3 years ago · 3dff7e29cc
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -577,7 +577,6 @@ if (empty($reshook)) {
 
				 
			
 
				 		if (!$isupload) {
			
 
				 			$mesgs = array();
			
 
				-
			
 
				 			$object->sujet          = (string) GETPOST("sujet");
			
 
				 			$object->body           = (string) GETPOST("bodyemail", 'restricthtml');
			
 
				 			$object->bgcolor        = (string) GETPOST("bgcolor");
			
@@ -744,7 +743,7 @@ if ($action == 'create') {
 
				 	print '<div style="padding-top: 10px">';
			
 
				 	// wysiwyg editor
			
 
				 	require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
			
 
				-	$doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtml'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%');
			
 
				+	$doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtmlallowunvalid'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%');
			
 
				 	$doleditor->Create();
			
 
				 	print '</div>';
			
 
				 
			
--- a/htdocs/comm/mailing/class/mailing.class.php
+++ b/htdocs/comm/mailing/class/mailing.class.php
@@ -208,6 +208,12 @@ class Mailing extends CommonObject
 
				 	{
			
 
				 		global $conf, $langs;
			
 
				 
			
 
				+		// Check properties
			
 
				+		if ($this->body === 'InvalidHTMLString') {
			
 
				+			$this->error = 'InvalidHTMLString';
			
 
				+			return -1;
			
 
				+		}
			
 
				+
			
 
				 		$this->db->begin();
			
 
				 
			
 
				 		$this->title = trim($this->title);
			
@@ -257,6 +263,12 @@ class Mailing extends CommonObject
 
				 	 */
			
 
				 	public function update($user)
			
 
				 	{
			
 
				+		// Check properties
			
 
				+		if ($this->body === 'InvalidHTMLString') {
			
 
				+			$this->error = 'InvalidHTMLString';
			
 
				+			return -1;
			
 
				+		}
			
 
				+
			
 
				 		$sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
			
 
				 		$sql .= " SET titre = '".$this->db->escape($this->title)."'";
			
 
				 		$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
			
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -775,18 +775,21 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 
				 			}
			
 
				 			break;
			
 
				 		case 'restricthtml':		// Recommended for most html textarea
			
 
				+		case 'restricthtmlallowunvalid':
			
 
				 			do {
			
 
				 				$oldstringtoclean = $out;
			
 
				 
			
 
				-				if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)) {
			
 
				-					$dom = new DOMDocument;
			
 
				+				if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') {
			
 
				 					try {
			
 
				+						$dom = new DOMDocument;
			
 
				 						$dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
			
 
				 					} catch(Exception $e) {
			
 
				+						//print $e->getMessage();
			
 
				 						return 'InvalidHTMLString';
			
 
				 					}
			
 
				 					$out = $dom->saveHTML();
			
 
				 				}
			
 
				+				//var_dump($oldstringtoclean);var_dump($out);
			
 
				 
			
 
				 				// Ckeditor use the numeric entitic for apostrophe so we force it to text entity (all other special chars are correctly
			
 
				 				// encoded using text entities). This is a fix for CKeditor.
			
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -340,6 +340,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 
				 		$langs=$this->savlangs;
			
 
				 		$db=$this->savdb;
			
 
				 
			
 
				+		// Force default mode
			
 
				+		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
			
 
				+		$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;
			
 
				+
			
 
				 		$_COOKIE["id"]=111;
			
 
				 		$_GET["param1"]="222";
			
 
				 		$_POST["param1"]="333";