From b7e2c7d87a2a33fbe18cde005951931484ca121b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 23 Feb 2021 12:58:43 +0100 Subject: [PATCH] FIX #16393 Do not sanitize --- htdocs/core/lib/functions.lib.php | 4 ++++ test/phpunit/SecurityTest.php | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 92c519c5a668a..e2889c4d6d394 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -5833,6 +5833,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $allowed_tags_string = join("><", $allowed_tags); $allowed_tags_string = '<'.$allowed_tags_string.'>'; + $stringtoclean = str_replace('', '__!DOCTYPE_HTML__', $stringtoclean); // Replace DOCTYPE to avoid to have it removed by the strip_tags + $stringtoclean = dol_string_nounprintableascii($stringtoclean, 0); $stringtoclean = preg_replace('/:/i', ':', $stringtoclean); @@ -5855,6 +5857,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $temp = preg_replace('/javascript\s*:/i', '', $temp); } + $temp = str_replace('__!DOCTYPE_HTML__', '', $temp); // Restore the DOCTYPE + return $temp; } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 78fdb0b1419e1..bca1aace56a90 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -300,6 +300,7 @@ public function testGETPOST() $_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\''; $_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\''; $_POST["param11"]=' Name '; + $_POST["param12"]='aaa'; $result=GETPOST('id', 'int'); // Must return nothing print __METHOD__." result=".$result."\n"; @@ -397,6 +398,10 @@ public function testGETPOST() print __METHOD__." result=".$result."\n"; $this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt'); + $result=GETPOST("param12", 'restricthtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml'); + return $result; }