
Fix #huntrd875d1a2-7205-4b2b-93cf-439fa4c4f961

Laurent Destailleur %!s(int64=2) %!d(string=hai) anos
pai
achega
4ebb39febe

+ 6 - 2
htdocs/admin/external_rss.php

@@ -296,9 +296,13 @@ if ($resql) {
 			$imageurl = $rssparser->getImageUrl();
 			$linkrss = $rssparser->getLink();
 			if (!preg_match('/^http/', $imageurl)) {
-				$imageurl = $linkrss.$imageurl;
+				include_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php';
+				if (image_format_supported($imageurl) >= 0) {
+					// If we are sure imageurl is a path to an image file, and if it does not start with http, we append root url to it.
+					$imageurl = $linkrss.$imageurl;
+				}
 			}
-			if ($imageurl) {
+			if ($imageurl && preg_match('/^http', $imageurl)) {
 				print '<img height="32" src="'.$imageurl.'">';
 			} else {
 				print $langs->trans("None");
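Review bot: The pattern on the new `if ($imageurl && preg_match('/^http', $imageurl))` line has no closing delimiter, so preg_match() emits a warning and returns false for every input; the `<img>` branch becomes unreachable and the page always prints "None". Suggested: `if ($imageurl && preg_match('/^https?:\/\//i', $imageurl)) {`, which also fixes the loose prefix test (plain `^http` accepts any string that merely starts with those four letters). The URL is then written unescaped into an attribute; `print '<img height="32" src="'.dol_escape_htmltag($imageurl).'">';` closes off quote injection from a feed-controlled value even after the scheme check. The enclosing `if ($resql)` block starts before the hunk.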

+ 7 - 4
htdocs/core/boxes/box_external_rss.php

@@ -134,6 +134,9 @@ class box_external_rss extends ModeleBoxes
 				if (!$date && isset($item['pubdate'])) {
 					$date = $item['pubdate'];
 				}
+				if (!$date && isset($item['pubDate'])) {
+					$date = $item['pubDate'];
+				}
 				if (!$date && isset($item['dc']['date'])) {
 					$date = $item['dc']['date'];
 				}
@@ -183,22 +186,22 @@ class box_external_rss extends ModeleBoxes
 				'td' => 'class="left" width="16"',
 				'text' => img_picto('', 'rss'),
 				'url' => $href,
-				'tooltip' => $tooltip,
+				'tooltip' => dol_escape_htmltag($tooltip),
 				'target' => 'newrss',
 			);
 
 			$this->info_box_contents[$line][1] = array(
 				'td' => 'class="tdoverflowmax300"',
-				'text' => $title,
+				'text' => dol_escape_htmltag($title),
 				'url' => $href,
-				'tooltip' => $tooltip,
+				'tooltip' => dol_escape_htmltag($tooltip),
 				'maxlength' => 0,
 				'target' => 'newrss',
 			);
 
 			$this->info_box_contents[$line][2] = array(
 				'td' => 'class="right nowrap"',
-				'text' => $date,
+				'text' => dol_escape_htmltag($date),
 			);
 		}
 	}
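Review bot: The new `dol_escape_htmltag()` calls cover `text` and `tooltip` but leave `'url' => $href` unescaped in all three cells of the second hunk, and $href presumably derives from the same feed-supplied item link as $title. Whether that is safe depends on the box renderer, which I cannot see: if it prints `url` straight into an href attribute, a feed can break out of the attribute or supply a non-http scheme, so either escape it here too (`'url' => dol_escape_htmltag($href),`) or validate the scheme where $href is assembled. It is also worth confirming that the renderer does not escape `text`/`tooltip` a second time, otherwise titles containing `&` or quotes will display double-encoded. The enclosing method starts outside the hunk.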

+ 48 - 48
htdocs/core/class/rssparser.class.php

@@ -319,54 +319,54 @@ class RssParser
 				//var_dump($rss);
 				if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) {
 					if (!empty($rss->channel->language)) {
-						$this->_language = (string) $rss->channel->language;
+						$this->_language = sanitizeVal((string) $rss->channel->language);
 					}
 					if (!empty($rss->channel->generator)) {
-						$this->_generator = (string) $rss->channel->generator;
+						$this->_generator = sanitizeVal((string) $rss->channel->generator);
 					}
 					if (!empty($rss->channel->copyright)) {
-						$this->_copyright = (string) $rss->channel->copyright;
+						$this->_copyright = sanitizeVal((string) $rss->channel->copyright);
 					}
 					if (!empty($rss->channel->lastbuilddate)) {
-						$this->_lastbuilddate = (string) $rss->channel->lastbuilddate;
+						$this->_lastbuilddate = sanitizeVal((string) $rss->channel->lastbuilddate);
 					}
 					if (!empty($rss->channel->image->url[0])) {
-						$this->_imageurl = (string) $rss->channel->image->url[0];
+						$this->_imageurl = sanitizeVal((string) $rss->channel->image->url[0]);
 					}
 					if (!empty($rss->channel->link)) {
-						$this->_link = (string) $rss->channel->link;
+						$this->_link = sanitizeVal((string) $rss->channel->link);
 					}
 					if (!empty($rss->channel->title)) {
-						$this->_title = (string) $rss->channel->title;
+						$this->_title = sanitizeVal((string) $rss->channel->title);
 					}
 					if (!empty($rss->channel->description)) {
-						$this->_description = (string) $rss->channel->description;
+						$this->_description = sanitizeVal((string) $rss->channel->description);
 					}
 				} else {
 					//var_dump($rss->channel);
 					if (!empty($rss->channel['language'])) {
-						$this->_language = (string) $rss->channel['language'];
+						$this->_language = sanitizeVal((string) $rss->channel['language']);
 					}
 					if (!empty($rss->channel['generator'])) {
-						$this->_generator = (string) $rss->channel['generator'];
+						$this->_generator = sanitizeVal((string) $rss->channel['generator']);
 					}
 					if (!empty($rss->channel['copyright'])) {
-						$this->_copyright = (string) $rss->channel['copyright'];
+						$this->_copyright = sanitizeVal((string) $rss->channel['copyright']);
 					}
 					if (!empty($rss->channel['lastbuilddate'])) {
-						$this->_lastbuilddate = (string) $rss->channel['lastbuilddate'];
+						$this->_lastbuilddate = sanitizeVal((string) $rss->channel['lastbuilddate']);
 					}
 					if (!empty($rss->image['url'])) {
-						$this->_imageurl = (string) $rss->image['url'];
+						$this->_imageurl = sanitizeVal((string) $rss->image['url']);
 					}
 					if (!empty($rss->channel['link'])) {
-						$this->_link = (string) $rss->channel['link'];
+						$this->_link = sanitizeVal((string) $rss->channel['link']);
 					}
 					if (!empty($rss->channel['title'])) {
-						$this->_title = (string) $rss->channel['title'];
+						$this->_title = sanitizeVal((string) $rss->channel['title']);
 					}
 					if (!empty($rss->channel['description'])) {
-						$this->_description = (string) $rss->channel['description'];
+						$this->_description = sanitizeVal((string) $rss->channel['description']);
 					}
 				}
 
@@ -380,40 +380,40 @@ class RssParser
 				//var_dump($rss);
 				if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) {
 					if (!empty($rss->generator)) {
-						$this->_generator = (string) $rss->generator;
+						$this->_generator = sanitizeVal((string) $rss->generator);
 					}
 					if (!empty($rss->lastbuilddate)) {
-						$this->_lastbuilddate = (string) $rss->modified;
+						$this->_lastbuilddate = sanitizeVal((string) $rss->modified);
 					}
 					if (!empty($rss->link->href)) {
-						$this->_link = (string) $rss->link->href;
+						$this->_link = sanitizeVal((string) $rss->link->href);
 					}
 					if (!empty($rss->title)) {
-						$this->_title = (string) $rss->title;
+						$this->_title = sanitizeVal((string) $rss->title);
 					}
 					if (!empty($rss->description)) {
-						$this->_description = (string) $rss->description;
+						$this->_description = sanitizeVal((string) $rss->description);
 					}
 				} else {
 					//if (!empty($rss->channel['rss_language']))	$this->_language = (string) $rss->channel['rss_language'];
 					if (!empty($rss->channel['generator'])) {
-						$this->_generator = (string) $rss->channel['generator'];
+						$this->_generator = sanitizeVal((string) $rss->channel['generator']);
 					}
 					//if (!empty($rss->channel['rss_copyright']))	$this->_copyright = (string) $rss->channel['rss_copyright'];
 					if (!empty($rss->channel['modified'])) {
-						$this->_lastbuilddate = (string) $rss->channel['modified'];
+						$this->_lastbuilddate = sanitizeVal((string) $rss->channel['modified']);
 					}
 					//if (!empty($rss->image['rss_url']))			$this->_imageurl = (string) $rss->image['rss_url'];
 					if (!empty($rss->channel['link'])) {
-						$this->_link = (string) $rss->channel['link'];
+						$this->_link = sanitizeVal((string) $rss->channel['link']);
 					}
 					if (!empty($rss->channel['title'])) {
-						$this->_title = (string) $rss->channel['title'];
+						$this->_title = sanitizeVal((string) $rss->channel['title']);
 					}
 					//if (!empty($rss->channel['rss_description']))	$this->_description = (string) $rss->channel['rss_description'];
 
 					if (!empty($rss->channel)) {
-						$this->_imageurl = $this->getAtomImageUrl($rss->channel);
+						$this->_imageurl = sanitizeVal($this->getAtomImageUrl($rss->channel));
 					}
 				}
 				if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) {
@@ -434,19 +434,19 @@ class RssParser
 					//var_dump($item);exit;
 					if ($rss->_format == 'rss') {
 						if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) {
-							$itemLink = (string) $item->link;
-							$itemTitle = (string) $item->title;
-							$itemDescription = (string) $item->description;
-							$itemPubDate = (string) $item->pubDate;
+							$itemLink = sanitizeVal((string) $item->link);
+							$itemTitle = sanitizeVal((string) $item->title);
+							$itemDescription = sanitizeVal((string) $item->description);
+							$itemPubDate = sanitizeVal((string) $item->pubDate);
 							$itemId = '';
 							$itemAuthor = '';
 						} else {
-							$itemLink = (string) $item['link'];
-							$itemTitle = (string) $item['title'];
-							$itemDescription = (string) $item['description'];
-							$itemPubDate = (string) $item['pubdate'];
-							$itemId = (string) $item['guid'];
-							$itemAuthor = (string) $item['author'];
+							$itemLink = sanitizeVal((string) $item['link']);
+							$itemTitle = sanitizeVal((string) $item['title']);
+							$itemDescription = sanitizeVal((string) $item['description']);
+							$itemPubDate = sanitizeVal((string) $item['pubdate']);
+							$itemId = sanitizeVal((string) $item['guid']);
+							$itemAuthor = sanitizeVal((string) $item['author']);
 						}
 
 						// Loop on each category
@@ -458,19 +458,19 @@ class RssParser
 						}
 					} elseif ($rss->_format == 'atom') {
 						if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) {
-							$itemLink = (isset($item['link']) ? (string) $item['link'] : '');
-							$itemTitle = (string) $item['title'];
-							$itemDescription = $this->getAtomItemDescription($item);
-							$itemPubDate = (string) $item['created'];
-							$itemId = (string) $item['id'];
-							$itemAuthor = (string) ($item['author'] ? $item['author'] : $item['author_name']);
+							$itemLink = (isset($item['link']) ? sanitizeVal((string) $item['link']) : '');
+							$itemTitle = sanitizeVal((string) $item['title']);
+							$itemDescription = sanitizeVal($this->getAtomItemDescription($item));
+							$itemPubDate = sanitizeVal((string) $item['created']);
+							$itemId = sanitizeVal((string) $item['id']);
+							$itemAuthor = sanitizeVal((string) ($item['author'] ? $item['author'] : $item['author_name']));
 						} else {
-							$itemLink = (isset($item['link']) ? (string) $item['link'] : '');
-							$itemTitle = (string) $item['title'];
-							$itemDescription = $this->getAtomItemDescription($item);
-							$itemPubDate = (string) $item['created'];
-							$itemId = (string) $item['id'];
-							$itemAuthor = (string) ($item['author'] ? $item['author'] : $item['author_name']);
+							$itemLink = (isset($item['link']) ? sanitizeVal((string) $item['link']) : '');
+							$itemTitle = sanitizeVal((string) $item['title']);
+							$itemDescription = sanitizeVal($this->getAtomItemDescription($item));
+							$itemPubDate = sanitizeVal((string) $item['created']);
+							$itemId = sanitizeVal((string) $item['id']);
+							$itemAuthor = sanitizeVal((string) ($item['author'] ? $item['author'] : $item['author_name']));
 						}
 						$itemCategory = array();
 					} else {
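Review bot: `sanitizeVal()` is applied with its default check uniformly to text fields and to URL fields (`$this->_link`, `$this->_imageurl`, `$itemLink`), but a text filter is not URL validation: it neither enforces an http(s) scheme nor makes the value safe inside an href/src attribute, so the consumers in external_rss.php and box_external_rss.php still have to check the scheme and escape at output. Conversely, if the default check strips markup, `$itemDescription` loses any HTML the feed legitimately carries; if descriptions are rendered as HTML, pass an explicit check-type argument instead of relying on the default (I cannot see which check the default applies). Now visible on a new line in the second hunk, `if (!empty($rss->lastbuilddate))` guards a read of `$rss->modified`, so the Atom build date is only copied when an unrelated field is set; the guard should probably test `$rss->modified`. The parse method starts before the first hunk and continues after the last.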

+ 14 - 16
htdocs/core/lib/xcal.lib.php

@@ -307,7 +307,7 @@ function build_calfile($format, $title, $desc, $events_array, $outputfile)
  */
 function build_rssfile($format, $title, $desc, $events_array, $outputfile, $filter = '', $url = '', $langcode = '')
 {
-	global $user, $conf, $langs;
+	global $user, $conf, $langs, $mysoc;
 	global $dolibarr_main_url_root;
 
 	dol_syslog("xcal.lib.php::build_rssfile Build rss file ".$outputfile." to format ".$format);
@@ -320,8 +320,6 @@ function build_rssfile($format, $title, $desc, $events_array, $outputfile, $filt
 	$fichier = fopen($outputfile, "w");
 
 	if ($fichier) {
-		$date = date("r");
-
 		// Print header
 		fwrite($fichier, '<?xml version="1.0" encoding="'.$langs->charset_output.'"?>');
 		fwrite($fichier, "\n");
@@ -335,25 +333,25 @@ function build_rssfile($format, $title, $desc, $events_array, $outputfile, $filt
 			fwrite($fichier, "<language>".$langcode."</language>\n");
 		}
 
-		/*
-		fwrite($fichier, "<description><![CDATA[".$desc.".]]></description>"."\n".
-				// "<language>fr</language>"."\n".
-				"<copyright>Dolibarr</copyright>"."\n".
-				"<lastBuildDate>".$date."</lastBuildDate>"."\n".
-				"<generator>Dolibarr</generator>"."\n");
-		*/
+		// Define $urlwithroot
+		$urlwithouturlroot = preg_replace("/".preg_quote(DOL_URL_ROOT, "/")."$/i", "", trim($dolibarr_main_url_root));
+		$urlwithroot       = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
+		//$urlwithroot=DOL_MAIN_URL_ROOT;                       // This is to use same domain name than current
 
+		// Url
 		if (empty($url)) {
-			// Define $urlwithroot
-			$urlwithouturlroot = preg_replace("/".preg_quote(DOL_URL_ROOT, "/")."$/i", "", trim($dolibarr_main_url_root));
-			$urlwithroot       = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
-			//$urlwithroot=DOL_MAIN_URL_ROOT;                       // This is to use same domain name than current
-
 			$url = $urlwithroot."/public/agenda/agendaexport.php?format=rss&exportkey=".urlencode($conf->global->MAIN_AGENDA_XCAL_EXPORTKEY);
 		}
-
 		fwrite($fichier, "<link><![CDATA[".$url."]]></link>\n");
 
+		// Image
+		if (!empty($mysoc->logo_squarred_small)) {
+			$urlimage = $urlwithroot.'/viewimage.php?cache=1&amp;modulepart=mycompany&amp;file='.urlencode($mysoc->logo_squarred_small);
+			if ($urlimage) {
+				fwrite($fichier, "<image><url><![CDATA[".$urlimage."]]></url><title>'.$title.</title></image>\n");
+			}
+		}
+
 		foreach ($events_array as $key => $event) {
 			$eventqualified = true;