Dolibarr ERP & CRM » Bugs » bug #733
Mass emailing tools do not support <style HTML tag
Last Modified On: 22/02/2013 14:06
Submitted by: HENRY Florian (fhenry)
Submitted on: 22/02/2013 12:40
Dolibarr version: 3.3
PHP version: PHP 5.4
Database type and version: MySQL 5.5
OS Type/Version: Ubuntu
Category: Other
Severity: 5 - Major
Summary: Mass emailing tools do not support <style HTML tag
Description: If you try to create an emailing with the <style HTML tag, it is rejected by the SQL inject test.
If FCK_EDITOR mail is on, we should encode the HTML body to store it.
Steps to reproduce bug:
Create a new emailing.
Click on "Source".
Put this code:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
<!--
a:link {
color: #E2017A;
}
-->
</style>
</head>
<body>Hello world</body>
</html>
Dolibarr gives an SQL injection error.
Resolution: Fixed
Assigned to: HENRY Florian (fhenry)
Status: Open
Comments
- HENRY Florian 22/02/2013 15:03
Finally I found a CKEditor config to not have this problem.
- HENRY Florian 22/02/2013 14:06
I can't find easily how to handle the CKEditor event to HTML-encode the content.
The problem is not in the create SQL request, which can be converted easily, but in the POST data when creating the email.
sql_inject_script parses all POST and GET data.
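The report and the comment above describe a request-wide blacklist check that rejects a legitimate newsletter because it contains `<style`. The PHP below is an added illustration, not Dolibarr's own code and not its sql_inject_script routine: a hypothetical pattern filter of the same kind (its pattern list is constructed for the example) flags the reporter's HTML body, while a prepared statement stores that same body safely without needing to inspect or reject it, and the body is escaped only when it is shown back as source in a form. The `mailing` table, its `rowid`/`subject`/`body` columns, the in-memory SQLite database and the PHP 7+ type hints are all assumptions made for this example.

```php
<?php
// Added illustration (not Dolibarr's code): a blacklist over raw request data
// versus parameterised storage of an HTML mailing body.

/**
 * Hypothetical request-value blacklist, in the spirit of the check the report
 * describes. The pattern list is constructed for this example and deliberately
 * includes "<style" to reproduce the false positive.
 */
function naive_inject_check(string $value): bool
{
    $patterns = ['/<script/i', '/<style/i', '/union\s+select/i'];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true; // rejected, even though the content may be legitimate
        }
    }
    return false;
}

/** Store the body as a bound parameter: it is data, never part of the SQL text. */
function store_mailing_body(PDO $db, string $subject, string $body): int
{
    // Table and column names are assumptions for this example.
    $stmt = $db->prepare('INSERT INTO mailing (subject, body) VALUES (:subject, :body)');
    $stmt->execute([':subject' => $subject, ':body' => $body]);
    return (int) $db->lastInsertId();
}

/** Read the stored body back unchanged. */
function load_mailing_body(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM mailing WHERE rowid = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

/** Escape once, at output time, when the raw source is placed inside an editor form. */
function body_for_editor(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: the newsletter body from the bug report, with a single
// quote added so the parameter binding is exercised as well.
$body = '<html><head><style type="text/css">a:link { color: #E2017A; }</style></head>'
      . "<body>Hello world, it's 2013</body></html>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mailing (rowid INTEGER PRIMARY KEY AUTOINCREMENT, subject TEXT, body TEXT)');

// The blacklist rejects the legitimate newsletter outright because of "<style".
echo naive_inject_check($body) ? "blacklist: rejected the body\n" : "blacklist: accepted the body\n";

// The prepared statement stores and returns the body byte for byte; neither the
// quote nor the <style> block ever reaches the SQL parser as syntax.
$id = store_mailing_body($db, 'Newsletter', $body);
echo load_mailing_body($db, $id) === $body ? "prepared statement: body round-tripped intact\n"
                                           : "prepared statement: body was altered\n";

// What the admin UI should emit when it shows the stored source in a textarea.
echo body_for_editor($body), PHP_EOL;
```

The point for a defender is that the blacklist and the storage safety are independent: the prepared statement is what keeps the body from being interpreted as SQL, so the request-wide filter buys nothing for this field and only produces the false positive the report describes. Encoding the body on the way in, as the description proposes, works around the filter but means every reader of the column must remember to decode it; binding the parameter and escaping only at output avoids that double handling.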
None → Fixed