From d4ab3826a2252114df0bb2a6d0457c973542306a Mon Sep 17 00:00:00 2001
From: mrozniecki
Date: Tue, 10 Sep 2024 11:53:30 +0200
Subject: [PATCH 1/2] Backport yogasha

---
 htdocs/core/lib/functions.lib.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 9099d18cd7565..55bf534757a27 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -10483,7 +10483,14 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 // old behavior, return a string
 if ($isAllowedForPreview) {
- return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
+ $tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
+ $title = $langs->transnoentities("Preview");
+ //$title = '%27-alert(document.domain)-%27';
+ //$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");
+
+ // We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
+ // and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
+ return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.urlencode(dol_escape_js($title)).'\')';
 } else {
 return '';
 }

From 5e388e95fb036d0e7580dbc7d16b3e98353fd9ea Mon Sep 17 00:00:00 2001
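Review bot: The two commented-out assignments `//$title = '%27-alert(document.domain)-%27';` and `//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");` in the new branch are leftover test inputs, not documentation, and should be dropped before merge; the explanatory comment above the `return` also needs rewording (`contain n url`, `a urlcode is done by browser, converted the %27`). The real constraint is that a `javascript:` href is percent-decoded by the browser before it is parsed as script, so each argument must survive two decoders, which the new code handles by `urlencode()` applied after `dol_escape_js()`; `$param`, however, is still spliced into `$tmpurl` verbatim and so depends on the caller having URL-encoded it. I would replace the two comment lines with `// The href is percent-decoded by the browser before the JS runs, so every argument is JS-escaped first and then urlencode()d; $param must already be URL-encoded by the caller.`. Longer term, carrying the file, mime type and title in data-* attributes read by a delegated click handler would avoid inline `javascript:` URLs and the double-decoding step entirely. getAdvancedPreviewUrl starts before this hunk.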
From: mrozniecki
Date: Tue, 10 Sep 2024 12:28:28 +0200
Subject: [PATCH 2/2] backport the entirety of the yogasha commit

---
 htdocs/core/class/translate.class.php | 10 +++++++++-
 htdocs/core/js/lib_head.js.php | 2 +-
 htdocs/core/lib/functions.lib.php | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php
index 4b538021da4a6..e6b4d4be63f98 100644
--- a/htdocs/core/class/translate.class.php
+++ b/htdocs/core/class/translate.class.php
@@ -660,7 +660,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
 }
 }

- // Crypt string into HTML
+ // Encode string into HTML
 $str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content
 // Restore reliable HTML tags into original translation string
@@ -670,6 +670,10 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
 $str
 );

+ // Remove dangerous sequence we should never have. Not needed into a translated response.
+ // %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
+ $str = str_replace(array('%27', '''), '', $str);
+
 if ($maxsize) {
 $str = dol_trunc($str, $maxsize);
 }
@@ -739,6 +743,10 @@ public function transnoentitiesnoconv($key, $param1 = '', $param2 = '', $param3
 $str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
 }

+ // Remove dangerous sequence we should never have. Not needed into a translated response.
+ // %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
+ $str = str_replace(array('%27', '''), '', $str);
+
 return $str;
 } else {
 /*if ($key[0] == '$') {
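Review bot: Deleting `%27` and the apostrophe entity inside `trans()` — and identically inside `transnoentitiesnoconv()` in the `@@ -739` hunk — is output escaping done in the wrong layer: it silently alters any legitimate translation that contains those sequences, it covers only one of the characters that can break out of a `javascript:` href (`%22`, `%3C`, `%0A` pass through untouched), and the consumer that motivated it, getAdvancedPreviewUrl, already applies dol_escape_js() plus urlencode() after the first patch. If the blacklist is kept, the comment is inaccurate — `%27` is the URL percent-encoding of `'`, not an HTML entity — so I would write `// %27 is the URL-encoding of '; the browser decodes it when a translation ends up inside a javascript: href, so it must never survive in translated text.`. Note also that the second search value appears here as `'''`, which is not valid PHP; presumably an HTML entity was decoded when this page was rendered, so confirm the committed source contains the entity rather than a bare quote. Both methods start before their hunks.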
diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php
index c33cb7eb74821..33f8526b00073 100644
--- a/htdocs/core/js/lib_head.js.php
+++ b/htdocs/core/js/lib_head.js.php
@@ -996,7 +996,7 @@ function document_preview(file, type, title)
 var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
 var showOriginalSizeButton = false;

- console.log("document_preview A click was done. file="+file+", type="+type+", title="+title);
+ console.log("document_preview A click was done: file="+file+", type="+type+", title="+title);

 if ($.inArray(type, ValidImageTypes) < 0) {
 /* Not an image */
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 55bf534757a27..474fe1c3b2dba 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -10475,7 +10475,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 if ($alldata == 1) {
 if ($isAllowedForPreview) {
- return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
+ return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
 } else {
 return array();
 }
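Review bot: The `console.log` that this hunk only re-punctuates still ships in production and writes the raw `file`, `type` and `title` arguments to the browser console; after the functions.lib.php change those arrive percent-encoded from the href and the file name is user-influenced, so the log line documents exactly what the escaping chain produces. Either remove the call or guard it behind a debug flag so the encoded file name is not logged by default, e.g. keep the line but wrap it in `if (debug) { ... }` using whatever debug switch this file already exposes (none is visible in the hunk). document_preview starts before this hunk.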
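Review bot: `$param` is still concatenated into the `'url'` value unencoded after `'&'`, in this branch as in the string branch patched earlier, so the function's contract is that the caller passes an already URL-encoded query fragment — and that contract is stated nowhere visible. Add to the function's docblock (outside this hunk) `@param string $param Extra query-string parameters, already URL-encoded; appended verbatim after '&'`. The `'url'` element is also returned raw here, whereas the string branch JS-escapes and percent-encodes its output, so callers of the array form own the context-appropriate escaping when they emit it into HTML; a one-line note to that effect in the same docblock would prevent the two branches being treated as interchangeable. getAdvancedPreviewUrl starts before this hunk.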