diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index a5555f6d7a3..c9a31cc4d8a 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7296,15 +7296,16 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
do {
$oldstringtoclean = $out;
+ libxml_use_internal_errors(false); // Avoid to fill memory with xml errors
+
if (!empty($out) && !empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') {
try {
$dom = new DOMDocument;
// Add a trick to solve pb with text without parent tag
- // like '
Foo
bar
' that wrongly ends up without the trick into 'Foo
bar
'
- // like 'abc' that wrongly ends up without the tric into with 'abc
'
+ // like 'Foo
bar
' that wrongly ends up, without the trick, with 'Foo
bar
'
+ // like 'abc' that wrongly ends up, without the trick, with 'abc
'
$out = ''.$out.'
';
-
- $dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
+ $dom->loadHTML($out, LIBXML_HTML_NODEFDTD|LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
$out = trim($dom->saveHTML());
// Remove the trick added to solve pb with text without parent tag
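Review bot: The added `libxml_use_internal_errors(false)` runs on every pass of the `do` loop, overwrites process-global libxml state and never restores the caller's previous setting, so code that had enabled error collection before calling `dol_htmlwithnojs` silently loses it afterwards. Disabling collection also sends parse errors through PHP's warning channel instead of an inspectable buffer, which is exactly why the outcome on malformed input (rejected as invalid vs. quietly cleaned) now depends on the PHP/libxml version and on whatever error handler is active; for a `MAIN_RESTRICTHTML_ONLY_VALID_HTML` gate that decision should be deterministic, so keep collection on, read `libxml_get_errors()` after `loadHTML`, clear the buffer each iteration (which addresses the memory concern the new comment names) and restore the previous setting. The `catch` that presumably turns a failure into the rejected result is outside this hunk, so the throw below assumes it catches `Exception`; if warnings prove too noisy, filter `$libxmlErrors` on `$e->level >= LIBXML_ERR_ERROR`. Note also that `LIBXML_ERR_NONE` is an error-level constant (value 0), not a parser option, so it contributes nothing to the `loadHTML` flags and can be dropped. The enclosing function starts before this hunk.
```php
// … unchanged: wrapping trick applied to $out …
$previousUseInternalErrors = libxml_use_internal_errors(true); // collect, do not print
$dom->loadHTML($out, LIBXML_HTML_NODEFDTD|LIBXML_HTML_NOIMPLIED|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
$libxmlErrors = libxml_get_errors();
libxml_clear_errors();                                   // release the buffer on every iteration
libxml_use_internal_errors($previousUseInternalErrors);  // restore the caller's setting
if (!empty($libxmlErrors)) {
	throw new Exception('Invalid HTML'); // handled by the existing catch below this hunk
}
$out = trim($dom->saveHTML());
```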
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 4a0b65333ff..1138e06d3b2 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -390,6 +390,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param13b"]='n n > < " XSS';
$_POST["param14"]="Text with ' encoded with the numeric html entity converted into text entity ' (like when submited by CKEditor)";
$_POST["param15"]="
src=>0xbeefed";
+ //$_POST["param15b"]="Example HTML- Item 1
- Item 2
";
$_POST["param16"]='abc';
$_POST["param17"]='abc';
$_POST["param18"]='abc';
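Review bot: The new `$_POST["param15b"]` line is commented out, so it adds no coverage and leaves a stale fixture that no assertion consumes. Either wire it to a `GETPOST('param15b', 'restricthtml')` call with an expected value, or drop it rather than leaving commented-out input in a security test. The enclosing test method starts before this hunk.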
@@ -559,8 +560,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=GETPOST("param15", 'restricthtml'); // param15 =
src=>0xbeefed that is a dangerous string
print __METHOD__." result=".$result."\n";
- $this->assertEquals('InvalidHTMLString', $result, 'Test 15b');
- //$this->assertEquals('
src=>0xbeefed', $result, 'Test 15b');
+ $this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); // With some PHP and libxml version, we got this when parsong invalid HTML
+ //$this->assertEquals('
src=>0xbeefed', $result, 'Test 15b'); // On other we got a HTML that has been cleaned
unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML);
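Review bot: The updated comment on the `assertEquals('InvalidHTMLString', $result, 'Test 15b')` line admits that other PHP/libxml combinations return cleaned HTML instead, yet the assertion still pins only the rejection outcome, so on those environments the suite fails without telling us whether the payload was actually neutralised. Make the test deterministic in what matters: accept either outcome but assert in both cases that the dangerous element from param15 is gone, e.g. `$this->assertContains($result, array('InvalidHTMLString', $expectedCleaned), 'Test 15b');` with `$expectedCleaned` taken from the commented-out assertion on the next line. The comment also has a typo: `parsong` should be `parsing`. The enclosing test method starts before this hunk.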
@@ -779,12 +780,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
$tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow
print __METHOD__." url=".$url."\n";
- $this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 without following -> 301');
+ $this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 without a follow -> 301');
$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
$tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200
print __METHOD__." url=".$url."\n";
- $this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with following -> 200 but we get '.$tmp['http_code']);
+ $this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with a follow -> 200 but we get '.$tmp['http_code']);
$url = 'http://localhost';
$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL