From 0be0c1a1c15bf072bf2199cddf5a634db78825c7 Mon Sep 17 00:00:00 2001 From: mrozniecki Date: Tue, 10 Sep 2024 14:01:04 +0200 Subject: [PATCH 1/3] Backport #yogosha18281 --- htdocs/core/class/translate.class.php | 12 ++++++++++-- htdocs/core/js/lib_head.js.php | 2 +- htdocs/core/lib/functions.lib.php | 11 +++++++++-- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php index 4b538021da4a6..4a5cd7e493a7d 100644 --- a/htdocs/core/class/translate.class.php +++ b/htdocs/core/class/translate.class.php @@ -580,7 +580,7 @@ public function isLoaded($domain) */ private function getTradFromKey($key) { - global $conf, $db; + global $db; if (!is_string($key)) { //xdebug_print_function_stack('ErrorBadValueForParamNotAString'); @@ -660,7 +660,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 = } } - // Crypt string into HTML + // Encode string into HTML $str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content // Restore reliable HTML tags into original translation string @@ -670,6 +670,10 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 = $str ); + // Remove dangerous sequence we should never have. Not needed into a translated response. + // %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link. + $str = str_replace(array('%27', '''), '', $str); + if ($maxsize) { $str = dol_trunc($str, $maxsize); } @@ -739,6 +743,10 @@ public function transnoentitiesnoconv($key, $param1 = '', $param2 = '', $param3 $str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings. } + // Remove dangerous sequence we should never have. Not needed into a translated response. + // %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link. + $str = str_replace(array('%27', '''), '', $str); + return $str; } else { /*if ($key[0] == '$') { diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php index c33cb7eb74821..33f8526b00073 100644 --- a/htdocs/core/js/lib_head.js.php +++ b/htdocs/core/js/lib_head.js.php @@ -996,7 +996,7 @@ function document_preview(file, type, title) var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"]; var showOriginalSizeButton = false; - console.log("document_preview A click was done. file="+file+", type="+type+", title="+title); + console.log("document_preview A click was done: file="+file+", type="+type+", title="+title); if ($.inArray(type, ValidImageTypes) < 0) { /* Not an image */ diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 785889eab78d0..f3bbbc682c018 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -10349,7 +10349,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param if ($alldata == 1) { if ($isAllowedForPreview) { - return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath)); + return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath)); } else { return array(); } @@ -10357,7 +10357,14 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param // old behavior, return a string if ($isAllowedForPreview) { - return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')'; + $tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''); + $title = $langs->trans("Preview"); + //$title = '%27-alert(document.domain)-%27'; + //$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg"); + + // We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside. + // and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param + return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.urlencode(dol_escape_js($title)).'\')'; } else { return ''; } From 1ee3c5e5a078f090f314e5731dd7efd930082e43 Mon Sep 17 00:00:00 2001 From: mrozniecki Date: Fri, 13 Sep 2024 12:08:58 +0200 Subject: [PATCH 2/3] Backport fix title --- htdocs/core/lib/functions.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f3bbbc682c018..12cacbb154971 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -10358,7 +10358,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param // old behavior, return a string if ($isAllowedForPreview) { $tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''); - $title = $langs->trans("Preview"); + $title = $langs->transnoentities("Preview"); //$title = '%27-alert(document.domain)-%27'; //$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg"); From bad8ee865d1b78eeda7960388350921b0c4afe2c Mon Sep 17 00:00:00 2001 From: mrozniecki Date: Fri, 20 Sep 2024 14:34:34 +0200 Subject: [PATCH 3/3] Fix title encode --- htdocs/core/lib/functions.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 12cacbb154971..a0dfce0b0e09a 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -10364,7 +10364,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param // We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside. // and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param - return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.urlencode(dol_escape_js($title)).'\')'; + return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.rawurlencode(dol_escape_js($title)).'\')'; } else { return ''; }