From cccd7494dfdfcce5017dcecb97166f3bf27bc4da Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 13 Feb 2023 13:29:30 +0100
Subject: [PATCH] Fix #huntr88841fe0-e332-49ce-a46b-36d4f091fd89
---
 htdocs/core/lib/website.lib.php | 2 +-
 htdocs/core/lib/website2.lib.php | 1 +
 htdocs/website/index.php | 10 ++++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php
index de5779a3f51..61a894b2c96 100644
--- a/htdocs/core/lib/website.lib.php
+++ b/htdocs/core/lib/website.lib.php
@@ -69,7 +69,7 @@ function dolStripPhpCode($str, $replacewith = '')
 *
 * @param string $str String to clean
 * @return string Result string with php code only
- * @see dolStripPhpCode()
+ * @see dolStripPhpCode(), checkPHPCode()
 */
 function dolKeepOnlyPhpCode($str)
 {
diff --git a/htdocs/core/lib/website2.lib.php b/htdocs/core/lib/website2.lib.php
index 768f735fe39..6d93d4391b2 100644
--- a/htdocs/core/lib/website2.lib.php
+++ b/htdocs/core/lib/website2.lib.php
@@ -680,6 +680,7 @@ function showWebsiteTemplates(Website $website)
 * @param string $phpfullcodestringold PHP old string. For exemple ""
 * @param string $phpfullcodestring PHP new string. For exemple ""
 * @return int Error or not
+ * @see dolKeepOnlyPhpCode()
 */
 function checkPHPCode($phpfullcodestringold, $phpfullcodestring)
 {
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index b4262757bff..e585dd07bb2 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -806,6 +806,16 @@ if ($action == 'addcontainer' && $usercanedit) {
 // Remove comments
 $tmp['content'] = removeHtmlComment($tmp['content']);
+ // Check there is no PHP content into the imported file (must be only HTML + JS)
+ $phpcontent = dolKeepOnlyPhpCode('', $tmp['content']);
+ if ($phpcontent) {
+ $error++;
+ setEventMessages('Error getting '.$urltograb.': file that include PHP content is not allowed', null, 'errors');
+ $action = 'createcontainer';
+ }
+ }
+
+ if (!$error) {
 $regs = array();
 preg_match('/(.*)<\/head>/ims', $tmp['content'], $regs);
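Review bot: The new guard in this hunk never fires: `dolKeepOnlyPhpCode('', $tmp['content'])` passes the imported content as a second argument, but the signature shown in the first hunk of this same patch is `dolKeepOnlyPhpCode($str)`, so the function only scans the empty string, the extra argument is silently ignored and `$phpcontent` is always empty, leaving the import path exactly as unchecked as before. The call should be `$phpcontent = dolKeepOnlyPhpCode($tmp['content']);`, and a regression test that imports a body containing `<?php` and expects the error branch would have caught this. The rejection is also only as strong as whatever dolKeepOnlyPhpCode recognises as PHP (short tags, `<?=`, alternative open-tag spellings), which is not visible here, so confirm that before relying on it as the sole guard. The message `'file that include PHP content is not allowed'` should read `'file that includes PHP content is not allowed'`. The enclosing `if ($action == 'addcontainer' && $usercanedit)` block begins before this hunk and the `if (!$error)` block opened here is closed outside it.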