Merge remote-tracking branch 'origin/support/2.6' into support/2.7

# Conflicts: # application/transaction.class.inc.php
2026-02-12 23:14:18 +01:00 · 2021-10-18 14:30:03 +02:00
parent 8154e718a1 b3f827ed5e
commit 8ea5be4ead
4 changed files with 183 additions and 16 deletions
--- a/application/transaction.class.inc.php
+++ b/application/transaction.class.inc.php
@@ -26,8 +26,6 @@
 * @copyright   Copyright (C) 2010-2012 Combodo SARL
 * @license     http://opensource.org/licenses/AGPL-3.0
 */
-
-
 class privUITransaction
 {
 	/**
@@ -101,7 +99,6 @@ class privUITransaction
 /**
 * The original (and by default) mechanism for storing transaction information
 * as an array in the $_SESSION variable
- *
 */
 class privUITransactionSession
 {
@@ -269,27 +266,26 @@ class privUITransactionFile
 	/**
 	 * Removes the transaction specified by its id
 	 * @param int $id The Identifier (as returned by GetNewTransactionId) of the transaction to be removed.
-	 * @return void
+	 * @return bool true if the token can be removed
 	 */
 	public static function RemoveTransaction($id)
 	{
-		$bSuccess = true;
 		$sFilepath = APPROOT.'data/transactions/'.$id;
 		clearstatcache(true, $sFilepath);
-		if(!file_exists($sFilepath))
-		{
+		if (!file_exists($sFilepath)) {
 			$bSuccess = false;
-			self::Error("RemoveTransaction: Transaction '$id' not found. Pending transactions for this user:\n".implode("\n", self::GetPendingTransactions()));
+			self::Error("RemoveTransaction: Transaction '$id' not found. Pending transactions for this user:\n"
+				.implode("\n", self::GetPendingTransactions()));
+		} else {
+			$bSuccess = @unlink($sFilepath);
 		}
-		$bSuccess = @unlink($sFilepath);
-		if (!$bSuccess)
-		{
+
+		if (!$bSuccess) {
 			self::Error('RemoveTransaction: FAILED to remove transaction '.$id);
-		}
-		else
-		{
+		} else {
 			self::Info('RemoveTransaction: OK '.$id);
 		}
+
 		return $bSuccess;
 	}

--- a/application/ui.extkeywidget.class.inc.php
+++ b/application/ui.extkeywidget.class.inc.php
@@ -372,10 +372,10 @@ EOF
 		$sHTML .= "</form>\n";
 		$sHTML .= '</div></div>';

