From b3b511a6d4b0eedb8cbf1542ea99cf79ea1f57e3 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 26 Nov 2020 22:44:11 +0100 Subject: [PATCH] FIX #15546 --- htdocs/core/class/translate.class.php | 37 ++++++++++++++++----------- htdocs/core/lib/functions.lib.php | 4 +-- htdocs/langs/en_US/admin.lang | 2 +- test/phpunit/LangTest.php | 23 +++++++++++++++++ 4 files changed, 48 insertions(+), 18 deletions(-) diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php index 3c4c3ea5d36..ab7bf604446 100644 --- a/htdocs/core/class/translate.class.php +++ b/htdocs/core/class/translate.class.php @@ -589,16 +589,15 @@ class Translate /** * Return text translated of text received as parameter (and encode it into HTML) - * If there is no match for this text, we look in alternative file and if still not found, - * it is returned as it is - * The parameters of this method can contain HTML tags + * If there is no match for this text, we look in alternative file and if still not found, it is returned as it is. + * The parameters of this method should not contain HTML tags. If there is, they will be htmlencoded to have no effect. * * @param string $key Key to translate * @param string $param1 param1 string * @param string $param2 param2 string * @param string $param3 param3 string * @param string $param4 param4 string - * @param int $maxsize Max length of text + * @param int $maxsize Max length of text. Warning: Will not work if paramX has HTML content. deprecated. * @return string Translated string (encoded into HTML entities and UTF8) */ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 = '', $maxsize = 0) @@ -621,25 +620,33 @@ class Translate } } + // We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities because + // we want to keep '"' '' '' '' '' '
' '< ' '' that are reliable HTML tags inside translation strings. + $str = str_replace( + array('"', '', '', '', '', '
', '
', '', '< ', '>'), // We accept '< ' but not '<'. We can accept however '>' + array('__quot__', '__tagbold__', '__tagboldend__', '__tagbold__', '__tagboldend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__lt__', '__gt__'), + $str + ); + if (strpos($key, 'Format') !== 0) { $str = sprintf($str, $param1, $param2, $param3, $param4); // Replace %s and %d except for FormatXXX strings. } + // Crypt string into HTML + $str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content + + // Restore reliable HTML tags into original translation string + $str = str_replace( + array('__quot__', '__tagbold__', '__tagboldend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__lt__', '__gt__'), + array('"', '', '', '
', '
', '', '< ', '> '), + $str + ); + if ($maxsize) $str = dol_trunc($str, $maxsize); - // We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities - $str = str_replace(array('<', '>', '"',), array('__lt__', '__gt__', '__quot__'), $str); - - // Crypt string into HTML - $str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are enmbraced by "). Use dol_escape_htmltag around text in HTML content - - // Restore HTML tags - $str = str_replace(array('__lt__', '__gt__', '__quot__'), array('<', '>', '"',), $str); - return $str; - } else // Translation is not available - { + } else { // Translation is not available //if ($key[0] == '$') { return dol_eval($key,1); } return $this->getTradFromKey($key); } diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f0d6ff9a53c..3eb40f96478 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1060,7 +1060,7 @@ function dol_escape_json($stringtoescape) * Returns text escaped for inclusion in HTML alt or title tags, or into values of HTML input fields. * * @param string $stringtoescape String to escape - * @param int $keepb 1=Preserve b tags (otherwise, remove them) + * @param int $keepb 1=Keep b tags and escape them, 0=remove them * @param int $keepn 1=Preserve \r\n strings (otherwise, replace them with escaped value). Set to 1 when escaping for a
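Review bot: The restoring `str_replace` at the end of the new block runs over the whole string after `sprintf` has already inserted `$param1`..`$param4`, so a parameter that itself contains one of the placeholder tokens (`__quot__`, `__taga__`, `__lt__`, …) passes through `htmlentities` untouched and is then turned back into a raw quote or tag, which undoes the parameter encoding this fix introduces. Encoding each parameter on its own and inserting it only after the restore step closes that gap without changing the result for ordinary values, since `htmlentities` leaves `%s`/`%d` alone. The last element of the restore array also appears to be `'> '` while the protect array maps `'>'`, so every `>` in a translation string would gain a trailing space; `'>'` keeps the two arrays symmetric. The protect array maps two different tag pairs to `__tagbold__`/`__tagboldend__` but the restore array has a single value for each, so the second pair comes back as the first (tags are not visible in this rendering, so confirm against the file). The enclosing `trans()` method begins before this hunk.
```php
// … unchanged: protect reliable tags in $str with __xx__ placeholders …

// Encode the translation string first, then restore its protected tags.
$str = htmlentities($str, ENT_COMPAT, $this->charset_output);
// … unchanged: str_replace() restoring '__quot__', '__tagbold__', … to the original tags …

// Parameters are encoded on their own and inserted only after the restore step,
// so a placeholder token arriving inside a parameter is never turned back into markup.
if (strpos($key, 'Format') !== 0) {
	$str = sprintf(
		$str,
		htmlentities((string) $param1, ENT_COMPAT, $this->charset_output),
		htmlentities((string) $param2, ENT_COMPAT, $this->charset_output),
		htmlentities((string) $param3, ENT_COMPAT, $this->charset_output),
		htmlentities((string) $param4, ENT_COMPAT, $this->charset_output)
	);
}

if ($maxsize) $str = dol_trunc($str, $maxsize);
```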