This commit is contained in:
Laurent Destailleur 2020-01-18 19:53:48 +01:00
parent df26bab65b
commit d9f7c4aec4
3 changed files with 16 additions and 9 deletions


@ -33,7 +33,7 @@ if ($action == 'setnote_public' && ! empty($permissionnote) && ! GETPOST('cancel
if (empty($action) || ! is_object($object) || empty($id)) dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
if (empty($object->id)) $object->fetch($id); // Fetch may not be already done
$result_update=$object->update_note(dol_html_entity_decode(GETPOST('note_public', 'none'), ENT_QUOTES), '_public');
$result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'none'), ENT_QUOTES, 'UTF-8', 1), '_public');
if ($result_update < 0) setEventMessages($object->error, $object->errors, 'errors');
elseif (in_array($object->table_element, array('supplier_proposal', 'propal', 'commande_fournisseur', 'commande', 'facture_fourn', 'facture')))
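Review bot: The bare `1` added as the fourth argument to dol_html_entity_decode in the `$result_update` assignment is an unexplained positional flag at the call site, so a reader cannot tell from this line why entities are now preserved. Suggest a comment on the line above it: `// Keep &amp;, &lt;, &gt; encoded: the textarea returns what the user typed, so decoding them would turn literal '&lt;' text into markup`. GETPOST(..., 'none') looks like the unfiltered read mode (inferred from the name), so the stored note is protected only by what update_note and the rendering path do with it, both outside this hunk. The enclosing `if ($action == 'setnote_public' ...)` block starts before the hunk.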


@ -213,7 +213,7 @@ class Form
$valuetoshow = price2num($editvalue ? $editvalue : $value);
$ret .= '<input type="text" id="'.$htmlname.'" name="'.$htmlname.'" value="'.($valuetoshow != '' ?price($valuetoshow) : '').'"'.($tmp[1] ? ' size="'.$tmp[1].'"' : '').'>';
}
elseif (preg_match('/^text/', $typeofdata) || preg_match('/^note/', $typeofdata))
elseif (preg_match('/^text/', $typeofdata) || preg_match('/^note/', $typeofdata)) // if wysiwyg is enabled $typeofdata = 'ckeditor'
{
$tmp = explode(':', $typeofdata);
$cols = $tmp[2];
@ -225,8 +225,10 @@ class Form
}
$valuetoshow = ($editvalue ? $editvalue : $value);
$ret .= '<textarea id="'.$htmlname.'" name="'.$htmlname.'" wrap="soft" rows="'.($tmp[1] ? $tmp[1] : '20').'"'.($cols ? ' cols="'.$cols.'"' : 'class="quatrevingtpercent"').$morealt.'">';
// textarea convert automatically entities chars into simple chars.
// So we convert & into &amp; so a string like 'a &lt; <b>b</b><br>é<br>&lt;script&gt;alert('X');&lt;script&gt;' stay a correct html and is not converted by textarea component when wysiwig is off.
$valuetoshow = str_replace('&', '&amp;', $valuetoshow);
$ret .= dol_string_neverthesehtmltags($valuetoshow, array('textarea'));
$ret .= '</textarea>';
}
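Review bot: The new `str_replace('&', '&amp;', $valuetoshow)` before the textarea body escapes only `&`, so a value containing a literal `</textarea>` still closes the element unless dol_string_neverthesehtmltags is guaranteed to strip it, and that function is outside the hunk so I cannot confirm it. Using `htmlspecialchars($valuetoshow, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` instead gives the same `&` round-trip (double_encode stays true) while also neutralising a closing tag, since the browser decodes `&lt;` back to `<` inside textarea content. The explanatory comment has `wysiwig` for `wysiwyg` and `stay` for `stays`. The enclosing method of class Form starts and ends outside the hunk.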


@ -5701,14 +5701,19 @@ function dol_htmlcleanlastbr($stringtodecode)
/**
* Replace html_entity_decode functions to manage errors
*
* @param string $a Operand a
* @param string $b Operand b (ENT_QUOTES=convert simple and double quotes)
* @param string $c Operand c
* @return string String decoded
* @param string $a Operand a
* @param string $b Operand b (ENT_QUOTES=convert simple and double quotes)
* @param string $c Operand c
* @param string $keepsomeentities Entities but &amp;, <, >, " are not converted.
* @return string String decoded
*/
function dol_html_entity_decode($a, $b, $c = 'UTF-8')
function dol_html_entity_decode($a, $b, $c = 'UTF-8', $keepsomeentities = 0)
{
return html_entity_decode($a, $b, $c);
$newstring = $a;
if ($keepsomeentities) $newstring = strtr($newstring, array('&amp;'=>'__andamp__', '&lt;'=>'__andlt__', '&gt;'=>'__andgt__', '"'=>'__dquot__'));
$newstring = html_entity_decode($newstring, $b, $c);
if ($keepsomeentities) $newstring = strtr($newstring, array('__andamp__'=>'&amp;', '__andlt__'=>'&lt;', '__andgt__'=>'&gt;', '__dquot__'=>'"'));
return $newstring;
}
/**
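Review bot: The `'"'=>'__dquot__'` entry in the new strtr maps on the `if ($keepsomeentities) $newstring = strtr(...)` lines protects a literal double-quote character, which html_entity_decode never touches, while the `&quot;` entity is still decoded whenever `$b` includes ENT_QUOTES, so the docblock's claim that `"` is not converted does not match the code. If the intent is to keep quotes encoded, change the two entries to `'&quot;'=>'__andquot__'` and `'__andquot__'=>'&quot;'`. The guard is also partial: numeric forms such as `&#60;` or `&#x3C;` are still decoded to `<`, and an input that already contains a placeholder such as `__andamp__` is rewritten to `&amp;` on the way back, which callers relying on markup staying encoded should know. The `@param string $keepsomeentities` tag should be `int` (its default is `0`), and `$b` is the html_entity_decode flags integer rather than a string.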