Dolibarr ERP & CRM » Bugs » bug #733
Mass emailing tools do not support Dernières modifications
Répondre
État| Détails |
| Submitted by: | HENRY Florian (fhenry) | | Submitted on: | 22/02/2013 12:40 |
| Last Modified On: | 22/02/2013 15:03 | | Dolibarr version: | 3.3 |
| PHP version: | Php 5.4 | | Database type and version: | MySQL 5.5 |
| OS Type/Version: | Ubuntu | | Category: | Other |
| Severity: | 5 - Major | |
| Summary: | Mass emailing tools do not support <style HTML tag |
| Description: | If you try to create an emailing with <style HTML tag, it's rejected by sql inject test.
IF FCK_EDITOR mail is on we should encode the HTML body to store it |
| Step to reproduce bug: | Create new emailing
Click on source
put this code :
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
<!--
a:link {
color: #E2017A;
}
-->
</style>
</head>
<body>Hello world</body>
</html>
Dolibarr give SQL injection error |
| Etat |
| Resolution: | Fixed | | Assigned to: | HENRY Florian (fhenry) |
| Status: | Open | |
Commentaires- HENRY Florian 22/02/2013 15:51
- The bug has been corrected. Pull request send inside GIT sources
(http://www.github.com/Dolibarr/dolibarr) and waiting to merge
into develop branch. - HENRY Florian 22/02/2013 15:03
- Finnaly I found a config ckeditor to do not have this problem
- HENRY Florian 22/02/2013 14:06
- I can't find easyly how to handle CKeditor event to htmlencode the content.
The problem is not in create sql request, it be convert easily, but it's in POST data when creating the email.
sql_inject_script parse all POST and GET data.
|
|
(http://www.github.com/Dolibarr/dolibarr) and waiting to merge
into develop branch.