hai 1 ano · ab3737e569
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -52,6 +52,12 @@ if ($action == 'getlastversion') {
 
				 	$result = getURLContent('https://sourceforge.net/projects/dolibarr/rss');
			
 
				 	//var_dump($result['content']);
			
 
				 	if (function_exists('simplexml_load_string')) {
			
 
				+		if (LIBXML_VERSION < 20900) {
			
 
				+			// Avoid load of external entities (security problem).
			
 
				+			// Required only if LIBXML_VERSION < 20900
			
 
				+			libxml_disable_entity_loader(true);
			
 
				+		}
			
 
				+
			
 
				 		$sfurl = simplexml_load_string($result['content'], 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
			
 
				 	} else {
			
 
				 		setEventMessages($langs->trans("ErrorPHPDoesNotSupport", "xml"), null, 'errors');
			
--- a/htdocs/admin/system/filecheck.php
+++ b/htdocs/admin/system/filecheck.php
@@ -176,6 +176,12 @@ if (GETPOST('target') == 'remote') {
 
				 	if (!$xmlarray['curl_error_no'] && $xmlarray['http_code'] != '400' && $xmlarray['http_code'] != '404') {
			
 
				 		$xmlfile = $xmlarray['content'];
			
 
				 		//print "xmlfilestart".$xmlfile."xmlfileend";
			
 
				+		if (LIBXML_VERSION < 20900) {
			
 
				+			// Avoid load of external entities (security problem).
			
 
				+			// Required only if LIBXML_VERSION < 20900
			
 
				+			libxml_disable_entity_loader(true);
			
 
				+		}
			
 
				+
			
 
				 		$xml = simplexml_load_string($xmlfile, 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
			
 
				 	} else {
			
 
				 		$errormsg = $langs->trans('XmlNotFound').': '.$xmlremote.' - '.$xmlarray['http_code'].(($xmlarray['http_code'] == 400 && $xmlarray['content']) ? ' '.$xmlarray['content'] : '').' '.$xmlarray['curl_error_no'].' '.$xmlarray['curl_error_msg'];
			
--- a/htdocs/admin/tools/update.php
+++ b/htdocs/admin/tools/update.php
@@ -63,6 +63,12 @@ if ($action == 'getlastversion') {
 
				 	$result = getURLContent('https://sourceforge.net/projects/dolibarr/rss');
			
 
				 	//var_dump($result['content']);
			
 
				 	if (function_exists('simplexml_load_string')) {
			
 
				+		if (LIBXML_VERSION < 20900) {
			
 
				+			// Avoid load of external entities (security problem).
			
 
				+			// Required only if LIBXML_VERSION < 20900
			
 
				+			libxml_disable_entity_loader(true);
			
 
				+		}
			
 
				+
			
 
				 		$sfurl = simplexml_load_string($result['content'], 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
			
 
				 	} else {
			
 
				 		$sfurl = 'xml_not_available';
			
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@@ -2052,6 +2052,12 @@ class Setup extends DolibarrApi
 
				 			throw new RestException(500, $langs->trans("ErrorURLMustEndWith", $xmlremote, '.xml'));
			
 
				 		}
			
 
				 
			
 
				+		if (LIBXML_VERSION < 20900) {
			
 
				+			// Avoid load of external entities (security problem).
			
 
				+			// Required only if LIBXML_VERSION < 20900
			
 
				+			libxml_disable_entity_loader(true);
			
 
				+		}
			
 
				+
			
 
				 		if ($target == 'local') {
			
 
				 			if (dol_is_file($xmlfile)) {
			
 
				 				$xml = simplexml_load_file($xmlfile);
			
--- a/htdocs/core/class/rssparser.class.php
+++ b/htdocs/core/class/rssparser.class.php
@@ -260,9 +260,13 @@ class RssParser
 
				 			if (getDolGlobalString('EXTERNALRSS_USE_SIMPLEXML')) {
			
 
				 				//print 'xx'.LIBXML_NOCDATA;
			
 
				 				libxml_use_internal_errors(false);
			
 
				-				libxml_disable_entity_loader(true);	// Avoid load of external entities (security problem). Required only if LIBXML_VERSION < 20900
			
 
				+				if (LIBXML_VERSION < 20900) {
			
 
				+					// Avoid load of external entities (security problem).
			
 
				+					// Required only if LIBXML_VERSION < 20900
			
 
				+					libxml_disable_entity_loader(true);
			
 
				+				}
			
 
				 
			
 
				-				$rss = simplexml_load_string($str, "SimpleXMLElement", LIBXML_NOCDATA|LIBXML_NOENT);
			
 
				+				$rss = simplexml_load_string($str, "SimpleXMLElement", LIBXML_NOCDATA);
			
 
				 			} else {
			
 
				 				if (!function_exists('xml_parser_create')) {
			
 
				 					$this->error = 'Function xml_parser_create are not supported by your PHP';
			
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7613,7 +7613,11 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 
				 			if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML') && $check != 'restricthtmlallowunvalid') {
			
 
				 				try {
			
 
				 					libxml_use_internal_errors(false);	// Avoid to fill memory with xml errors
			
 
				-					libxml_disable_entity_loader(true);	// Avoid load of external entities (security problem). Required only if LIBXML_VERSION < 20900
			
 
				+					if (LIBXML_VERSION < 20900) {
			
 
				+						// Avoid load of external entities (security problem).
			
 
				+						// Required only if LIBXML_VERSION < 20900
			
 
				+						libxml_disable_entity_loader(true);
			
 
				+					}
			
 
				 
			
 
				 					$dom = new DOMDocument();
			
 
				 					// Add a trick to solve pb with text without parent tag
			
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -422,6 +422,12 @@ if (getDolGlobalString('MAIN_EASTER_EGG_COMMITSTRIP')) {
 
				 		$resgetcommitstrip = getURLContent("https://www.commitstrip.com/en/feed/");
			
 
				 	}
			
 
				 	if ($resgetcommitstrip && $resgetcommitstrip['http_code'] == '200') {
			
 
				+		if (LIBXML_VERSION < 20900) {
			
 
				+			// Avoid load of external entities (security problem).
			
 
				+			// Required only if LIBXML_VERSION < 20900
			
 
				+			libxml_disable_entity_loader(true);
			
 
				+		}
			
 
				+
			
 
				 		$xml = simplexml_load_string($resgetcommitstrip['content'], 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
			
 
				 		$little = $xml->channel->item[0]->children('content', true);
			
 
				 		print preg_replace('/width="650" height="658"/', '', $little->encoded);