Dolibarr ERP & CRM » Bugs » bug #733
Mass emailing tools do not support <style HTML tag
Last Modified On: | 22/02/2013 12:40 | | Submitted by: | HENRY Florian (fhenry) |
Submitted on: | 22/02/2013 12:40 | | Dolibarr version: | 3.3 |
PHP version: | Php 5.4 | | Database type and version: | MySQL 5.5 |
OS Type/Version: | Ubuntu | | Category: | Other |
Severity: | 5 - Major | |
Summary: | Mass emailing tools do not support <style HTML tag |
Description: | If you try to create an emailing with a <style HTML tag, it's rejected by the SQL inject test.
If FCK_EDITOR mail is on, we should encode the HTML body to store it |
Steps to reproduce bug: | Create new emailing
Click on source
Put this code:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
<!--
a:link {
color: #E2017A;
}
-->
</style>
</head>
<body>Hello world</body>
</html>
Dolibarr gives SQL injection error |
Status |
Resolution: | None | | Assigned to: | HENRY Florian (fhenry) |
Status: | Open | |
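
The failure mode reported above, as an added example that is not part of the original report and not Dolibarr's code: a hypothetical denylist check rejects the legitimate template, while binding the body as a query parameter stores it unchanged without inspecting its content. The filter patterns, the `emailing` table and all function names are assumptions; bound parameters are used here in place of the encoding the reporter suggests, and PHP 7+ with the `pdo_sqlite` extension is assumed.

```php
<?php
// Hypothetical denylist, written for this example; NOT Dolibarr's actual filter.
function looksLikeInjection(string $value): bool
{
    $patterns = [
        '/\bunion\b.+\bselect\b/is',   // SQL keyword pair
        '/<\s*(script|style)\b/i',     // tag rule that also hits legitimate templates
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

// Bound parameters keep the body out of the SQL text, so its content
// never needs to be screened for SQL keywords or tags before storage.
function storeEmailing(PDO $db, string $title, string $body): int
{
    $stmt = $db->prepare('INSERT INTO emailing (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadBody(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM emailing WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample: a shortened form of the template in the report.
$body = <<<'HTML'
<html><head><style type="text/css">
a:link { color: #E2017A; }
</style></head><body>Hello world</body></html>
HTML;

$db = new PDO('sqlite::memory:');   // assumed in-memory table for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE emailing (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

echo 'denylist rejects template: ', var_export(looksLikeInjection($body), true), "\n";
$id = storeEmailing($db, "Florian's newsletter", $body);
echo 'stored body unchanged: ', var_export(loadBody($db, $id) === $body, true), "\n";
// When the stored source is shown inside an admin page, escape it on output.
echo htmlspecialchars(loadBody($db, $id), ENT_QUOTES, 'UTF-8'), "\n";
```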