FIX Injection

This commit is contained in:
Laurent Destailleur 2018-07-09 14:13:01 +02:00
parent 2a676b414a
commit e427496ddf
2 changed files with 51 additions and 2 deletions


@ -190,7 +190,12 @@ class Form
$morealt=' style="width: '.$cols.'"';
$cols='';
}
$ret.='<textarea id="'.$htmlname.'" name="'.$htmlname.'" wrap="soft" rows="'.($tmp[1]?$tmp[1]:'20').'"'.($cols?' cols="'.$cols.'"':'class="quatrevingtpercent"').$morealt.'">'.($editvalue?$editvalue:$value).'</textarea>';
$valuetoshow = ($editvalue?$editvalue:$value);
$ret.='<textarea id="'.$htmlname.'" name="'.$htmlname.'" wrap="soft" rows="'.($tmp[1]?$tmp[1]:'20').'"'.($cols?' cols="'.$cols.'"':'class="quatrevingtpercent"').$morealt.'">';
$ret.=dol_string_neverthesehtmltags($valuetoshow, array('textarea'));
$ret.='</textarea>';
}
else if ($typeofdata == 'day' || $typeofdata == 'datepicker')
{
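Review bot: The textarea body written at L18 still depends on a tag blacklist, but a textarea's content is RCDATA, so the robust defense is to entity-encode the value rather than strip `</textarea>`: `$ret.=htmlspecialchars($valuetoshow, ENT_QUOTES, 'UTF-8', false);` (double_encode=false keeps entities already present in the stored value decoding exactly as the browser did before). The helper it calls, dol_string_neverthesehtmltags in the second file's last hunk, builds its two patterns without the `i` modifier, so a closing tag written in another letter case is not removed although the HTML tokenizer matches tag names case-insensitively, and it interpolates `$tagtoremove` into the pattern without `preg_quote()`; if the blacklist is kept, one pattern `'/<\/?'.preg_quote($tagtoremove, '/').'(\s+[^>]*)?>/i'` closes both gaps. The `$htmlname` pieces concatenated into the id/name attributes at L17 are also unescaped, though they appear to originate from code rather than request data. The enclosing Form method starts before this hunk.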


@ -5014,7 +5014,7 @@ function picto_required()
* @param string $pagecodeto Encoding of input/output string
* @return string String cleaned
*
* @see dol_escape_htmltag strip_tags
* @see dol_escape_htmltag strip_tags dol_string_onlythesehtmltags dol_string_neverthesehtmltags
*/
function dol_string_nohtmltag($stringtoclean,$removelinefeed=1,$pagecodeto='UTF-8')
{
@ -5041,6 +5041,50 @@ function dol_string_nohtmltag($stringtoclean,$removelinefeed=1,$pagecodeto='UTF-
return trim($temp);
}
/**
* Clean a string to keep only desirable HTML tags.
*
* @param string $stringtoclean String to clean
* @return string String cleaned
*
* @see dol_escape_htmltag strip_tags dol_string_nohtmltag dol_string_neverthesehtmltags
*/
function dol_string_onlythesehtmltags($stringtoclean)
{
$allowed_tags = array(
"html", "head", "meta", "body", "b", "br", "div", "em", "font", "img", "hr", "i", "li", "link",
"ol", "p", "s", "section", "span", "strong", "title",
"table", "tr", "th", "td", "u", "ul"
);
$allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = preg_replace('/^>/','',$allowed_tags_string);
$allowed_tags_string = preg_replace('/<$/','',$allowed_tags_string);
$temp = strip_tags($stringtoclean, $allowed_tags_string);
return $temp;
}
/**
* Clean a string from some undesirable HTML tags.
*
* @param string $stringtoclean String to clean
* @return string String cleaned
*
* @see dol_escape_htmltag strip_tags dol_string_nohtmltag dol_string_onlythesehtmltags
*/
function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags=array('textarea'))
{
$temp = $stringtoclean;
foreach($disallowed_tags as $tagtoremove)
{
$temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
$temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
}
return $temp;
}
/**
* Return first line of text. Cut will depends if content is HTML or not.