New: Another method to allow style tags into email.

Previous one was using encoding, but this caused data not to be stored
correctly in the database. The old method is still available by adding
'_encoded' at the end of the toolbar name.
Laurent Destailleur 2013-03-24 19:00:58 +01:00
parent 3ef8bf55fa
commit b3d4811b6f
5 changed files with 98 additions and 78 deletions


@ -23,6 +23,8 @@
* \brief Fiche mailing, onglet general
*/
if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1');
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/emailing.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@ -768,7 +770,7 @@ else
$linkback = '<a href="'.DOL_URL_ROOT.'/comm/mailing/liste.php">'.$langs->trans("BackToList").'</a>';
print '<tr><td width="15%">'.$langs->trans("Ref").'</td>';
print '<tr><td width="25%">'.$langs->trans("Ref").'</td>';
print '<td colspan="3">';
print $form->showrefnav($object,'id', $linkback);
print '</td></tr>';
@ -789,10 +791,10 @@ else
print '</td></tr>';
// Status
print '<tr><td width="15%">'.$langs->trans("Status").'</td><td colspan="3">'.$object->getLibStatut(4).'</td></tr>';
print '<tr><td>'.$langs->trans("Status").'</td><td colspan="3">'.$object->getLibStatut(4).'</td></tr>';
// Nb of distinct emails
print '<tr><td width="15%">';
print '<tr><td>';
print $langs->trans("TotalNbOfDistinctRecipients");
print '</td><td colspan="3">';
$nbemail = ($object->nbemail?$object->nbemail:img_warning('').' <font class="warning">'.$langs->trans("NoTargetYet").'</font>');
@ -979,7 +981,7 @@ else
print '<table class="border" width="100%">';
// Subject
print '<tr><td width="15%">'.$langs->trans("MailTopic").'</td><td colspan="3">'.$object->sujet.'</td></tr>';
print '<tr><td width="25%">'.$langs->trans("MailTopic").'</td><td colspan="3">'.$object->sujet.'</td></tr>';
// Joined files
print '<tr><td>'.$langs->trans("MailFile").'</td><td colspan="3">';
@ -1007,7 +1009,14 @@ else
// Message
print '<tr><td valign="top">'.$langs->trans("MailMessage").'</td>';
print '<td colspan="3" bgcolor="'.($object->bgcolor?(preg_match('/^#/',$object->bgcolor)?'':'#').$object->bgcolor:'white').'">';
print dol_htmlentitiesbr($object->body);
if (empty($object->bgcolor) || strtolower($object->bgcolor) == 'ffffff')
{
// Editeur wysiwyg
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
$doleditor=new DolEditor('body',$object->body,'',320,'dolibarr_readonly','',false,true,empty($conf->global->FCKEDITOR_ENABLE_MAILING)?0:1,20,70);
$doleditor->Create();
}
else print dol_htmlentitiesbr($object->body);
print '</td>';
print '</tr>';
@ -1040,7 +1049,7 @@ else
print '<tr><td width="25%">';
print $langs->trans("TotalNbOfDistinctRecipients");
print '</td><td colspan="3">';
$nbemail = ($object->nbemail?$object->nbemail:'<font class="error">'.$langs->trans("NoTargetYet").'</font>');
$nbemail = ($object->nbemail?$object->nbemail:img_warning('').' <font class="warning">'.$langs->trans("NoTargetYet").'</font>');
if (!empty($conf->global->MAILING_LIMIT_SENDBYWEB) && is_numeric($nbemail) && $conf->global->MAILING_LIMIT_SENDBYWEB < $nbemail)
{
$text=$langs->trans('LimitSendingEmailing',$conf->global->MAILING_LIMIT_SENDBYWEB);
@ -1142,13 +1151,13 @@ else
$doleditor->Create();
print '</td></tr>';
print '<tr><td colspan="4" align="center">';
print '</table>';
print '<br><center>';
print '<input type="submit" class="button" value="'.$langs->trans("Save").'" name="save">';
print ' &nbsp; ';
print '<input type="submit" class="button" value="'.$langs->trans("Cancel").'" name="cancel">';
print '</td></tr>';
print '</table>';
print '</center>';
print '</form>';
print '<br>';
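Review bot: `define('NOSTYLECHECK','1')` placed before `require '../../main.inc.php'` switches off the `<style` injection check for every GET and POST parameter this page receives, not only for the mailing body, because test_sql_and_script_inject in functions.lib.php consults the constant globally rather than per field. That is a wider relaxation than the commit message describes and deserves a comment at the define, e.g. `// Allow <style> tags in the mailing body. NOTE: this disables the global <style check for ALL parameters of this page.`. With the check gone, the body has to be made safe where it is rendered to other users: the new read-only-editor branch hands `$object->body` to DolEditor unchanged, and whether the stored body is sanitized on the save path is not visible in this section.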


@ -51,7 +51,7 @@ class DolEditor
* @param string $content Content of WYSIWIG field
* @param int $width Width in pixel of edit area (auto by default)
* @param int $height Height in pixel of edit area (200px by default)
* @param string $toolbarname Name of bar set to use ('Full', 'dolibarr_notes', 'dolibarr_details', 'dolibarr_mailings')
* @param string $toolbarname Name of bar set to use ('Full', 'dolibarr_notes[_encoded]', 'dolibarr_details[_encoded]', 'dolibarr_mailings[_encoded]', ')
* @param string $toolbarlocation Where bar is stored :
* 'In' each window has its own toolbar
* 'Out:name' share toolbar into the div called 'name'
@ -69,6 +69,7 @@ class DolEditor
if (! $rows) $rows=round($height/20);
if (! $cols) $cols=($width?round($width/6):80);
$shorttoolbarname=preg_replace('/_encoded$/','',$toolbarname);
// Name of extended editor to use (FCKEDITOR_EDITORNAME can be 'ckeditor' or 'fckeditor')
$defaulteditor='ckeditor';
@ -97,7 +98,7 @@ class DolEditor
$this->editor->Value = $content;
$this->editor->Height = $height;
if (! empty($width)) $this->editor->Width = $width;
$this->editor->ToolbarSet = $toolbarname;
$this->editor->ToolbarSet = $shorttoolbarname;
$this->editor->Config['AutoDetectLanguage'] = 'true';
$this->editor->Config['ToolbarLocation'] = $toolbarlocation ? $toolbarlocation : 'In';
$this->editor->Config['ToolbarStartExpanded'] = $toolbarstartexpanded;
@ -124,7 +125,7 @@ class DolEditor
{
$this->content = $content;
$this->htmlname = $htmlname;
$this->toolbarname = $toolbarname;
$this->toolbarname = $shorttoolbarname;
$this->toolbarstartexpanded = $toolbarstartexpanded;
$this->rows = max(ROWS_3,$rows);
$this->cols = max(40,$cols);
@ -169,9 +170,8 @@ class DolEditor
//$skin='office2003';
//$skin='v2';
$skin='kama';
if ($this->toolbarname=='dolibarr_mailings') {$htmlencode_force='true';}
else {$htmlencode_force='false';}
$htmlencode_force=preg_match('/_encoded$/',$this->toolbarname)?'true':'false';
$out.= '<script type="text/javascript">
$(document).ready(function () {
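Review bot: The `_encoded` suffix can never be detected in Create(): the constructor stores `$this->toolbarname = $shorttoolbarname` (suffix already removed by the preg_replace), so `preg_match('/_encoded$/',$this->toolbarname)` on the `$htmlencode_force` line is always false and the "old method" the commit message says is kept is dead code for the ckeditor path. Decide the flag once in the constructor from the unstripped name and keep it beside the stripped one, e.g. `$this->htmlencode_force = preg_match('/_encoded$/',$toolbarname) ? 'true' : 'false';` after the toolbarname assignment, then in Create() use `$htmlencode_force=$this->htmlencode_force;`. The docblock for `$toolbarname` also has a stray `, '` at the end of the toolbar-name list. Both the constructor and Create() start outside these hunks.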


@ -93,7 +93,7 @@ function test_sql_and_script_inject($val, $type)
// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val);
$sql_inj += preg_match('/<style/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/i', $val);
if ($type == 1)
{
@ -101,8 +101,8 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/vbscript:/i', $val);
}
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val); // PHP_SELF is an url and must match url syntax
if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val); // PHP_SELF is an url and must match url syntax
return $sql_inj;
}
@ -1569,13 +1569,13 @@ function left_menu($menu_array_before, $helppagename='', $moresearchform='', $me
$appli='Dolibarr';
if (! empty($conf->global->MAIN_APPLICATION_TITLE)) { $appli=$conf->global->MAIN_APPLICATION_TITLE; $doliurl=''; }
$appli.=" ".DOL_VERSION;
print '<div id="blockvmenuhelp" class="blockvmenuhelp">';
if ($doliurl) print '<a class="help" target="_blank" href="'.$doliurl.'">';
print $appli;
if ($doliurlx) print '</a>';
print '</div>';
print "</div>\n";
print "<!-- End left menu -->\n";
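Review bot: Gating the `<style` check on a process-wide constant makes the exemption page-scoped rather than field-scoped: once a page defines NOSTYLECHECK before main.inc.php, every parameter of that request, including GET values and plain-text fields that never carry HTML, skips the check. A comment on the new line should make that contract explicit, e.g. `// NOSTYLECHECK: the page has opted out of the <style check for ALL its parameters and is responsible for sanitizing on output`. A narrower design would exempt only the named field (e.g. the mailing body) rather than the whole request, but that needs the caller's parameter name and is outside this hunk. test_sql_and_script_inject starts outside the hunk.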


@ -82,4 +82,11 @@ CKEDITOR.editorConfig = function( config )
['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'],
['Link','Unlink','SpecialChar']
];
// Used for mailing fields
config.toolbar_dolibarr_readonly =
[
['Source','Maximize'],
['Find']
];
};
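Review bot: `toolbar_dolibarr_readonly` only trims the toolbar to Source/Maximize/Find; a toolbar set does not make the editing area read-only, and the Source button still lets the viewer edit the raw HTML of the instance. If a non-editable preview is the intent, as the name suggests, the instance presumably also needs CKEditor's `config.readOnly = true` set from DolEditor when this toolbar is chosen; otherwise the comment should state the limitation, e.g. `// Display-only toolbar for viewing a stored mailing body; the editor area itself stays editable`.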


@ -60,7 +60,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
// Define value to know what current user can do on properties of edited user
if ($id)
{
// $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edite
// $user est le user qui edite, $id est l'id de l'utilisateur edite
$caneditfield=((($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer));
$caneditpassword=((($user->id == $id) && $user->rights->user->self->password)
@ -174,18 +174,18 @@ if ($action == 'add' && $canadduser)
if (! $message)
{
$object->lastname = $_POST["lastname"];
$object->firstname = $_POST["firstname"];
$object->login = $_POST["login"];
$object->admin = $_POST["admin"];
$object->office_phone = $_POST["office_phone"];
$object->office_fax = $_POST["office_fax"];
$object->user_mobile = $_POST["user_mobile"];
$object->email = $_POST["email"];
$object->job = $_POST["job"];
$object->signature = $_POST["signature"];
$object->note = $_POST["note"];
$object->ldap_sid = $_POST["ldap_sid"];
$object->lastname = GETPOST("lastname");
$object->firstname = GETPOST("firstname");
$object->login = GETPOST("login");
$object->admin = GETPOST("admin");
$object->office_phone = GETPOST("office_phone");
$object->office_fax = GETPOST("office_fax");
$object->user_mobile = GETPOST("user_mobile");
$object->email = GETPOST("email");
$object->job = GETPOST("job");
$object->signature = GETPOST("signature");
$object->note = GETPOST("note");
$object->ldap_sid = GETPOST("ldap_sid");
// Get extra fields
foreach($_POST as $key => $value)
@ -683,7 +683,7 @@ if (($action == 'create') || ($action == 'adduserldap'))
}
print dol_set_focus('#lastname');
print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST" name="createuser">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
@ -887,15 +887,7 @@ if (($action == 'create') || ($action == 'adduserldap'))
print '<tr><td valign="top">'.$langs->trans("Signature").'</td>';
print '<td>';
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
if (!empty($conf->global->FCKEDITOR_ENABLE_USERSIGN)) {
$withfckeditor=1;
//Mailing is mandatory to have dolHTMLencode done by ckeditor
$ckeditortoolbar='dolibarr_mailings';
} else {
$withfckeditor=0;
$ckeditortoolbar='';
}
$doleditor=new DolEditor('signature',GETPOST('signature'),'',280,$ckeditortoolbar,'In',true,true,$withfckeditor,8,72);
$doleditor=new DolEditor('signature',GETPOST('signature'),'',280,'dolibarr_mailings','In',true,true,empty($conf->global->FCKEDITOR_ENABLE_USERSIGN)?0:1,8,72);
print $doleditor->Create(1);
print '</td></tr>';
@ -1205,11 +1197,7 @@ else
// Signature
print '<tr><td valign="top">'.$langs->trans('Signature').'</td><td>';
if (!empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) && dol_textishtml(dol_html_entity_decode($object->signature, ENT_COMPAT | ENT_HTML401))) {
print dol_html_entity_decode($object->signature, ENT_COMPAT | ENT_HTML401);
}else {
print dol_textishtml($object->signature)?$object->signature:dol_nl2br($object->signature,1,false);
}
print dol_htmlentitiesbr($object->signature);
print "</td></tr>\n";
// Hierarchy
@ -1546,8 +1534,7 @@ else
/*
* Fiche en mode edition
*/
if ($action == 'edit' && ($canedituser || ($user->id == $object->id)))
if ($action == 'edit' && ($canedituser || $caneditfield || $caneditpassword || ($user->id == $object->id)))
{
$rowspan=14;
@ -1613,7 +1600,15 @@ else
// Position/Job
print '<tr><td valign="top">'.$langs->trans("PostOrFunction").'</td>';
print '<td>';
print '<input size="30" type="text" name="job" value="'.$object->job.'">';
if ($caneditfield)
{
print '<input size="30" type="text" name="job" value="'.$object->job.'">';
}
else
{
print '<input type="hidden" name="job" value="'.$object->job.'">';
print $object->job;
}
print '</td></tr>';
// Login
@ -1808,17 +1803,16 @@ else
// Signature
print "<tr>".'<td valign="top">'.$langs->trans("Signature").'</td>';
print '<td>';
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
if (!empty($conf->global->FCKEDITOR_ENABLE_USERSIGN)) {
$withfckeditor=1;
//Mailing is mandatory to have dolHTMLencode done by ckeditor
$ckeditortoolbar='dolibarr_mailings';
} else {
$withfckeditor=0;
$ckeditortoolbar='';
if ($caneditfield)
{
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
$doleditor=new DolEditor('signature',$object->signature,'',280,'dolibarr_mailings','In',true,true,empty($conf->global->FCKEDITOR_ENABLE_USERSIGN)?0:1,8,72);
print $doleditor->Create(1);
}
else
{
print dol_htmlentitiesbr($object->signature);
}
$doleditor=new DolEditor('signature',$object->signature,'',280,$ckeditortoolbar,'In',true,true,$withfckeditor,8,72);
print $doleditor->Create(1);
print '</td></tr>';
// openid
@ -1841,7 +1835,17 @@ else
// Hierarchy
print '<tr><td valign="top">'.$langs->trans("HierarchicalResponsible").'</td>';
print '<td>';
print $form->select_dolusers($object->fk_user,'fk_user',1,array($object->id),0,'',0,$object->entity);
if ($caneditfield)
{
print $form->select_dolusers($object->fk_user,'fk_user',1,array($object->id),0,'',0,$object->entity);
}
else
{
print '<input type="hidden" name="fk_user" value="'.$object->fk_user.'">';
$huser=new User($db);
$huser->fetch($object->fk_user);
print $huser->getNomUrl(1);
}
print '</td>';
print "</tr>\n";
@ -1851,21 +1855,6 @@ else
print $object->getLibStatut(4);
print '</td></tr>';
// Multicompany
if (! empty($conf->multicompany->enabled))
{
if (empty($conf->multicompany->transverse_mode) && $conf->entity == 1 && $user->admin && ! $user->entity)
{
print "<tr>".'<td valign="top">'.$langs->trans("Entity").'</td>';
print "<td>".$mc->select_entities($object->entity);
print "</td></tr>\n";
}
else
{
print '<input type="hidden" name="entity" value="'.$conf->entity.'" />';
}
}
// Company / Contact
if (! empty($conf->societe->enabled))
{
@ -1912,6 +1901,21 @@ else
print "</tr>\n";
}
// Multicompany
if (! empty($conf->multicompany->enabled))
{
if (empty($conf->multicompany->transverse_mode) && $conf->entity == 1 && $user->admin && ! $user->entity)
{
print "<tr>".'<td valign="top">'.$langs->trans("Entity").'</td>';
print "<td>".$mc->select_entities($object->entity);
print "</td></tr>\n";
}
else
{
print '<input type="hidden" name="entity" value="'.$conf->entity.'" />';
}
}
// Other attributes
$parameters=array('colspan' => ' colspan="2"');
$reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action); // Note that $action and $object may have been modified by hook
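Review bot: In the Position/Job hunk the `else` branch re-emits `job` as a hidden input (and the Hierarchy hunk does the same for `fk_user`), so a user for whom `$caneditfield` is false still posts those values; this is only safe if the save handler, which is outside this section, discards `job`/`fk_user` when `$caneditfield` is false, otherwise anyone admitted to the edit form only via `$caneditpassword` can change them by editing the hidden field in the browser. The hidden value is also not attribute-escaped, so a job containing `"` breaks out of the attribute; use `print '<input type="hidden" name="job" value="'.dol_escape_htmltag($object->job).'">';` (or `htmlspecialchars` if that helper is not available at this version) and escape the visible `print $object->job;` on the next line the same way. The enclosing `if ($action == 'edit' ...)` block starts and ends outside the hunks.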