From b43aca0f8de0c914185f7a9af7d2d9b74de91296 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis.houssin@capnetworks.com>
Date: Fri, 6 Apr 2018 08:52:02 +0200
Subject: [PATCH] Fix: use dol_string_nohtmltag instead (with strip_tags)

---
 htdocs/adherents/class/adherent.class.php     |  4 +--
 .../adherents/class/adherent_type.class.php   |  2 +-
 htdocs/core/lib/functions.lib.php             | 27 +++++++++++--------
 htdocs/user/class/user.class.php              |  2 +-
 htdocs/user/class/usergroup.class.php         |  2 +-
 5 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index 6653d111363..4ababc23f73 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -2323,8 +2323,8 @@ class Adherent extends CommonObject
 		if ($this->phone_perso && ! empty($conf->global->LDAP_MEMBER_FIELD_PHONE_PERSO))		$info[$conf->global->LDAP_MEMBER_FIELD_PHONE_PERSO] = $this->phone_perso;
 		if ($this->phone_mobile && ! empty($conf->global->LDAP_MEMBER_FIELD_MOBILE))			$info[$conf->global->LDAP_MEMBER_FIELD_MOBILE] = $this->phone_mobile;
 		if ($this->fax && ! empty($conf->global->LDAP_MEMBER_FIELD_FAX))						$info[$conf->global->LDAP_MEMBER_FIELD_FAX] = $this->fax;
-		if ($this->note_private && ! empty($conf->global->LDAP_MEMBER_FIELD_DESCRIPTION))		$info[$conf->global->LDAP_MEMBER_FIELD_DESCRIPTION] = html_entity_decode(strip_tags($this->note_private));
-		if ($this->note_public && ! empty($conf->global->LDAP_MEMBER_FIELD_NOTE_PUBLIC))		$info[$conf->global->LDAP_MEMBER_FIELD_NOTE_PUBLIC] = html_entity_decode(strip_tags($this->note_public));
+		if ($this->note_private && ! empty($conf->global->LDAP_MEMBER_FIELD_DESCRIPTION))		$info[$conf->global->LDAP_MEMBER_FIELD_DESCRIPTION] = dol_string_nohtmltag($this->note_private, 0, 'UTF-8', 1);
+		if ($this->note_public && ! empty($conf->global->LDAP_MEMBER_FIELD_NOTE_PUBLIC))		$info[$conf->global->LDAP_MEMBER_FIELD_NOTE_PUBLIC] = dol_string_nohtmltag($this->note_public, 0, 'UTF-8', 1);
 		if ($this->birth && ! empty($conf->global->LDAP_MEMBER_FIELD_BIRTHDATE))				$info[$conf->global->LDAP_MEMBER_FIELD_BIRTHDATE] = dol_print_date($this->birth,'dayhourldap');
 		if (isset($this->statut) && ! empty($conf->global->LDAP_FIELD_MEMBER_STATUS))			$info[$conf->global->LDAP_FIELD_MEMBER_STATUS] = $this->statut;
 		if ($this->datefin && ! empty($conf->global->LDAP_FIELD_MEMBER_END_LASTSUBSCRIPTION))	$info[$conf->global->LDAP_FIELD_MEMBER_END_LASTSUBSCRIPTION] = dol_print_date($this->datefin,'dayhourldap');
diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php
index af5790c41db..f1b44d3f1e7 100644
--- a/htdocs/adherents/class/adherent_type.class.php
+++ b/htdocs/adherents/class/adherent_type.class.php
@@ -456,7 +456,7 @@ class AdherentType extends CommonObject
 
