Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport #yogosha18281 #30915

Open
wants to merge 3 commits into
base: 18.0
Choose a base branch
from
Open

Backport #yogosha18281 #30915

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0be0c1a
Backport #yogosha18281
MaximilienR-easya Sep 10, 2024
1ee3c5e
Backport fix title
MaximilienR-easya Sep 13, 2024
bad8ee8
Fix title encode
MaximilienR-easya Sep 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions htdocs/core/class/translate.class.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -580,7 +580,7 @@ public function isLoaded($domain)
*/
private function getTradFromKey($key)
{
global $conf, $db;
global $db;

if (!is_string($key)) {
//xdebug_print_function_stack('ErrorBadValueForParamNotAString');
Expand Down Expand Up @@ -660,7 +660,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
}
}

// Crypt string into HTML
// Encode string into HTML
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content

// Restore reliable HTML tags into original translation string
Expand All @@ -670,6 +670,10 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
$str
);

// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);

if ($maxsize) {
$str = dol_trunc($str, $maxsize);
}
Expand Down Expand Up @@ -739,6 +743,10 @@ public function transnoentitiesnoconv($key, $param1 = '', $param2 = '', $param3
$str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
}

// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);

return $str;
} else {
/*if ($key[0] == '$') {
Expand Down
2 changes: 1 addition & 1 deletion htdocs/core/js/lib_head.js.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -996,7 +996,7 @@ function document_preview(file, type, title)
var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
var showOriginalSizeButton = false;

console.log("document_preview A click was done. file="+file+", type="+type+", title="+title);
console.log("document_preview A click was done: file="+file+", type="+type+", title="+title);

if ($.inArray(type, ValidImageTypes) < 0) {
/* Not an image */
Expand Down
11 changes: 9 additions & 2 deletions htdocs/core/lib/functions.lib.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10349,15 +10349,22 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param

if ($alldata == 1) {
if ($isAllowedForPreview) {
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
} else {
return array();
}
}

// old behavior, return a string
if ($isAllowedForPreview) {
return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
$title = $langs->transnoentities("Preview");
//$title = '%27-alert(document.domain)-%27';
//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");

// We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.rawurlencode(dol_escape_js($title)).'\')';
} else {
return '';
}
Expand Down
Loading