
Fix #yogosha6567

Laurent Destailleur 3 years ago
parent
commit
3dff7e29cc

+ 1 - 2
htdocs/comm/mailing/card.php

@@ -577,7 +577,6 @@ if (empty($reshook)) {
 
 		if (!$isupload) {
 			$mesgs = array();
-
 			$object->sujet          = (string) GETPOST("sujet");
 			$object->body           = (string) GETPOST("bodyemail", 'restricthtml');
 			$object->bgcolor        = (string) GETPOST("bgcolor");
@@ -744,7 +743,7 @@ if ($action == 'create') {
 	print '<div style="padding-top: 10px">';
 	// wysiwyg editor
 	require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
-	$doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtml'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%');
+	$doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtmlallowunvalid'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%');
 	$doleditor->Create();
 	print '</div>';
 
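Review bot: The editor reload at line 26 now reflects the submitted body back into the page through `restricthtmlallowunvalid`, so its safety rests on the rest of the `restricthtml` loop (the tag/attribute filtering that follows the skipped DOM step, outside this hunk) still running for that mode; that deserves a comment next to the call, e.g. `// Redisplay the rejected input so the user can fix it: tags are still filtered, only the DOM well-formedness check is skipped`. The save path at line 19 keeps `restricthtml`, so a body that fails validation becomes the sentinel string and reaches Mailing::create()/update(), which this commit makes reject it; a short comment on line 19 pointing at that sentinel would make the pairing visible to the next reader. Both hunks sit inside larger blocks (`if (empty($reshook))` and `if ($action == 'create')`) that start and end outside the view.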

+ 12 - 0
htdocs/comm/mailing/class/mailing.class.php

@@ -208,6 +208,12 @@ class Mailing extends CommonObject
 	{
 		global $conf, $langs;
 
+		// Check properties
+		if ($this->body === 'InvalidHTMLString') {
+			$this->error = 'InvalidHTMLString';
+			return -1;
+		}
+
 		$this->db->begin();
 
 		$this->title = trim($this->title);
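Review bot: The rejection in create() compares `$this->body` with the literal `'InvalidHTMLString'`, a sentinel that checkVal() in functions.lib.php returns and that this commit now spells out in three places; one named constant defined next to checkVal (e.g. `define('DOL_INVALID_HTML_STRING', 'InvalidHTMLString');`, compared here as `$this->body === DOL_INVALID_HTML_STRING`) would keep the coupling from drifting. The check is an in-band signal, so it only fires when the caller filled body through GETPOST(..., 'restricthtml') and a body that legitimately equals that string is refused too; a comment above it such as `// checkVal('restricthtml') returns this sentinel when MAIN_RESTRICTHTML_ONLY_VALID_HTML rejects the markup` would explain both. Setting `$this->error` to the bare token rather than a translated message presumably leaves the mapping to the caller; confirm the card page actually reports it. The create() method starts before the hunk.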
@@ -257,6 +263,12 @@ class Mailing extends CommonObject
 	 */
 	public function update($user)
 	{
+		// Check properties
+		if ($this->body === 'InvalidHTMLString') {
+			$this->error = 'InvalidHTMLString';
+			return -1;
+		}
+
 		$sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
 		$sql .= " SET titre = '".$this->db->escape($this->title)."'";
 		$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";

+ 5 - 2
htdocs/core/lib/functions.lib.php

@@ -775,18 +775,21 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 			}
 			break;
 		case 'restricthtml':		// Recommended for most html textarea
+		case 'restricthtmlallowunvalid':
 			do {
 				$oldstringtoclean = $out;
 
-				if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)) {
-					$dom = new DOMDocument;
+				if (!empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) && $check != 'restricthtmlallowunvalid') {
 					try {
+						$dom = new DOMDocument;
 						$dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
 					} catch(Exception $e) {
+						//print $e->getMessage();
 						return 'InvalidHTMLString';
 					}
 					$out = $dom->saveHTML();
 				}
+				//var_dump($oldstringtoclean);var_dump($out);
 
 				// Ckeditor use the numeric entitic for apostrophe so we force it to text entity (all other special chars are correctly
 				// encoded using text entities). This is a fix for CKeditor.
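Review bot: The `catch (Exception $e)` at line 78 only yields the sentinel if something turns `loadHTML()` failures into exceptions: DOMDocument::loadHTML() reports malformed markup through a warning (muted here by LIBXML_NOWARNING) and a `false` return rather than by throwing, and an empty `$out` raises a ValueError on PHP 8, which is an Error and slips past this catch. Unless an error handler that converts warnings is installed elsewhere (not visible here), invalid input may reach `$dom->saveHTML()` and be returned repaired instead of rejected; checking the return value and widening the catch covers both paths: `if ($dom->loadHTML($out, ...) === false) { return 'InvalidHTMLString'; }` together with `catch (Throwable $e)`. The new `restricthtmlallowunvalid` case carries no explanatory comment like its sibling; `// Like restricthtml but skips the DOM well-formedness check, used to redisplay rejected input` would do. The `//print` and `//var_dump` debugging leftovers at lines 79 and 84 should be dropped. checkVal() starts and ends outside the hunk.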

+ 4 - 0
test/phpunit/SecurityTest.php

@@ -340,6 +340,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$langs=$this->savlangs;
 		$db=$this->savdb;
 
+		// Force default mode
+		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
+		$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;
+
 		$_COOKIE["id"]=111;
 		$_GET["param1"]="222";
 		$_POST["param1"]="333";
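Review bot: Forcing `MAIN_RESTRICTHTML_ONLY_VALID_HTML` to 0 at line 97 means this test never exercises the code the commit adds — the DOM check in checkVal() and the new `restricthtmlallowunvalid` mode are both inert while the option is off. A companion case with the option set to 1 that asserts `checkVal($bad, 'restricthtml')` returns `'InvalidHTMLString'` while `checkVal($bad, 'restricthtmlallowunvalid')` does not, for some `$bad` the DOM parser actually rejects, would pin the fix. The `// Force default mode` comment could state the reason, e.g. `// Force default mode so the expectations below do not depend on the DOM validation option`. The enclosing test method starts before the hunk.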