Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2024 rc backport Fix #yogosha18281 #1058

Merged
merged 2 commits into from
Sep 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion htdocs/core/class/translate.class.php
Original file line number Diff line number Diff line change
Expand Up @@ -660,7 +660,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
}
}

// Crypt string into HTML
// Encode string into HTML
$str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content

// Restore reliable HTML tags into original translation string
Expand All @@ -670,6 +670,10 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
$str
);

// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);

if ($maxsize) {
$str = dol_trunc($str, $maxsize);
}
Expand Down Expand Up @@ -739,6 +743,10 @@ public function transnoentitiesnoconv($key, $param1 = '', $param2 = '', $param3
$str = sprintf($str, $param1, $param2, $param3, $param4, $param5); // Replace %s and %d except for FormatXXX strings.
}

// Remove dangerous sequence we should never have. Not needed into a translated response.
// %27 is entity code for ' and is replaced by browser automatically when translation is inside a javascript code called by a click like on a href link.
$str = str_replace(array('%27', '&#39'), '', $str);

return $str;
} else {
/*if ($key[0] == '$') {
Expand Down
2 changes: 1 addition & 1 deletion htdocs/core/js/lib_head.js.php
Original file line number Diff line number Diff line change
Expand Up @@ -996,7 +996,7 @@ function document_preview(file, type, title)
var ValidImageTypes = ["image/gif", "image/jpeg", "image/png", "image/webp"];
var showOriginalSizeButton = false;

console.log("document_preview A click was done. file="+file+", type="+type+", title="+title);
console.log("document_preview A click was done: file="+file+", type="+type+", title="+title);

if ($.inArray(type, ValidImageTypes) < 0) {
/* Not an image */
Expand Down
11 changes: 9 additions & 2 deletions htdocs/core/lib/functions.lib.php
Original file line number Diff line number Diff line change
Expand Up @@ -10475,15 +10475,22 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param

if ($alldata == 1) {
if ($isAllowedForPreview) {
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath));
} else {
return array();
}
}

// old behavior, return a string
if ($isAllowedForPreview) {
return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')';
$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
$title = $langs->transnoentities("Preview");
//$title = '%27-alert(document.domain)-%27';
//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");

// We need to urlencode the parameter after the dol_escape_js($tmpurl) because $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.urlencode(dol_escape_js($title)).'\')';
} else {
return '';
}
Expand Down