From ded3beee7114d6e5833f7dd441a04cfee1ddd917 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 14 Mar 2021 20:37:59 +0100
Subject: [PATCH] Disallow use of &# into dol_sanitizeUrl()

---
 test/phpunit/SecurityTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index b3ea5a2c9b2..b3a95d5f816 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -476,7 +476,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
 		$result=GETPOST("backtopage");
 		print __METHOD__." result=".$result."\n";
-		$this->assertEquals('3a alert(1)', $result, 'Test for backtopage param');
+		$this->assertEquals('x3a alert(1)', $result, 'Test for backtopage param');
 
 		return $result;
 	}
@@ -691,7 +691,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$test = 'javascripT&javascript#x3a alert(1)';
 		$result=dol_sanitizeUrl($test);
-		$this->assertEquals('3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
+		$this->assertEquals('x3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
 
 		$test = 'javajavascriptscript&cjavascriptolon;alert(1)';
 		$result=dol_sanitizeUrl($test);
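Review bot: The new expected value `'x3a alert(1)'` is asserted without any explanation of why the `x` now survives, and the test message `'Test for backtopage param'` does not say which property is being pinned; a reader cannot tell from the test whether the leftover `x` is intended or a regression. It appears the sanitizer now strips the `&#` prefix rather than `&#x`, so a one-line comment above the assertion would make the intent reviewable, e.g. `// '&#' is removed (not '&#x'), so the 'x' of the hex entity is expected to remain`. Pinning the exact residual string also couples the test to the sanitizer's removal order; the security-relevant property is that neither `javascript` nor `&#` remains in `$result`, so an additional check such as `$this->assertFalse(strpos($result, '&#') !== false, 'No entity prefix survives');` would keep the test meaningful if the residual changes for harmless reasons. The same applies to the matching assertion in the second hunk at line 691 for `dol_sanitizeUrl`. The enclosing test method starts before this hunk, so its setup is not visible here.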