-		$sDialogTitle = addslashes($sTitle);
+		$sDialogTitleSanitized = utils::HtmlToText($sTitle);
 		$oPage->add_ready_script(
 <<<EOF
-		$('#ac_dlg_{$this->iId}').dialog({ width: $(window).width()*0.8, height: $(window).height()*0.8, autoOpen: false, modal: true, title: '$sDialogTitle', resizeStop: oACWidget_{$this->iId}.UpdateSizes, close: oACWidget_{$this->iId}.OnClose });
+		$('#ac_dlg_{$this->iId}').dialog({ width: $(window).width()*0.8, height: $(window).height()*0.8, autoOpen: false, modal: true, title: '$sDialogTitleSanitized', resizeStop: oACWidget_{$this->iId}.UpdateSizes, close: oACWidget_{$this->iId}.OnClose });
 		$('#fs_{$this->iId}').bind('submit.uiAutocomplete', oACWidget_{$this->iId}.DoSearchObjects);
 		$('#dc_{$this->iId}').resize(oACWidget_{$this->iId}.UpdateSizes);
 EOF
--- a/js/utils.js
+++ b/js/utils.js
@@ -749,4 +749,70 @@ Dict.Format = function () {
 	var args = Array.from(arguments);
 	args[0] = Dict.S(arguments[0]);
 	return Format(args);
+}
+
+
+
+/**
+ * Helper to Sanitize string
+ *
+ * Note: Same as in php (see \utils::Sanitize)
+ *
+ * @api
+ * @since 2.6.5 2.7.6 3.0.0 N°4367
+ */
+const CombodoSanitizer = {
+	ENUM_SANITIZATION_FILTER_INTEGER: 'integer',
+	ENUM_SANITIZATION_FILTER_STRING: 'string',
+	ENUM_SANITIZATION_FILTER_CONTEXT_PARAM: 'context_param',
+	ENUM_SANITIZATION_FILTER_PARAMETER: 'parameter',
+	ENUM_SANITIZATION_FILTER_FIELD_NAME: 'field_name',
+	ENUM_SANITIZATION_FILTER_TRANSACTION_ID: 'transaction_id',
+	ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER: 'element_identifier',
+	ENUM_SANITIZATION_FILTER_VARIABLE_NAME: 'variable_name',
+
+	/**
+	 * @param {String} sValue The string to sanitize
+	 * @param {String} sDefaultValue The string to return if sValue not match (used for some filters)
+	 * @param {String} sSanitizationFilter one of the ENUM_SANITIZATION_FILTERs
+	 */
+	Sanitize: function (sValue, sDefaultValue, sSanitizationFilter) {
+		switch (sSanitizationFilter) {
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_INTEGER:
+				return this._CleanString(sValue, sDefaultValue, /[^0-9-+]*/g);
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_STRING:
+				return $("<div>").text(sValue).text();
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_TRANSACTION_ID:
+				return this._ReplaceString(sValue, sDefaultValue, /^([\. A-Za-z0-9_=-]*)$/g, '');
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_PARAMETER:
+				return this._ReplaceString(sValue, sDefaultValue, /^([ A-Za-z0-9_=-]*)$/g);
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_FIELD_NAME:
+				return this._ReplaceString(sValue, sDefaultValue, /^[A-Za-z0-9_]+(->[A-Za-z0-9_]+)*$/g);
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_CONTEXT_PARAM:
+				return this._ReplaceString(sValue, sDefaultValue, /^[ A-Za-z0-9_=%:+-]*$/g);
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER:
+				return this._CleanString(sValue, sDefaultValue, /[^a-zA-Z0-9_]/g);
+
+			case CombodoSanitizer.ENUM_SANITIZATION_FILTER_VARIABLE_NAME:
+				return this._CleanString(sValue, sDefaultValue, /[^a-zA-Z0-9_]/g);
+
+		}
+		return sDefaultValue;
+	},
+	_CleanString: function (sValue, sDefaultValue, sRegExp) {
+		return sValue.replace(sRegExp, '');
+	},
+	_ReplaceString: function (sValue, sDefaultValue, sRegExp) {
+		if (sRegExp.test(sValue)) {
+			return sValue;
+		} else {
+			return sDefaultValue;
+		}
+	}
 }
--- a/test/VisualTest/sanitize_test.php
+++ b/test/VisualTest/sanitize_test.php
@@ -0,0 +1,105 @@
+<?php
+/*
+ * @copyright   Copyright (C) 2010-2021 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+require_once '../../approot.inc.php';
+
+require_once(APPROOT.'/application\utils.inc.php');
+$index = 0;
+function testSanitize ($sValue, $sType, &$index ){
+	$sDefaultVal = '!defaultVal!';
+	$sValueEscapedJs = str_replace('"', '\"', $sValue);
+	$sSanitizedValue = utils::Sanitize($sValue, $sDefaultVal, $sType);
+
+	echo <<<HTML
+<tr id="test{$index}">
+	<td>{$sType}</td>
+	<td>{$sValue}</td>
+	<td class="sanitized_php">{$sSanitizedValue}</td>
+	<td class="sanitized_js"></td>
+	<td class="hasDiff"></td>
+</tr>
+<script>
+var parentTr = $("tr#test{$index}"),
+	sanitizedPhp = parentTr.find("td.sanitized_php").text(),
+	sanitizedJs = CombodoSanitizer.Sanitize("{$sValueEscapedJs}","{$sDefaultVal}","{$sType}");
+
+parentTr.find("td.sanitized_js").text(sanitizedJs);
+
+if (sanitizedJs !== sanitizedPhp) {
+	console.error("difference detected !", "{$sValueEscapedJs}", '{$sType}', sanitizedPhp, sanitizedJs);
+	parentTr.find("td.hasDiff").text("KO");
+}
+</script>
+HTML;
+
+	$index++;
+}
+
+$aValues = array(
+	"test",
+	"t;e-s_t$",
+	"123test",
+	"\"('èé&=hcb test",
+	"<div>Hello!</div>",
+	"*-+7464+guigez cfuze",
+	"",
+	"()=°²€",
+	"éèç",
+);
+
+$aTypes = array(
+	'context_param',
+	'element_identifier',
+	'field_name',
+	'integer',
+	'parameter',
+	'string',
+	'transaction_id',
+//	'variable_name', // introduced in 3.0.0
+);
+
+?>
+<!DOCTYPE>
+<html>
+<head>
+<script type="text/javascript" src="../../js/jquery.min.js"></script>
+<script type="text/javascript" src="../../js/utils.js"></script>
+<style>
+table, tr, td {
+	padding: 3px 10px;
+	border: 1px solid lightgrey;
+	border-collapse: collapse;
+}
+
+td.hasDiff {
+	color: red;
+}
+
+thead {
+	font-weight: bold;
+}
+</style>
+</head>
+<body>
+<table>
+	<thead>
+	<tr>
+		<td>Type</td>
+		<td>chaine initiale</td>
+		<td>chaine sanitize by php</td>
+		<td>chaine sanitize by js</td>
+		<td> status test</td>
+	</tr>
+	</thead>
+<?php
+
+foreach ($aTypes as $sType) {
+	foreach ($aValues as $sValue) {
+		testSanitize($sValue, $sType, $index);
+	}
+}
+?></table>
+</body>
+</html>