypt string into HTML
|
||||
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are enmbraced by "). Use dol_escape_htmltag around text in HTML content
|
||||
|
||||
// Restore HTML tags
|
||||
$str = str_replace(array('__lt__', '__gt__', '__quot__'), array('<', '>', '"',), $str);
|
||||
|
||||
return $str;
|
||||
} else // Translation is not available
|
||||
{
|
||||
} else { // Translation is not available
|
||||
//if ($key[0] == '$') { return dol_eval($key,1); }
|
||||
return $this->getTradFromKey($key);
|
||||
}
|
||||
|
||||
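Review bot: The placeholder scheme is bypassable from the parameters: the `__xx__` markers are substituted into the translation string (L83-L95) before `sprintf` merges the untrusted `$paramX` values (L106), but the restore step (L125-L137) runs after the merge, so a parameter such as `__taga__href=__quot__javascript:alert(1)__quot____gt__x__tagaend__` survives `htmlentities` unchanged and is turned back into a live `<a href="javascript:alert(1)"> x</a>` tag, which is exactly the injection this commit means to stop. The fix is to restore the markers first and only then `sprintf` the parameters, each one entity-encoded on its own, as in the rewrite below. Separately, the restore array maps `__gt__` to `'> '` (trailing space) while the protect step matched a bare `'>'`, so every restored tag now gains a space that was not in the translation. `trans()` opens in the previous hunk and the start of its body is not shown here, so the `else` at L180 is reviewed without its matching `if`.
```php
// … unchanged: replace reliable tags of the translation string by __xx__ markers …

// Crypt string into HTML
$str = htmlentities($str, ENT_COMPAT, $this->charset_output);

// Restore reliable HTML tags into original translation string
// … unchanged: str_replace restoring the __xx__ markers …

// Only now merge the untrusted parameters, each one fully entity-encoded, so a value
// containing "__taga__", "__quot__", etc. can never be restored into a tag above.
if (strpos($key, 'Format') !== 0) {
    $str = sprintf(
        $str,
        htmlentities($param1, ENT_COMPAT, $this->charset_output),
        htmlentities($param2, ENT_COMPAT, $this->charset_output),
        htmlentities($param3, ENT_COMPAT, $this->charset_output),
        htmlentities($param4, ENT_COMPAT, $this->charset_output)
    );
}

if ($maxsize) $str = dol_trunc($str, $maxsize);
```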
@ -1060,7 +1060,7 @@ function dol_escape_json($stringtoescape)
|
||||
* Returns text escaped for inclusion in HTML alt or title tags, or into values of HTML input fields.
|
||||
*
|
||||
* @param string $stringtoescape String to escape
|
||||
* @param int $keepb 1=Preserve b tags (otherwise, remove them)
|
||||
* @param int $keepb 1=Keep b tags and escape them, 0=remove them
|
||||
* @param int $keepn 1=Preserve \r\n strings (otherwise, replace them with escaped value). Set to 1 when escaping for a <textarea>.
|
||||
* @param string $keepmoretags '' or 'common' or list of tags
|
||||
* @param int $escapeonlyhtmltags 1=Escape only html tags, not the special chars like accents.
|
||||
@ -1069,7 +1069,7 @@ function dol_escape_json($stringtoescape)
|
||||
*/
|
||||
function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $keepmoretags = '', $escapeonlyhtmltags = 0)
|
||||
{
|
||||
if ($keepmoretags == 'common') $keepmoretags = 'html,body,a,em,i,u,ul,li,br,div,img,font,p,span,strong,table,tr,td,th,tbody';
|
||||
if ($keepmoretags == 'common') $keepmoretags = 'html,body,a,b,em,i,u,ul,li,br,div,img,font,p,span,strong,table,tr,td,th,tbody';
|
||||
// TODO Implement $keepmoretags
|
||||
|
||||
// escape quotes and backslashes, newlines, etc.
|
||||
|
||||
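Review bot: The comparison at L236 is loose, `if ($keepmoretags == 'common')`, and since the neighbouring parameters are ints a caller passing `0` would, on PHP 7 and earlier where `0 == 'common'` is true, silently enable the whole keep-list including `a`, `img`, `font` and `div`; it should read `if ($keepmoretags === 'common')`. The list this commit extends with `b` is still marked `// TODO Implement $keepmoretags` at L239, so as far as this hunk shows the addition has no effect yet, and when it is implemented the tags carrying `href`/`src` attributes will need attribute filtering, not just a tag whitelist. The body of `dol_escape_htmltag` continues past the end of this hunk, so whether `$keepb` actually "escapes" b tags as the new docblock at L209 says cannot be confirmed here.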
@ -1672,7 +1672,7 @@ AdvancedEditor=Advanced editor
|
||||
ActivateFCKeditor=Activate advanced editor for:
|
||||
FCKeditorForCompany=WYSIWIG creation/edition of elements description and note (except products/services)
|
||||
FCKeditorForProduct=WYSIWIG creation/edition of products/services description and note
|
||||
FCKeditorForProductDetails=WYSIWIG creation/edition of products details lines for all entities (proposals, orders, invoices, etc...). <font class="warning">Warning: Using this option for this case is seriously not recommended as it can create problems with special characters and page formatting when building PDF files.</font>
|
||||
FCKeditorForProductDetails=WYSIWIG creation/edition of products details lines for all entities (proposals, orders, invoices, etc...). <span class="warning">Warning: Using this option for this case is seriously not recommended as it can create problems with special characters and page formatting when building PDF files.</span>
|
||||
FCKeditorForMailing= WYSIWIG creation/edition for mass eMailings (Tools->eMailing)
|
||||
FCKeditorForUserSignature=WYSIWIG creation/edition of user signature
|
||||
FCKeditorForMail=WYSIWIG creation/edition for all mail (except Tools->eMailing)
|
||||
|
||||
@ -203,4 +203,27 @@ class LangTest extends PHPUnit\Framework\TestCase
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
/**
|
||||
* testTrans
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function testTrans()
|
||||
{
|
||||
global $conf,$user,$langs,$db;
|
||||
$conf=$this->savconf;
|
||||
$user=$this->savuser;
|
||||
$langs=$this->savlangs;
|
||||
$db=$this->savdb;
|
||||
|
||||
$tmplangs=new Translate('', $conf);
|
||||
$langcode='en_US';
|
||||
$tmplangs->setDefaultLang($langcode);
|
||||
$tmplangs->load("main");
|
||||
|
||||
$result = $tmplangs->trans("FilterOnInto", "<input autofocus onfocus='alert(1337)' <--!");
|
||||
print __METHOD__." result trans FilterOnInto = ".$result."\n";
|
||||
$this->assertEquals($result, "Search criteria '<b><input autofocus onfocus='alert(1337)' <--!</b>' into fields ", 'Result of lang->trans must have original translation string with its original HTML tag, but inserted values must be fully encoded.');
|
||||
}
|
||||
}
|
||||
|
||||
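Review bot: The new test only checks a payload that starts with a bare `<`, which `htmlentities` encodes anyway; it does not exercise the marker-restore path, so a parameter containing the placeholder tokens still goes untested — add a second case such as `$result = $tmplangs->trans("FilterOnInto", "__taga__href=__quot__javascript:alert(1)__quot____gt__x__tagaend__");` followed by `$this->assertStringNotContainsString('<a ', $result);`. The expected string at L349 is shown here with a raw `<input`, which as rendered could only pass if the output were unencoded; presumably the source holds `&lt;input` and the forge decoded it, but that is worth confirming. PHPUnit's `assertEquals` takes `(expected, actual)`, so the arguments at L349 are reversed and a failure message would label them backwards. The docblock's `@return string` does not match a test method that returns nothing; `@return void` is correct.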