 		// Champs
 		if ($this->label && ! empty($conf->global->LDAP_MEMBER_TYPE_FIELD_FULLNAME)) $info[$conf->global->LDAP_MEMBER_TYPE_FIELD_FULLNAME] = $this->label;
-		if ($this->note && ! empty($conf->global->LDAP_MEMBER_TYPE_FIELD_DESCRIPTION)) $info[$conf->global->LDAP_MEMBER_TYPE_FIELD_DESCRIPTION] = html_entity_decode(strip_tags($this->note));
+		if ($this->note && ! empty($conf->global->LDAP_MEMBER_TYPE_FIELD_DESCRIPTION)) $info[$conf->global->LDAP_MEMBER_TYPE_FIELD_DESCRIPTION] = dol_string_nohtmltag($this->note, 0, 'UTF-8', 1);
 		if (! empty($conf->global->LDAP_MEMBER_TYPE_FIELD_GROUPMEMBERS))
 		{
 			$valueofldapfield=array();
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 14f147d7f48..1adefaca5ab 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -5415,28 +5415,33 @@ function picto_required()
  *	@param	string	$stringtoclean		String to clean
  *	@param	integer	$removelinefeed		1=Replace also new lines by a space, 0=Only last one are removed
  *  @param  string	$pagecodeto      	Encoding of input/output string
+ *  @param	integer	$strip_tags			1=Use strip_tags php function, 0=Use internal pattern
  *	@return string	    				String cleaned
  *
  * 	@see	dol_escape_htmltag strip_tags
  */
-function dol_string_nohtmltag($stringtoclean,$removelinefeed=1,$pagecodeto='UTF-8')
+function dol_string_nohtmltag($stringtoclean,$removelinefeed=1,$pagecodeto='UTF-8',$strip_tags=0)
 {
-	// TODO Try to replace with  strip_tags($stringtoclean)
-	$pattern = "/<[^<>]+>/";
-	$stringtoclean = preg_replace('/<br[^>]*>/', "\n", $stringtoclean);
-	$temp = dol_html_entity_decode($stringtoclean,ENT_COMPAT,$pagecodeto);
+	if ($strip_tags) {
+		$temp = strip_tags($stringtoclean);
+	} else {
+		$pattern = "/<[^<>]+>/";
+		$temp = preg_replace('/<br[^>]*>/', "\n", $stringtoclean);
 
-	// Exemple of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
-	$temp = preg_replace($pattern,"",$temp);    // pass 1
-	// $temp after pass 1: <a href="/myurl" title="A title">0000-021
-	$temp = preg_replace($pattern,"",$temp);    // pass 2
-	// $temp after pass 2: 0000-021
+		// Exemple of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
+		$temp = preg_replace($pattern,"",$temp);    // pass 1
+		// $temp after pass 1: <a href="/myurl" title="A title">0000-021
+		$temp = preg_replace($pattern,"",$temp);    // pass 2
+		// $temp after pass 2: 0000-021
+	}
+
+	$temp = dol_html_entity_decode($temp,ENT_COMPAT,$pagecodeto);
 
 	// Supprime aussi les retours
 	if ($removelinefeed) $temp=str_replace(array("\r\n","\r","\n")," ",$temp);
 
 	// et les espaces doubles
-	while(strpos($temp,"  "))
+	while (strpos($temp,"  "))
 	{
 		$temp = str_replace("  "," ",$temp);
 	}
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 5a24baae8dd..a0a8597a535 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -2408,7 +2408,7 @@ class User extends CommonObject
 		if ($this->address && ! empty($conf->global->LDAP_FIELD_ADDRESS))			$info[$conf->global->LDAP_FIELD_ADDRESS] = $this->address;
 		if ($this->zip && ! empty($conf->global->LDAP_FIELD_ZIP))					$info[$conf->global->LDAP_FIELD_ZIP] = $this->zip;
 		if ($this->town && ! empty($conf->global->LDAP_FIELD_TOWN))					$info[$conf->global->LDAP_FIELD_TOWN] = $this->town;
-		if ($this->note_public && ! empty($conf->global->LDAP_FIELD_DESCRIPTION))	$info[$conf->global->LDAP_FIELD_DESCRIPTION] = html_entity_decode(strip_tags($this->note_public));
+		if ($this->note_public && ! empty($conf->global->LDAP_FIELD_DESCRIPTION))	$info[$conf->global->LDAP_FIELD_DESCRIPTION] = dol_string_nohtmltag($this->note_public, 0, 'UTF-8', 1);
 		if ($this->socid > 0)
 		{
 			$soc = new Societe($this->db);
diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php
index 483086574a6..d852c7ac03a 100644
--- a/htdocs/user/class/usergroup.class.php
+++ b/htdocs/user/class/usergroup.class.php
@@ -908,7 +908,7 @@ class UserGroup extends CommonObject
 		// Champs
 		if ($this->name && ! empty($conf->global->LDAP_GROUP_FIELD_FULLNAME)) $info[$conf->global->LDAP_GROUP_FIELD_FULLNAME] = $this->name;
 		//if ($this->name && ! empty($conf->global->LDAP_GROUP_FIELD_NAME)) $info[$conf->global->LDAP_GROUP_FIELD_NAME] = $this->name;
-		if ($this->note && ! empty($conf->global->LDAP_GROUP_FIELD_DESCRIPTION)) $info[$conf->global->LDAP_GROUP_FIELD_DESCRIPTION] = html_entity_decode(strip_tags($this->note));
+		if ($this->note && ! empty($conf->global->LDAP_GROUP_FIELD_DESCRIPTION)) $info[$conf->global->LDAP_GROUP_FIELD_DESCRIPTION] = dol_string_nohtmltag($this->note, 0, 'UTF-8', 1);
 		if (! empty($conf->global->LDAP_GROUP_FIELD_GROUPMEMBERS))
 		{
 			$valueofldapfield=array();