lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '13.0' of git@github.com:Dolibarr/dolibarr.git into

Browse Source 
fix_avoid_missing_url_and_token

Conflicts:
	htdocs/core/js/lib_head.js.php
This commit is contained in:
Regis Houssin 2021-02-23 16:55:32 +01:00
commit ec5d9983e0
3 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
htdocs/core/js/lib_head.js.php
View File

@ -520,9 +520,9 @@ function hideMessage(fieldId,message) {
* Used by button to set on/off. * Used by button to set on/off.
* Call url then make complementary action (like show/hide, enable/disable or set another option). * Call url then make complementary action (like show/hide, enable/disable or set another option).
* *
* @param string url Url * @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token)
* @param string code Code * @param string code Code
* @param string intput Input * @param string intput Array of complementary actions to do if success
* @param int entity Entity * @param int entity Entity
* @param int strict Strict * @param int strict Strict
* @param int forcereload Force reload * @param int forcereload Force reload
@ -575,7 +575,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
$.each(data, function(key, value) { $.each(data, function(key, value) {
$("#set_" + key).hide(); $("#set_" + key).hide();
$("#del_" + key).show(); $("#del_" + key).show();
$.post( $url, { $.post( url, {
action: "set", action: "set",
name: key, name: key,
value: value, value: value,
@ -595,9 +595,9 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
* Used by button to set on/off * Used by button to set on/off
* Call url then make complementary action (like show/hide, enable/disable or set another option). * Call url then make complementary action (like show/hide, enable/disable or set another option).
* *
* @param string url Url * @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token)
* @param string code Code * @param string code Code
* @param string intput Input * @param string intput Array of complementary actions to do if success
* @param int entity Entity * @param int entity Entity
* @param int strict Strict * @param int strict Strict
* @param int forcereload Force reload * @param int forcereload Force reload
@ -647,7 +647,7 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke
$.each(data, function(key, value) { $.each(data, function(key, value) {
$("#del_" + value).hide(); $("#del_" + value).hide();
$("#set_" + value).show(); $("#set_" + value).show();
$.post( $url, { $.post( url, {
action: "del", action: "del",
name: value, name: value,
entity: entity, entity: entity,

4
htdocs/core/lib/functions.lib.php
View File

@ -5833,6 +5833,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
$allowed_tags_string = join("><", $allowed_tags); $allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = '<'.$allowed_tags_string.'>'; $allowed_tags_string = '<'.$allowed_tags_string.'>';
$stringtoclean = str_replace('<!DOCTYPE html>', '__!DOCTYPE_HTML__', $stringtoclean); // Replace DOCTYPE to avoid to have it removed by the strip_tags
$stringtoclean = dol_string_nounprintableascii($stringtoclean, 0); $stringtoclean = dol_string_nounprintableascii($stringtoclean, 0);
$stringtoclean = preg_replace('/&colon;/i', ':', $stringtoclean); $stringtoclean = preg_replace('/&colon;/i', ':', $stringtoclean);
@ -5855,6 +5857,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
$temp = preg_replace('/javascript\s*:/i', '', $temp); $temp = preg_replace('/javascript\s*:/i', '', $temp);
} }
$temp = str_replace('__!DOCTYPE_HTML__', '<!DOCTYPE html>', $temp); // Restore the DOCTYPE
return $temp; return $temp;
} }

5
test/phpunit/SecurityTest.php
View File

@ -300,6 +300,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\''; $_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\''; $_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
$_POST["param11"]=' Name <email@email.com> '; $_POST["param11"]=' Name <email@email.com> ';
$_POST["param12"]='<!DOCTYPE html><html>aaa</html>';
$result=GETPOST('id', 'int'); // Must return nothing $result=GETPOST('id', 'int'); // Must return nothing
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
@ -397,6 +398,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt'); $this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
$result=GETPOST("param12", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
return $result; return $result;
} }