Protect md file

Laurent Destailleur
2020-09-17 16:57:39 +02:00
parent d04d1d1499
commit eae5410ced
3 changed files with 9 additions and 1 deletions


@@ -422,6 +422,7 @@ class ModeleBoxes // Can't be abtract as it is instantiated to build "empty" box
{
while (($file = readdir($handle)) !== false)
{
$reg = array();
if (is_readable($newdir.'/'.$file) && preg_match('/^(.+)\.php/', $file, $reg))
{
if (preg_match('/\.back$/', $file)) continue;


@@ -7970,6 +7970,7 @@ function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0)
if (preg_match('/\.ini$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'ini'; $famime = 'file-text-o'; }
if (preg_match('/\.md$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'md'; $famime = 'file-text-o'; }
if (preg_match('/\.css$/i', $tmpfile)) { $mime = 'text/css'; $imgmime = 'css.png'; $srclang = 'css'; $famime = 'file-text-o'; }
if (preg_match('/\.lang$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'lang'; $famime = 'file-text-o'; }
// Certificate files
if (preg_match('/\.(crt|cer|key|pub)$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $famime = 'file-text-o'; }
// XML based (HTML/XML/XAML)


@@ -1463,7 +1463,13 @@ if ($action == 'savefile' && empty($cancel))
dol_copy($pathoffile, $pathoffilebackup, 0, 1);
}
$content = GETPOST('editfilecontent', 'none');
$check = 'restricthtml';
$srclang = dol_mimetype($pathoffile, '', 3);
if ($srclang == 'md') $check = 'restricthtml';
if ($srclang == 'lang') $check = 'restricthtml';
if ($srclang == 'php') $check = 'none';
$content = GETPOST('editfilecontent', $check);
// Save file on disk
if ($content)
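Review bot: In the added block, the `md` and `lang` checks assign the value `$check` already holds, so the only branch that changes anything is `php` → `'none'`, and every other file type saved through this action is now filtered with `restricthtml` by default. If that default is intended, state it and drop the two no-op lines, e.g. `$check = ($srclang == 'php') ? 'none' : 'restricthtml'; // only PHP sources are stored unfiltered`; if other source-like types are editable here (not visible in the hunk), confirm the filter does not alter them. The `'none'` branch writes request content into a .php file unmodified, so it depends entirely on the permission checks of the `savefile` action, which begins and ends outside this hunk and cannot be confirmed from here. The filter choice is also driven only by the extension of `$pathoffile`, so it is only as strong as whatever validation that path receives upstream.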