Backport #yogosha18281 #30915

Open
wants to merge 3 commits into
base: 18.0
Changes from 2 commits
12 changes: 10 additions & 2 deletions htdocs/core/class/translate.class.php
@@ -580,7 +580,7 @@ public function isLoaded($domain)
*/
private function getTradFromKey($key)
{
global $conf, $db;
global $db;

if (!is_string($key)) {
//xdebug_print_function_stack('ErrorBadValueForParamNotAString');
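Review bot: dropping `$conf` from the `global` declaration at line 583 of getTradFromKey() is an unrelated cleanup inside a security backport; before merging, confirm that no line of the method body below the visible context still reads `$conf`, since such a read would now hit an undefined local instead of the global.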
@@ -660,7 +660,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
}
}

// Crypt string into HTML
// Encode string into HTML
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content

// Restore reliable HTML tags into original translation string
@@ -670,6 +670,10 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
$str
);

// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);

if ($maxsize) {
$str = dol_trunc($str, $maxsize);
}
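Review bot: the str_replace() at lines 673-675 is a blacklist applied to the translated output rather than an encoding fix at the point of use: it removes only `%27` and `&#39`, so other forms (`%22`, `&#x27;`, mixed case) pass through, and any legitimate translation that contains one of these sequences is silently altered. The htmlentities() call just above uses ENT_COMPAT and so never produces `&#39;` itself, which means the entity removal only ever touches translations that already contained it; and `&#39` without the trailing `;` also matches longer entities such as `&#390;`. Since the reported case is actually closed by the urlencode() added in getAdvancedPreviewUrl(), consider wording the comment as defence in depth and narrowing the match to `&#39;`.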
@@ -739,6 +743,10 @@ public function transnoentitiesnoconv($key, $param1 = '', $param2 = '', $param3
$str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
}

// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);

return $str;
} else {
/*if ($key[0] == '$') {
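Review bot: lines 746-748 duplicate the three-line stripping block from trans() verbatim; move it into one small private helper so the two lists cannot drift apart. transnoentitiesnoconv() also feeds non-HTML outputs, so double-check that deleting a literal `%27` from a translated string is acceptable there: the comment says the sequence is "not needed", but the effect on any translation that does contain it is a silent change of the displayed text.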
2 changes: 1 addition & 1 deletion htdocs/core/js/lib_head.js.php
@@ -996,7 +996,7 @@ function document_preview(file, type, title)
var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
var showOriginalSizeButton = false;

console.log("document_preview A click was done. file="+file+", type="+type+", title="+title);
console.log("document_preview A click was done: file="+file+", type="+type+", title="+title);

if ($.inArray(type, ValidImageTypes) < 0) {
/* Not an image */
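Review bot: the only change at line 999 is punctuation in a debug console.log(); if the call is kept, note that it writes every previewed file name and title to the browser console, so it is better gated behind a debug setting than shipped unconditionally in a security backport.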
11 changes: 9 additions & 2 deletions htdocs/core/lib/functions.lib.php
@@ -10349,15 +10349,22 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param

if ($alldata == 1) {
if ($isAllowedForPreview) {
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
} else {
return array();
}
}

// old behavior, return a string
if ($isAllowedForPreview) {
return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
$title = $langs->transnoentities("Preview");
//$title = '%27-alert(document.domain)-%27';
//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");

// We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.urlencode(dol_escape_js($title)).'\')';
Contributor
@lvessiller-opendsi there's a strange thing with urlencode on mimetype and title.

Here is the result of my test in the JavaScript console with manual data set with urlencode:

[image]

The result is a popup with no PDF displayed and a title with the raw URL-encoded string:

[image]

Without urlencode on mimetype and title everything seems good:

[image]

[image]

Contributor
Here is the code you can type into the debug JS console:

javascript:document_preview('/document.php?modulepart=propal&attachment=0&file=PR2409-0059%2FPR2409-0059.pdf&&entity=1', 'application/pdf', 'test éric / fichier js'); 

and

javascript:document_preview('/document.php?modulepart=propal&attachment=0&file=PR2409-0059%2FPR2409-0059.pdf&&entity=1', 'application%2fpdf', 'test+%C3%A9ric+%2F+fichier+js'); 

@eldy the original fix seems to be affected by the same error ...

Member
I don't understand how to reproduce your point @rycks.
You just upload a file with the name "test éric / fichier js.pdf" on a proposal?

Contributor
I think we shouldn't use urlencode for the parameters "dol_mimetype" and $title.
I think it should also be fixed in develop.

Contributor
@rycks
It works fine with urlencode.
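The gap between the console tests in the thread above and what happens when the href is actually clicked, as an added example (not code from the PR or from Dolibarr): a browser percent-decodes a `javascript:` URL once before running it, so the extra urlencode() is undone at that step, while a command typed into the console skips it. phpUrlencode, phpRawurlencode and dolEscapeJs are JS stand-ins for the PHP functions (assumptions, not the real implementations); the block also shows that urlencode()'s `+` for spaces survives that decode, which rawurlencode() avoids.

```javascript
// Added example (not code from the Dolibarr PR): what a browser does with a javascript: href
// built like getAdvancedPreviewUrl() builds it. The PHP helpers are JS stand-ins (assumptions).
const BASE = '/document.php?modulepart=propal&attachment=0&file=';
// PHP urlencode(): form encoding, space -> '+', and also encodes ! ' ( ) * ~
function phpUrlencode(s) {
  return encodeURIComponent(s).replace(/%20/g, '+')
    .replace(/[!'()*~]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}
// PHP rawurlencode(): RFC 3986, space -> '%20', '~' left as is
function phpRawurlencode(s) {
  return encodeURIComponent(s)
    .replace(/[!'()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}
// Stand-in for dol_escape_js(): backslash-escape \ ' and newline for a '...' literal
function dolEscapeJs(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/\n/g, '\\n');
}
// Browser side (HTML spec): the script run for a javascript: URL is the percent-decoding of
// its path. '+' is not turned back into a space at this step.
function browserScriptSource(href) {
  return decodeURIComponent(href.slice('javascript:'.length));
}
// Split document_preview('a', 'b', 'c') into its arguments, honouring backslash escapes.
// Returns null when a quote has broken out of a literal, i.e. the call is no longer intact.
function parseCallArgs(src) {
  const m = /^document_preview\((.*)\)$/s.exec(src);
  if (!m) return null;
  const body = m[1], args = [];
  for (let i = 0; i < body.length;) {
    if (body[i] !== "'") return null;
    let out = '';
    for (i++; i < body.length && body[i] !== "'"; i++) {
      if (body[i] === '\\') i++;
      out += body[i];
    }
    if (i++ >= body.length) return null;
    args.push(out);
    if (body.startsWith(', ', i)) i += 2; else if (i < body.length) return null;
  }
  return args;
}
// Before the fix: only the file name is urlencoded, so the browser's decode exposes its %27
function hrefBefore(file, mime, title) {
  return "javascript:document_preview('" + dolEscapeJs(BASE + phpUrlencode(file)) +
    "', '" + mime + "', '" + dolEscapeJs(title) + "')";
}
// After the fix: each argument is encoded once more, so the browser's single decode undoes it
function hrefAfter(file, mime, title, enc = phpUrlencode) {
  return "javascript:document_preview('" + enc(dolEscapeJs(BASE + phpUrlencode(file))) +
    "', '" + enc(mime) + "', '" + enc(dolEscapeJs(title)) + "')";
}
```

Run parseCallArgs(browserScriptSource(hrefBefore("a'b.pdf", ...))) to see the literal break (null), and the hrefAfter() variant to see it survive intact; pass phpRawurlencode as the last argument to compare how a title with spaces comes out.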

} else {
return '';
}
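Review bot: the commented-out test payloads at lines 10360-10361 (`//$title = '%27-alert(document.domain)-%27';` and the `//$tmpurl = 'file='.urlencode(...)` line) should be removed before merge rather than left as residue. The urlencode(dol_escape_js(...)) order at line 10365 is right, because the browser percent-decodes a `javascript:` URL exactly once before running it, which also explains the thread above: pasting the encoded strings straight into the console skips that decode, so they appear raw there but not when the href is clicked. One real side effect remains: urlencode() turns spaces into `+`, which that decode does not revert, so a title such as `test éric / fichier js` arrives as `test+éric+/+fichier+js`; rawurlencode() (`%20` for space) avoids this for all three arguments. The `$param` tail is still concatenated unencoded at line 10358, so callers must pass it already encoded.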