Disallow use of &# into dol_sanitizeUrl()

This commit is contained in:
Laurent Destailleur 2021-03-14 20:37:59 +01:00
parent 9aa8916a9c
commit ded3beee71


@ -476,7 +476,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
$result=GETPOST("backtopage");
print __METHOD__." result=".$result."\n";
$this->assertEquals('3a alert(1)', $result, 'Test for backtopage param');
$this->assertEquals('x3a alert(1)', $result, 'Test for backtopage param');
return $result;
}
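Review bot: The new expected value `'x3a alert(1)'` on the added assertEquals line encodes the residue the sanitizer leaves behind without saying why, and the assertion keeps the same message as the other backtopage checks, so a failure here will not say which case broke. A comment such as `// once 'javascript' is stripped the value collapses to '&#x3a alert(1)'; '&#' is then removed, leaving 'x3a alert(1)'` (presumably how this input is meant to exercise the nested-removal path — worth confirming against dol_sanitizeUrl) would make the intent readable, and a distinct message like `'Test for backtopage param: nested javascript and &#'` would localise the failure. The same unexplained expected value and reused message ('Test on dol_sanitizeUrl A') appear in the second hunk at line 691, whose end lies outside this view. The enclosing test method starts before this hunk.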
@ -691,7 +691,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$test = 'javascripT&javascript#x3a alert(1)';
$result=dol_sanitizeUrl($test);
$this->assertEquals('3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
$this->assertEquals('x3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
$test = 'javajavascriptscript&cjavascriptolon;alert(1)';
$result=dol_sanitizeUrl($test);