diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php index e0faf71594b..83a161e35d6 100644 --- a/htdocs/core/js/lib_head.js.php +++ b/htdocs/core/js/lib_head.js.php @@ -520,9 +520,9 @@ function hideMessage(fieldId,message) { * Used by button to set on/off. * Call url then make complementary action (like show/hide, enable/disable or set another option). * - * @param string url Url + * @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token) * @param string code Code - * @param string intput Input + * @param string intput Array of complementary actions to do if success * @param int entity Entity * @param int strict Strict * @param int forcereload Force reload @@ -575,7 +575,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke $.each(data, function(key, value) { $("#set_" + key).hide(); $("#del_" + key).show(); - $.post( $url, { + $.post( url, { action: "set", name: key, value: value, @@ -595,9 +595,9 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke * Used by button to set on/off * Call url then make complementary action (like show/hide, enable/disable or set another option). * - * @param string url Url + * @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token) * @param string code Code - * @param string intput Input + * @param string intput Array of complementary actions to do if success * @param int entity Entity * @param int strict Strict * @param int forcereload Force reload @@ -647,7 +647,7 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke $.each(data, function(key, value) { $("#del_" + value).hide(); $("#set_" + value).show(); - $.post( $url, { + $.post( url, { action: "del", name: value, entity: entity, diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 92c519c5a66..e2889c4d6d3 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -5833,6 +5833,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $allowed_tags_string = join("><", $allowed_tags); $allowed_tags_string = '<'.$allowed_tags_string.'>'; + $stringtoclean = str_replace('', '__!DOCTYPE_HTML__', $stringtoclean); // Replace DOCTYPE to avoid to have it removed by the strip_tags + $stringtoclean = dol_string_nounprintableascii($stringtoclean, 0); $stringtoclean = preg_replace('/:/i', ':', $stringtoclean); @@ -5855,6 +5857,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $temp = preg_replace('/javascript\s*:/i', '', $temp); } + $temp = str_replace('__!DOCTYPE_HTML__', '', $temp); // Restore the DOCTYPE + return $temp; } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 78fdb0b1419..bca1aace56a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -300,6 +300,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase $_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\''; $_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\''; $_POST["param11"]=' Name '; + $_POST["param12"]='aaa'; $result=GETPOST('id', 'int'); // Must return nothing print __METHOD__." result=".$result."\n"; @@ -397,6 +398,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt'); + $result=GETPOST("param12", 'restricthtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml'); + return $result; }