N°2235 Enable notification placeholders in hyperlinks

2026-02-12 23:14:18 +01:00 · 2019-05-21 17:38:28 +02:00
parent e9119e95ac
commit bc55bfbee1
2 changed files with 32 additions and 3 deletions
--- a/core/htmlsanitizer.class.inc.php
+++ b/core/htmlsanitizer.class.inc.php
@@ -243,10 +243,15 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 		{
 			// Regular urls
 			$sUrlPattern = utils::GetConfig()->Get('url_validation_pattern');
+
 			// Mailto urls
 			$sMailtoPattern = '(mailto:(' . utils::GetConfig()->Get('email_validation_pattern') . ')(?:\?(?:subject|body)=([a-zA-Z0-9+\$_.-]*)(?:&(?:subject|body)=([a-zA-Z0-9+\$_.-]*))?)?)';

-			$sPattern = $sUrlPattern . '|' . $sMailtoPattern;
+			// Notification placeholders
+			// eg. $this->caller_id$, $this->hyperlink()$, $this->hyperlink(portal)$, $APP_URL$, $MODULES_URL$, ...
+			$sPlaceholderPattern = '\$[\w-]*(->[\w]*(\([\w-]*?\))?)?\$';
+
+			$sPattern = $sUrlPattern . '|' . $sMailtoPattern . '|' . $sPlaceholderPattern;
 			$sPattern = '/'.str_replace('/', '\/', $sPattern).'/i';
 			self::$aAttrsWhiteList['href'] = $sPattern;
 		}
--- a/core/metamodel.class.php
+++ b/core/metamodel.class.php
@@ -7216,6 +7216,10 @@ abstract class MetaModel
 				{
 					// Expand the parameters for the object
 					$sName = substr($sSearch, 0, $iPos);
+					// Note: Capturing
+					// 1 - The delimiter
+					// 2 - The arrow
+					// 3 - The attribute code
 					$aRegExps = array(
                        '/(\\$)'.$sName.'-(>|&gt;)([^\\$]+)\\$/', // Support both syntaxes: $this->xxx$ or $this-&gt;xxx$ for HTML compatibility
                        '/(%24)'.$sName.'-(>|&gt;)([^%24]+)%24/', // Support for urlencoded in HTML attributes (%20this-&gt;xxx%20)
@@ -7250,8 +7254,28 @@ abstract class MetaModel
 			}
 			else
 			{
-				$aSearches[] = '$'.$sSearch.'$';
-				$aReplacements[] = (string)$replace;
+				$aRegExps = array(
+					'/(\$)'.$sSearch.'\$/',   // Support for regular placeholders (eg. $APP_URL$)
+					'/(%24)'.$sSearch.'%24/', // Support for urlencoded in HTML attributes (eg. %24APP_URL%24)
+				);
+				foreach($aRegExps as $sRegExp)
+				{
+					if(preg_match_all($sRegExp, $sInput, $aMatches))
+					{
+						foreach($aMatches[1] as $idx => $sDelimiter)
+						{
+							try
+							{
+								$aReplacements[] = (string) $replace;
+								$aSearches[] = $aMatches[1][$idx] . $sSearch . $aMatches[1][$idx];
+							}
+							catch(Exception $e)
+							{
+								// No replacement will occur
+							}
+						}
+					}
+				}
 			}
 		}
 		return str_replace($aSearches, $aReplacements, $sInput);